
Windows Analysis Report
Attendance list.exe

Overview

General Information

Sample name:Attendance list.exe
Analysis ID:1465802
MD5:ac274060092bb14f6504d6fd48c20590
SHA1:9c1c471f9a2fe2523062c8bcd16fbf093ae6a72e
SHA256:e977838b7536ed73154cbfb37e2204bbc873da89b3c5aeed5bb2d9eff73a07b6
Tags:exe

Detection

FormBook
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Attendance list.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\Attendance list.exe" MD5: AC274060092BB14F6504D6FD48C20590)
    • svchost.exe (PID: 7452 cmdline: "C:\Users\user\Desktop\Attendance list.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source / Rule / Description / Author / Strings):
  • 00000001.00000002.2013285557.0000000003570000.00000004.00001000.00020000.00000000.sdmp
      JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
      Windows_Trojan_Formbook_1112e116 | unknown | unknown
        0x2acb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        0x141bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 00000001.00000002.2013032455.0000000000400000.00000040.80000000.00040000.00000000.sdmp
      JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
      Windows_Trojan_Formbook_1112e116 | unknown | unknown
        0x2e763:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        0x17c72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Yara matches in unpacked PEs (Source / Rule / Description / Author / Strings):
  • 1.2.svchost.exe.400000.0.raw.unpack
      JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
      Windows_Trojan_Formbook_1112e116 | unknown | unknown
        0x2e763:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        0x17c72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 1.2.svchost.exe.400000.0.unpack
      JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
      Windows_Trojan_Formbook_1112e116 | unknown | unknown
        0x2d963:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        0x16e72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

          System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Attendance list.exe", CommandLine: "C:\Users\user\Desktop\Attendance list.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Attendance list.exe", ParentImage: C:\Users\user\Desktop\Attendance list.exe, ParentProcessId: 7432, ParentProcessName: Attendance list.exe, ProcessCommandLine: "C:\Users\user\Desktop\Attendance list.exe", ProcessId: 7452, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Attendance list.exe", CommandLine: "C:\Users\user\Desktop\Attendance list.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Attendance list.exe", ParentImage: C:\Users\user\Desktop\Attendance list.exe, ParentProcessId: 7432, ParentProcessName: Attendance list.exe, ProcessCommandLine: "C:\Users\user\Desktop\Attendance list.exe", ProcessId: 7452, ProcessName: svchost.exe
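Both Sigma hits above rest on the same two facts: a SysWOW64 svchost.exe (PID 7452) whose parent is the desktop executable rather than services.exe, and whose command line is the parent's own path. Read together with "Creates a process in suspended mode" and the NtUnmapViewOfSection / NtWriteVirtualMemory / NtSetContextThread / NtResumeThread functionality in the signature list, that is the profile of process hollowing: the child is created suspended with the parent's command line and its image is replaced before it runs. The following is an added example (not Joe Sandbox or Sigma project code) that checks both properties over process-creation events. The event fields, the parent allowlist and the control events are constructed or assumed; the first event copies the fields shown in the Sigma data above.

```python
"""Process-lineage checks over process-creation events (Sysmon Event ID 1 style).

Added example, not Joe Sandbox or Sigma project code. EVENTS is constructed:
the first entry mirrors the fields this report shows for svchost.exe (PID 7452)
and its parent; the other two are benign controls.
"""
import ntpath

# Assumption: a minimal parent allowlist in the spirit of the Sigma rule
# "Uncommon Svchost Parent Process". The real rule's filter list is longer;
# tune this for your estate.
SVCHOST_EXPECTED_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe"}

EVENTS = [
    {   # constructed from the report's Sigma evidence
        "ProcessId": 7452, "Image": r"C:\Windows\SysWOW64\svchost.exe",
        "CommandLine": r'"C:\Users\user\Desktop\Attendance list.exe"',
        "ParentProcessId": 7432, "ParentImage": r"C:\Users\user\Desktop\Attendance list.exe",
    },
    {   # benign control: service host started by the SCM with its own command line
        "ProcessId": 1204, "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
        "ParentProcessId": 680, "ParentImage": r"C:\Windows\System32\services.exe",
    },
    {   # benign control: unquoted bare image name in the command line
        "ProcessId": 4412, "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\user\notes.txt",
        "ParentProcessId": 3960, "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def basename(path):
    """Case-folded file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def program_from_cmdline(cmdline):
    """First token of a Windows command line, honouring a quoted program path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def check_event(ev):
    """Return the list of findings for one process-creation event."""
    findings = []
    image = basename(ev["Image"])
    parent = basename(ev.get("ParentImage", ""))
    # 1. svchost.exe is expected to be started by the SCM (or a short list of known parents)
    if image == "svchost.exe" and parent not in SVCHOST_EXPECTED_PARENTS:
        findings.append("uncommon_svchost_parent")
    # 2. a command line naming a different executable than the image is the
    #    hollowing tell: the child inherited the parent's command line at
    #    CreateProcess time and its image was swapped afterwards
    claimed = basename(program_from_cmdline(ev["CommandLine"]))
    if claimed and claimed != image:
        findings.append("commandline_image_mismatch")
    return findings


def scan(events):
    """Map ProcessId -> findings for every event that produced at least one."""
    hits = {}
    for ev in events:
        findings = check_event(ev)
        if findings:
            hits[ev["ProcessId"]] = findings
    return hits


if __name__ == "__main__":
    for pid, findings in scan(EVENTS).items():
        print(pid, ", ".join(findings))
```

The mismatch check is the more durable of the two: parent allowlists need maintenance, but a legitimate svchost.exe always carries an svchost.exe command line, so a different program name in the first token is worth an alert regardless of parent.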
          No Snort rule has matched


          AV Detection

Source: Attendance list.exe | ReversingLabs: Detection: 44%
Source: Attendance list.exe | Virustotal: Detection: 39%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2013285557.0000000003570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2013032455.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Attendance list.exe | Joe Sandbox ML: detected
Source: Attendance list.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP | source: Attendance list.exe, 00000000.00000003.1650735131.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, Attendance list.exe, 00000000.00000003.1650516808.0000000004020000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2013318515.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2013318515.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1975568723.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1977257906.0000000003500000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Attendance list.exe, 00000000.00000003.1650735131.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, Attendance list.exe, 00000000.00000003.1650516808.0000000004020000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2013318515.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2013318515.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1975568723.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1977257906.0000000003500000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002B4696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002BC93C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002B3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002BBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002C25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002C425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002C4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002B0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002DCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

          E-Banking Fraud

Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2013285557.0000000003570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2013032455.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2013285557.0000000003570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2013032455.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00253B4C This is a third-party compiled AutoIt script.
Source: Attendance list.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Attendance list.exe, 00000000.00000000.1642064482.0000000000305000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Attendance list.exe, 00000000.00000000.1642064482.0000000000305000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: Attendance list.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
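The Windows_Trojan_Formbook_1112e116 matches in the Yara table near the top of the report and the AutoIt marker strings just above both come down to the same operation: locating fixed byte sequences in a dump or file and reporting their offsets. The following is an added example (not Joe Sandbox's or the rule authors' code) of a minimal YARA-style scanner that does this for hex strings, including `??` wildcard bytes, and for text strings. Only the two $a2/$a3 byte sequences shown in the report are used; the rule's full string set and condition are not on the page, so the "any of them" condition and the subset rule name are assumptions, the wildcard rule is constructed purely for demonstration, and the scanned buffer is a constructed one with the patterns planted at known offsets, not the malware.

```python
"""Minimal YARA-style string scanner: hex strings (with ?? wildcards) and text strings.

Added example, not Joe Sandbox's or the rule authors' code. The two hex strings
are the $a2/$a3 bytes this report shows for Windows_Trojan_Formbook_1112e116;
the rule's full string set and condition are not on the page, so the rule
below is a labelled subset with an assumed condition. SAMPLE is constructed.
"""

RULES = {
    # subset: only the two strings visible in the report; "any of them" is assumed
    "Windows_Trojan_Formbook_1112e116_subset": {
        "strings": {
            "$a2": ("hex", "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55"),
            "$a3": ("hex", "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01"),
        },
        "condition": "any",
    },
    # the interpreter string that marks a compiled AutoIt binary (seen in the report)
    "Compiled_AutoIt_Script": {
        "strings": {"$marker": ("text", "This is a third-party compiled AutoIt script.")},
        "condition": "all",
    },
    # constructed pattern demonstrating ?? wildcards; not from any real rule
    "Wildcard_demo": {
        "strings": {"$w": ("hex", "8D 44 08 ?? 75 F6")},
        "condition": "all",
    },
}


def compile_pattern(kind, value):
    """Return a list of byte values; None stands for a wildcard byte."""
    if kind == "hex":
        return [None if tok == "??" else int(tok, 16) for tok in value.split()]
    return list(value.encode("ascii"))


def find_all(buf, pattern):
    """Offsets of every (possibly overlapping) occurrence of pattern in buf."""
    hits = []
    m = len(pattern)
    for i in range(len(buf) - m + 1):
        if all(p is None or buf[i + j] == p for j, p in enumerate(pattern)):
            hits.append(i)
    return hits


def scan(buf, rules=RULES):
    """{rule_name: sorted [(offset, string_id)]} for every rule whose condition holds."""
    results = {}
    for name, rule in rules.items():
        found, matched_ids = [], set()
        for sid, (kind, value) in rule["strings"].items():
            for off in find_all(buf, compile_pattern(kind, value)):
                found.append((off, sid))
                matched_ids.add(sid)
        needed = len(rule["strings"]) if rule["condition"] == "all" else 1
        if len(matched_ids) >= needed:
            results[name] = sorted(found)
    return results


def build_sample():
    """Constructed 4 KiB buffer with the two report byte sequences and the AutoIt marker planted in it."""
    buf = bytearray(b"\x90" * 0x1000)
    strings = RULES["Windows_Trojan_Formbook_1112e116_subset"]["strings"]
    a2 = bytes.fromhex(strings["$a2"][1])
    a3 = bytes.fromhex(strings["$a3"][1])
    buf[0x200:0x200 + len(a2)] = a2
    buf[0x600:0x600 + len(a3)] = a3
    marker = b"This is a third-party compiled AutoIt script."
    buf[0xA00:0xA00 + len(marker)] = marker
    return bytes(buf)


SAMPLE = build_sample()

if __name__ == "__main__":
    # prints offset:$id lines in the same shape as the report's Strings column
    for rule, hits in scan(SAMPLE).items():
        print(rule)
        for off, sid in hits:
            print(f"  0x{off:x}:{sid}")
```

The offsets the report lists for the same string differ between the `.raw.unpack` and `.unpack` views (0x2e763 versus 0x2d963 for $a2, 0x17c72 versus 0x16e72 for $a3): one is a file offset in the dumped image, the other a position in the mapped layout, so when pivoting from a scan hit into a disassembler you need to know which view produced it.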
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042BBA3 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03774340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03774650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03772CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03773010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03773090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03773D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03773D10 NtOpenProcessToken
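The native-call inventory above is what makes the "Creates a process in suspended mode", "Maps a DLL or memory area into another process" and "Writes to foreign memory regions" signatures concrete: NtCreateProcessEx, NtUnmapViewOfSection, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtSetContextThread (or NtQueueApcThread) and NtResumeThread are the building blocks of process hollowing, and it is their order, not their mere presence, that distinguishes the technique from a loader that merely maps sections. The following is an added example (not Joe Sandbox's signature logic) that looks for that ordered chain in a per-process API call trace; the chain definition is an assumption consistent with the calls listed above, and the trace is constructed, not captured from this sample.

```python
"""Order-based detection of a process-hollowing API chain in a per-process call trace.

Added example, not Joe Sandbox code. HOLLOWING_CHAIN is an assumption about
which native calls make up the technique; it is consistent with the calls this
report lists in svchost.exe but is not derived from Joe Sandbox's own rules.
TRACE is a constructed call log, not one captured from the sample.
"""
from collections import defaultdict

# (stage, acceptable API names, required?). Unmapping the original image is
# optional: some hollowing loaders overwrite the mapped image in place instead.
# The first and last stages must be required ones (the optional-stage logic
# below relies on having a required neighbour on each side).
HOLLOWING_CHAIN = [
    ("create_suspended", {"NtCreateProcessEx", "NtCreateUserProcess", "CreateProcessW", "CreateProcessA"}, True),
    ("unmap_original_image", {"NtUnmapViewOfSection"}, False),
    ("allocate_or_map", {"NtAllocateVirtualMemory", "NtMapViewOfSection"}, True),
    ("write_payload", {"NtWriteVirtualMemory"}, True),
    ("hijack_entrypoint", {"NtSetContextThread", "NtQueueApcThread"}, True),
    ("resume", {"NtResumeThread"}, True),
]

TRACE = [  # constructed: (pid, api) in the order a sandbox would log them
    (7432, "NtQuerySystemInformation"),
    (9999, "NtCreateFile"),
    (7432, "CreateProcessW"),          # CREATE_SUSPENDED is a flag the name alone cannot show
    (9999, "NtCreateSection"),
    (7432, "NtQueryInformationProcess"),
    (7432, "NtReadVirtualMemory"),
    (9999, "NtMapViewOfSection"),      # benign loader: maps a section, never writes or resumes
    (7432, "NtUnmapViewOfSection"),
    (7432, "NtAllocateVirtualMemory"),
    (7432, "NtWriteVirtualMemory"),
    (7432, "NtWriteVirtualMemory"),
    (7432, "NtWriteVirtualMemory"),
    (9999, "NtClose"),
    (7432, "NtSetContextThread"),
    (7432, "NtResumeThread"),
    (7432, "NtClose"),
]


def find_chain(calls, chain=HOLLOWING_CHAIN):
    """Match required stages left to right; optional stages only count between their required neighbours.

    Returns {stage: index into calls} or None when a required stage is missing.
    """
    matched, pos = {}, 0
    for stage, apis, required in chain:
        if not required:
            continue
        idx = next((i for i in range(pos, len(calls)) if calls[i] in apis), None)
        if idx is None:
            return None
        matched[stage] = idx
        pos = idx + 1
    for k, (stage, apis, required) in enumerate(chain):
        if required:
            continue
        prev_req = next((chain[j][0] for j in range(k - 1, -1, -1) if chain[j][2]), None)
        next_req = next((chain[j][0] for j in range(k + 1, len(chain)) if chain[j][2]), None)
        lo = matched[prev_req] + 1 if prev_req is not None else 0
        hi = matched[next_req] if next_req is not None else len(calls)
        idx = next((i for i in range(lo, hi) if calls[i] in apis), None)
        if idx is not None:
            matched[stage] = idx
    return matched


def detect(trace, chain=HOLLOWING_CHAIN):
    """Group a (pid, api) trace per process; report every pid whose calls contain the chain."""
    per_pid = defaultdict(list)
    for pid, api in trace:
        per_pid[pid].append(api)
    hits = {}
    for pid, calls in per_pid.items():
        m = find_chain(calls, chain)
        if m is not None:
            hits[pid] = m  # indices are positions in that pid's own call list
    return hits


if __name__ == "__main__":
    for pid, stages in detect(TRACE).items():
        order = sorted(stages.items(), key=lambda kv: kv[1])
        print(pid, " -> ".join(f"{s}@{i}" for s, i in order))
```

Matching on names alone cannot see the CREATE_SUSPENDED flag, which process handle the writes target, or whether the resumed thread belongs to the child; a production detector keys on the handle and argument values from the trace, which is also what lets it tell hollowing apart from a debugger or a legitimate loader that happens to use the same calls.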
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002B4021 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002A8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002B545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_0025E800
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_0027DBB5
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_0025E060
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002D804A
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00264140
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00272405
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00286522
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002D0665
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_0028267E
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_0027283A
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00266843
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002889DF
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00268A0E
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00286A94
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002D0AE2
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002AEB07
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002B8B13
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_0027CD61
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00287006
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_0026710E
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00263190
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00251287
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002733C7
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_0027F419
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00265680
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002716C4
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002658C0
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002778D3
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00271BB8
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00289D05
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_0025FE40
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_0027BFE6
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00271FD0
Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_03963600
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042E053
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040282A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402830
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004010C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00410893
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004010BE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040E913
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004029F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004033FF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00404C54
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403400
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402CA4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402CB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00410673
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416FDF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416FE3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037C02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03730100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037F81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037F41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03764750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0373C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0375C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03800591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037F2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037E4420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037EE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037F6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0380A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0374A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03742840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03760F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037E2F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03782F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03732FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037BEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03740E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037FEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037FEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03752E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037FCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037DCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0374AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0373ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03758DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03740C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03730CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037E0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0372D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037F132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0378739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037E12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0375B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0372F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0377516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0374B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0380B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037F70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037FF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037EF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037FF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03785630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037F16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037F7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038095C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037DD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03731460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037FF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037FFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0377DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0375FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B3A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037FFA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037F7A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037EDAC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037DDAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03785AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037E1AA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03749950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0375B950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037D5910
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037AD800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037438E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037FFF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03703FD2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03703FD5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037FFFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03741F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03749EB01_2_03749EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F7D731_2_037F7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F1D5A1_2_037F1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03743D401_2_03743D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375FDC01_2_0375FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B9C321_2_037B9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037FFCF21_2_037FFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03775130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03787E54 appears 108 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0372B970 appears 265 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 037BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 037AEA12 appears 86 times
          Source: C:\Users\user\Desktop\Attendance list.exeCode function: String function: 00278B40 appears 42 times
          Source: C:\Users\user\Desktop\Attendance list.exeCode function: String function: 00270D27 appears 70 times
          Source: C:\Users\user\Desktop\Attendance list.exeCode function: String function: 00257F41 appears 35 times
Source: Attendance list.exe, 00000000.00000003.1651034764.0000000003FA3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Attendance list.exe
Source: Attendance list.exe, 00000000.00000003.1650222790.00000000040FD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Attendance list.exe
Source: Attendance list.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2013285557.0000000003570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2013032455.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal88.troj.evad.winEXE@3/4@0/0
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002BA2D5 GetLastError,FormatMessageW, 0_2_002BA2D5
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002A8713 AdjustTokenPrivileges,CloseHandle, 0_2_002A8713
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002A8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_002A8CC3
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002BB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_002BB59E
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002CF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_002CF121
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002BC602 CoInitialize,CoCreateInstance,CoUninitialize, 0_2_002BC602
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_00254FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00254FE9
Source: C:\Users\user\Desktop\Attendance list.exe File created: C:\Users\user\AppData\Local\Temp\autE4E0.tmp
Source: Attendance list.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Attendance list.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Attendance list.exe ReversingLabs: Detection: 44%
Source: Attendance list.exe Virustotal: Detection: 39%
Source: unknown Process created: C:\Users\user\Desktop\Attendance list.exe "C:\Users\user\Desktop\Attendance list.exe"
Source: C:\Users\user\Desktop\Attendance list.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Attendance list.exe"
Source: C:\Users\user\Desktop\Attendance list.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Attendance list.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Attendance list.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Attendance list.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Attendance list.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Attendance list.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Attendance list.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Attendance list.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Attendance list.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Attendance list.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Attendance list.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Attendance list.exe Section loaded: ntmarta.dll
Source: Attendance list.exe Static file information: File size 1197056 > 1048576
Source: Attendance list.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Attendance list.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Attendance list.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Attendance list.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Attendance list.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Attendance list.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Attendance list.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: Attendance list.exe, 00000000.00000003.1650735131.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, Attendance list.exe, 00000000.00000003.1650516808.0000000004020000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2013318515.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2013318515.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1975568723.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1977257906.0000000003500000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Attendance list.exe, 00000000.00000003.1650735131.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, Attendance list.exe, 00000000.00000003.1650516808.0000000004020000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2013318515.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2013318515.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1975568723.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1977257906.0000000003500000.00000004.00000020.00020000.00000000.sdmp
Source: Attendance list.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Attendance list.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Attendance list.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Attendance list.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Attendance list.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002CC304 LoadLibraryA,GetProcAddress, 0_2_002CC304
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002B8719 push FFFFFF8Bh; iretd 0_2_002B871B
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_0027E94F push edi; ret 0_2_0027E951
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_0027EA68 push esi; ret 0_2_0027EA6A
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_00278B85 push ecx; ret 0_2_00278B98
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_0027EC43 push esi; ret 0_2_0027EC45
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_0027ED2C push edi; ret 0_2_0027ED2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041905C push 72B82297h; ret 1_2_004190E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00408028 pushfd ; retf 1_2_00408034
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00419151 push ecx; iretd 1_2_00419152
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004089B6 push ecx; retf 1_2_004089C2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004162D3 push esi; retf 1_2_004162DE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00403AB0 push eax; ret 1_2_00403AB2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00407C44 pushfd ; retf 1_2_00407C45
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041856F push edx; ret 1_2_00418572
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040ADF5 push eax; retf 1_2_0040AE11
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00405776 pushad ; retf 1_2_00405785
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00411F7B push ebx; retf 1_2_00411F7E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00418F14 push ecx; ret 1_2_00418F15
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0370225F pushad ; ret 1_2_037027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037027FA pushad ; ret 1_2_037027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037309AD push ecx; mov dword ptr [esp], ecx 1_2_037309B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0370283D push eax; iretd 1_2_03702858
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_00254A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00254A35
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002D55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_002D55FD
          Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_002733C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_002733C7
Source: C:\Users\user\Desktop\Attendance list.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Attendance list.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Attendance list.exe API/Special instruction interceptor: Address: 3963224
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0377096E rdtsc 1_2_0377096E
Source: C:\Users\user\Desktop\Attendance list.exe Evaded block: after key decision graph_0-99667
Source: C:\Users\user\Desktop\Attendance list.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-98369
Source: C:\Users\user\Desktop\Attendance list.exe API coverage: 4.7 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.6 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 7456 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002B4696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_002B4696
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002BC93C FindFirstFileW,FindClose, 0_2_002BC93C
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_002BC9C7
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_002BF200
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_002BF35D
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_002BF65E
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_002B3A2B
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002B3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_002B3D4E
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002BBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_002BBF27
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_00254AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00254AFE
Source: C:\Users\user\Desktop\Attendance list.exe API call chain: ExitProcess graph end node graph_0-96987
Source: C:\Users\user\Desktop\Attendance list.exe API call chain: ExitProcess graph end node graph_0-97059
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0377096E rdtsc 1_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00417F93 LdrLoadDll, 1_2_00417F93
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002C41FD BlockInput, 0_2_002C41FD
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_00253B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00253B4C
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_00285CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00285CCC
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_002CC304 LoadLibraryA,GetProcAddress, 0_2_002CC304
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_03963490 mov eax, dword ptr fs:[00000030h] 0_2_03963490
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_039634F0 mov eax, dword ptr fs:[00000030h] 0_2_039634F0
Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_03961E70 mov eax, dword ptr fs:[00000030h] 0_2_03961E70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037D437C mov eax, dword ptr fs:[00000030h] 1_2_037D437C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B035C mov eax, dword ptr fs:[00000030h] 1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B035C mov eax, dword ptr fs:[00000030h] 1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B035C mov eax, dword ptr fs:[00000030h] 1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B035C mov ecx, dword ptr fs:[00000030h] 1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B035C mov eax, dword ptr fs:[00000030h] 1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B035C mov eax, dword ptr fs:[00000030h] 1_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037FA352 mov eax, dword ptr fs:[00000030h] 1_2_037FA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037D8350 mov ecx, dword ptr fs:[00000030h] 1_2_037D8350
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h] 1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h] 1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h] 1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h] 1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h] 1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h] 1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h] 1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h] 1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h] 1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h] 1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h] 1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h] 1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h] 1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h] 1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B2349 mov eax, dword ptr fs:[00000030h] 1_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0372C310 mov ecx, dword ptr fs:[00000030h] 1_2_0372C310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03750310 mov ecx, dword ptr fs:[00000030h] 1_2_03750310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376A30B mov eax, dword ptr fs:[00000030h] 1_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376A30B mov eax, dword ptr fs:[00000030h] 1_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0376A30B mov eax, dword ptr fs:[00000030h] 1_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0374E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0374E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0374E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037663FF mov eax, dword ptr fs:[00000030h] 1_2_037663FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h] 1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h] 1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h] 1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h] 1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h] 1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h] 1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h] 1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037403E9 mov eax, dword ptr fs:[00000030h] 1_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03808324 mov eax, dword ptr fs:[00000030h] 1_2_03808324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03808324 mov ecx, dword ptr fs:[00000030h] 1_2_03808324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03808324 mov eax, dword ptr fs:[00000030h] 1_2_03808324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03808324 mov eax, dword ptr fs:[00000030h] 1_2_03808324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037DE3DB mov eax, dword ptr fs:[00000030h] 1_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037DE3DB mov eax, dword ptr fs:[00000030h] 1_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037DE3DB mov eax, dword ptr fs:[00000030h] 1_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037D43D4 mov eax, dword ptr fs:[00000030h] 1_2_037D43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037D43D4 mov eax, dword ptr fs:[00000030h] 1_2_037D43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037EC3CD mov eax, dword ptr fs:[00000030h] 1_2_037EC3CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h] 1_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h] 1_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h] 1_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037383C0 mov eax, dword ptr fs:[00000030h] 1_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B63C0 mov eax, dword ptr fs:[00000030h] 1_2_037B63C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0380634F mov eax, dword ptr fs:[00000030h] 1_2_0380634F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03728397 mov eax, dword ptr fs:[00000030h] 1_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03728397 mov eax, dword ptr fs:[00000030h] 1_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03728397 mov eax, dword ptr fs:[00000030h] 1_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0372E388 mov eax, dword ptr fs:[00000030h] 1_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0372E388 mov eax, dword ptr fs:[00000030h] 1_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0372E388 mov eax, dword ptr fs:[00000030h] 1_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375438F mov eax, dword ptr fs:[00000030h] 1_2_0375438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0375438F mov eax, dword ptr fs:[00000030h] 1_2_0375438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h] 1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h] 1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h] 1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h] 1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h] 1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h] 1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h] 1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h] 1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h] 1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h] 1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h] 1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037E0274 mov eax, dword ptr fs:[00000030h] 1_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03734260 mov eax, dword ptr fs:[00000030h] 1_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03734260 mov eax, dword ptr fs:[00000030h] 1_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03734260 mov eax, dword ptr fs:[00000030h] 1_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0372826B mov eax, dword ptr fs:[00000030h] 1_2_0372826B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0372A250 mov eax, dword ptr fs:[00000030h] 1_2_0372A250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03736259 mov eax, dword ptr fs:[00000030h] 1_2_03736259
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037EA250 mov eax, dword ptr fs:[00000030h] 1_2_037EA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037EA250 mov eax, dword ptr fs:[00000030h] 1_2_037EA250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B8243 mov eax, dword ptr fs:[00000030h] 1_2_037B8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037B8243 mov ecx, dword ptr fs:[00000030h] 1_2_037B8243
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0372823B mov eax, dword ptr fs:[00000030h] 1_2_0372823B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038062D6 mov eax, dword ptr fs:[00000030h] 1_2_038062D6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037402E1 mov eax, dword ptr fs:[00000030h] 1_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037402E1 mov eax, dword ptr fs:[00000030h] 1_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037402E1 mov eax, dword ptr fs:[00000030h] 1_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0373A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373A2C3 mov eax, dword ptr fs:[00000030h]1_2_0373A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037402A0 mov eax, dword ptr fs:[00000030h]1_2_037402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037402A0 mov eax, dword ptr fs:[00000030h]1_2_037402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]1_2_037C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov ecx, dword ptr fs:[00000030h]1_2_037C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]1_2_037C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]1_2_037C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]1_2_037C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C62A0 mov eax, dword ptr fs:[00000030h]1_2_037C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0380625D mov eax, dword ptr fs:[00000030h]1_2_0380625D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E284 mov eax, dword ptr fs:[00000030h]1_2_0376E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E284 mov eax, dword ptr fs:[00000030h]1_2_0376E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B0283 mov eax, dword ptr fs:[00000030h]1_2_037B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B0283 mov eax, dword ptr fs:[00000030h]1_2_037B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B0283 mov eax, dword ptr fs:[00000030h]1_2_037B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372C156 mov eax, dword ptr fs:[00000030h]1_2_0372C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C8158 mov eax, dword ptr fs:[00000030h]1_2_037C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736154 mov eax, dword ptr fs:[00000030h]1_2_03736154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03736154 mov eax, dword ptr fs:[00000030h]1_2_03736154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]1_2_037C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]1_2_037C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C4144 mov ecx, dword ptr fs:[00000030h]1_2_037C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]1_2_037C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C4144 mov eax, dword ptr fs:[00000030h]1_2_037C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03760124 mov eax, dword ptr fs:[00000030h]1_2_03760124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DA118 mov ecx, dword ptr fs:[00000030h]1_2_037DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DA118 mov eax, dword ptr fs:[00000030h]1_2_037DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DA118 mov eax, dword ptr fs:[00000030h]1_2_037DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DA118 mov eax, dword ptr fs:[00000030h]1_2_037DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038061E5 mov eax, dword ptr fs:[00000030h]1_2_038061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F0115 mov eax, dword ptr fs:[00000030h]1_2_037F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]1_2_037DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]1_2_037DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]1_2_037DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov eax, dword ptr fs:[00000030h]1_2_037DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037DE10E mov ecx, dword ptr fs:[00000030h]1_2_037DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037601F8 mov eax, dword ptr fs:[00000030h]1_2_037601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]1_2_037AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]1_2_037AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_037AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]1_2_037AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE1D0 mov eax, dword ptr fs:[00000030h]1_2_037AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F61C3 mov eax, dword ptr fs:[00000030h]1_2_037F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F61C3 mov eax, dword ptr fs:[00000030h]1_2_037F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]1_2_037B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]1_2_037B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]1_2_037B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B019F mov eax, dword ptr fs:[00000030h]1_2_037B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804164 mov eax, dword ptr fs:[00000030h]1_2_03804164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804164 mov eax, dword ptr fs:[00000030h]1_2_03804164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372A197 mov eax, dword ptr fs:[00000030h]1_2_0372A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372A197 mov eax, dword ptr fs:[00000030h]1_2_0372A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372A197 mov eax, dword ptr fs:[00000030h]1_2_0372A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03770185 mov eax, dword ptr fs:[00000030h]1_2_03770185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EC188 mov eax, dword ptr fs:[00000030h]1_2_037EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EC188 mov eax, dword ptr fs:[00000030h]1_2_037EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D4180 mov eax, dword ptr fs:[00000030h]1_2_037D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D4180 mov eax, dword ptr fs:[00000030h]1_2_037D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375C073 mov eax, dword ptr fs:[00000030h]1_2_0375C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03732050 mov eax, dword ptr fs:[00000030h]1_2_03732050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B6050 mov eax, dword ptr fs:[00000030h]1_2_037B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C6030 mov eax, dword ptr fs:[00000030h]1_2_037C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372A020 mov eax, dword ptr fs:[00000030h]1_2_0372A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372C020 mov eax, dword ptr fs:[00000030h]1_2_0372C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]1_2_0374E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]1_2_0374E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]1_2_0374E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E016 mov eax, dword ptr fs:[00000030h]1_2_0374E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B4000 mov ecx, dword ptr fs:[00000030h]1_2_037B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D2000 mov eax, dword ptr fs:[00000030h]1_2_037D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372C0F0 mov eax, dword ptr fs:[00000030h]1_2_0372C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037720F0 mov ecx, dword ptr fs:[00000030h]1_2_037720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0372A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037380E9 mov eax, dword ptr fs:[00000030h]1_2_037380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B60E0 mov eax, dword ptr fs:[00000030h]1_2_037B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B20DE mov eax, dword ptr fs:[00000030h]1_2_037B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F60B8 mov eax, dword ptr fs:[00000030h]1_2_037F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F60B8 mov ecx, dword ptr fs:[00000030h]1_2_037F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037280A0 mov eax, dword ptr fs:[00000030h]1_2_037280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C80A8 mov eax, dword ptr fs:[00000030h]1_2_037C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373208A mov eax, dword ptr fs:[00000030h]1_2_0373208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738770 mov eax, dword ptr fs:[00000030h]1_2_03738770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740770 mov eax, dword ptr fs:[00000030h]1_2_03740770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03730750 mov eax, dword ptr fs:[00000030h]1_2_03730750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BE75D mov eax, dword ptr fs:[00000030h]1_2_037BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772750 mov eax, dword ptr fs:[00000030h]1_2_03772750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772750 mov eax, dword ptr fs:[00000030h]1_2_03772750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B4755 mov eax, dword ptr fs:[00000030h]1_2_037B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376674D mov esi, dword ptr fs:[00000030h]1_2_0376674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376674D mov eax, dword ptr fs:[00000030h]1_2_0376674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376674D mov eax, dword ptr fs:[00000030h]1_2_0376674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376273C mov eax, dword ptr fs:[00000030h]1_2_0376273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376273C mov ecx, dword ptr fs:[00000030h]1_2_0376273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376273C mov eax, dword ptr fs:[00000030h]1_2_0376273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AC730 mov eax, dword ptr fs:[00000030h]1_2_037AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376C720 mov eax, dword ptr fs:[00000030h]1_2_0376C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376C720 mov eax, dword ptr fs:[00000030h]1_2_0376C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03730710 mov eax, dword ptr fs:[00000030h]1_2_03730710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03760710 mov eax, dword ptr fs:[00000030h]1_2_03760710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376C700 mov eax, dword ptr fs:[00000030h]1_2_0376C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037347FB mov eax, dword ptr fs:[00000030h]1_2_037347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037347FB mov eax, dword ptr fs:[00000030h]1_2_037347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037527ED mov eax, dword ptr fs:[00000030h]1_2_037527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037527ED mov eax, dword ptr fs:[00000030h]1_2_037527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037527ED mov eax, dword ptr fs:[00000030h]1_2_037527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BE7E1 mov eax, dword ptr fs:[00000030h]1_2_037BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373C7C0 mov eax, dword ptr fs:[00000030h]1_2_0373C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B07C3 mov eax, dword ptr fs:[00000030h]1_2_037B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037307AF mov eax, dword ptr fs:[00000030h]1_2_037307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037E47A0 mov eax, dword ptr fs:[00000030h]1_2_037E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037D678E mov eax, dword ptr fs:[00000030h]1_2_037D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03762674 mov eax, dword ptr fs:[00000030h]1_2_03762674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F866E mov eax, dword ptr fs:[00000030h]1_2_037F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037F866E mov eax, dword ptr fs:[00000030h]1_2_037F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A660 mov eax, dword ptr fs:[00000030h]1_2_0376A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A660 mov eax, dword ptr fs:[00000030h]1_2_0376A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374C640 mov eax, dword ptr fs:[00000030h]1_2_0374C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374E627 mov eax, dword ptr fs:[00000030h]1_2_0374E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03766620 mov eax, dword ptr fs:[00000030h]1_2_03766620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03768620 mov eax, dword ptr fs:[00000030h]1_2_03768620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0373262C mov eax, dword ptr fs:[00000030h]1_2_0373262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03772619 mov eax, dword ptr fs:[00000030h]1_2_03772619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE609 mov eax, dword ptr fs:[00000030h]1_2_037AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0374260B mov eax, dword ptr fs:[00000030h]1_2_0374260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]1_2_037AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]1_2_037AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]1_2_037AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037AE6F2 mov eax, dword ptr fs:[00000030h]1_2_037AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B06F1 mov eax, dword ptr fs:[00000030h]1_2_037B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B06F1 mov eax, dword ptr fs:[00000030h]1_2_037B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0376A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A6C7 mov eax, dword ptr fs:[00000030h]1_2_0376A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037666B0 mov eax, dword ptr fs:[00000030h]1_2_037666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376C6A6 mov eax, dword ptr fs:[00000030h]1_2_0376C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03734690 mov eax, dword ptr fs:[00000030h]1_2_03734690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03734690 mov eax, dword ptr fs:[00000030h]1_2_03734690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]1_2_0376656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]1_2_0376656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376656A mov eax, dword ptr fs:[00000030h]1_2_0376656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738550 mov eax, dword ptr fs:[00000030h]1_2_03738550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03738550 mov eax, dword ptr fs:[00000030h]1_2_03738550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03740535 mov eax, dword ptr fs:[00000030h]1_2_03740535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]1_2_0375E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]1_2_0375E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]1_2_0375E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]1_2_0375E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E53E mov eax, dword ptr fs:[00000030h]1_2_0375E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037C6500 mov eax, dword ptr fs:[00000030h]1_2_037C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03804500 mov eax, dword ptr fs:[00000030h]1_2_03804500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375E5E7 mov eax, dword ptr fs:[00000030h]1_2_0375E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037325E0 mov eax, dword ptr fs:[00000030h]1_2_037325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376C5ED mov eax, dword ptr fs:[00000030h]1_2_0376C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376C5ED mov eax, dword ptr fs:[00000030h]1_2_0376C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037365D0 mov eax, dword ptr fs:[00000030h]1_2_037365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A5D0 mov eax, dword ptr fs:[00000030h]1_2_0376A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376A5D0 mov eax, dword ptr fs:[00000030h]1_2_0376A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E5CF mov eax, dword ptr fs:[00000030h]1_2_0376E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E5CF mov eax, dword ptr fs:[00000030h]1_2_0376E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037545B1 mov eax, dword ptr fs:[00000030h]1_2_037545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037545B1 mov eax, dword ptr fs:[00000030h]1_2_037545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]1_2_037B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]1_2_037B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037B05A7 mov eax, dword ptr fs:[00000030h]1_2_037B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E59C mov eax, dword ptr fs:[00000030h]1_2_0376E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03732582 mov eax, dword ptr fs:[00000030h]1_2_03732582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03732582 mov ecx, dword ptr fs:[00000030h]1_2_03732582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03764588 mov eax, dword ptr fs:[00000030h]1_2_03764588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]1_2_0375A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]1_2_0375A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375A470 mov eax, dword ptr fs:[00000030h]1_2_0375A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037BC460 mov ecx, dword ptr fs:[00000030h]1_2_037BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037EA456 mov eax, dword ptr fs:[00000030h]1_2_037EA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0372645D mov eax, dword ptr fs:[00000030h]1_2_0372645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0375245A mov eax, dword ptr fs:[00000030h]1_2_0375245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]1_2_0376E443
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376E443 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376A430 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0372E420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0372C427 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B6420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03768402 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037304E5 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037644B0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037BA4B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037364AB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037EA49A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0372CB7E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03728B50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037DEB50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037E4B4B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037C6B40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037FAB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037D8B42 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0375EB20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037F8B28 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037AEB1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03804B00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03738BF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0375EBFC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037BCBF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037DEBD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03750BCB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03730BCD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03740BBE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037E4BB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03802B57 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03804A80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037ACA72 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376CA6F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037DEA60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03736A50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03740A5B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03754A35 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376CA38 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376CA24 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0375EA2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037BCA11 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0376AAEE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03730AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03764AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03786ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03738AA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03786AA4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03768A90 mov edx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0373EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037D4978 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037BC97C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03756962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0377096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0377096E mov edx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B0946 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B892A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037C892B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037BC912 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03728918 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037AE908 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037629F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037BE9E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037649D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037FA9D3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037C69C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03804940 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B89B3 mov esi, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037B89B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037309AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037BE872 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037C6870 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03760854 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03734859 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03742840 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03752835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002A81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_0027A364 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_0027A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\Attendance list.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Attendance list.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2C25008
          Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002A8C93 LogonUserW
          Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00253B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00254A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002B4EF5 mouse_event
          Source: C:\Users\user\Desktop\Attendance list.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Attendance list.exe"
          Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002A81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002B4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
          Source: Attendance list.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: Attendance list.exe | Binary or memory string: Shell_TrayWnd
          Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_0027886B cpuid
          Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002850D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
          Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00292230 GetUserNameW
          Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_0028418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
          Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00254AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

          Stealing of Sensitive Information

          Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.2013285557.0000000003570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.2013032455.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Attendance list.exe | Binary or memory string: WIN_81
          Source: Attendance list.exe | Binary or memory string: WIN_XP
          Source: Attendance list.exe | Binary or memory string: WIN_XPe
          Source: Attendance list.exe | Binary or memory string: WIN_VISTA
          Source: Attendance list.exe | Binary or memory string: WIN_7
          Source: Attendance list.exe | Binary or memory string: WIN_8
          Source: Attendance list.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

          Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.2013285557.0000000003570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.2013032455.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002C6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
          Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_002C6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
          MITRE ATT&CK Matrix (techniques listed per tactic; a number in brackets is the count shown next to that technique in the report's matrix)

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
          Initial Access: Valid Accounts [2]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
          Execution: Native API [3]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
          Persistence: Valid Accounts [2]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
          Privilege Escalation: Valid Accounts [2]; Exploitation for Privilege Escalation [1]; Access Token Manipulation [21]; Process Injection [212]; DLL Side-Loading [1]; RC Scripts; Startup Items; Scheduled Task/Job; At
          Defense Evasion: Valid Accounts [2]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [2]; Access Token Manipulation [21]; Process Injection [212]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; DLL Side-Loading [1]; HTML Smuggling
          Credential Access: Input Capture [21]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
          Discovery: System Time Discovery [2]; Security Software Discovery [15]; Virtualization/Sandbox Evasion [2]; Process Discovery [3]; Application Window Discovery [1]; Account Discovery [1]; System Owner/User Discovery [1]; File and Directory Discovery [1]; System Information Discovery [115]
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
          Collection: Input Capture [21]; Archive Collected Data [1]; Clipboard Data [3]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
          Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [1]; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
          Source | Detection | Scanner | Label
          Attendance list.exe | 45% | ReversingLabs | Win32.Trojan.Autoit
          Attendance list.exe | 40% | Virustotal |
          Attendance list.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No contacted domains info
          No contacted IP info
          Joe Sandbox version: 40.0.0 Tourmaline
          Analysis ID: 1465802
          Start date and time: 2024-07-02 06:13:06 +02:00
          Joe Sandbox product: CloudBasic
          Overall analysis duration: 0h 4m 47s
          Hypervisor based Inspection enabled: false
          Report type: full
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of new started processes analysed: 5
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Sample name: Attendance list.exe
          Detection: MAL
          Classification: mal88.troj.evad.winEXE@3/4@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 98%
          • Number of executed functions: 56
          • Number of non-executed functions: 273
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Stop behavior analysis, all processes terminated
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes were analyzed; the report is missing behavior information
          • Report size exceeded maximum capacity and may be missing disassembly code
          Time | Type | Description
          00:14:28 | API Interceptor | 3x Sleep call for process: svchost.exe modified
          Process: C:\Users\user\Desktop\Attendance list.exe
          File Type: data
          Category: dropped
          Size (bytes): 274432
          Entropy (8bit): 7.994758912890692
          Encrypted: true
          SSDEEP: 6144:KhuRm8/xU0Q1cv7HzfhKU8EkYERLkm34Z3cPMRVd:KQRmqxJQ1wfhF5ER+bRVd
          MD5: 08F7CCD0DD280D2FA4F8C8A3BCB835EC
          SHA1: 3CFD34A341C25D5CB9AC1B532C7CEEAD3E32AF2B
          SHA-256: FCBDCDDA495F396408339E1AEFD1B2531D0B66A11ABCD8461B0F5F52147BF790
          SHA-512: 62DB62D77D267ED7DFC1A1411CCE0494C2CC6E0BC78F6F1C981652A2769F12CCCBC2838C5C5CE68F5C46CE44A46A1CED414E3B18D678013D008F4B2C91A0415F
          Malicious: false
          Reputation: low
          Process:C:\Users\user\Desktop\Attendance list.exe
          File Type:data
          Category:dropped
          Size (bytes):9840
          Entropy (8bit):7.599658708143446
          Encrypted:false
          SSDEEP:192:65jwEiq2KWeTY6Vi+7MX9O1JZNO3yLyD416WBAoniCl2e6EMajYxc3EBVHbZr:I6qTRPI9ObSCGD413BAoniG2anEmEXbt
          MD5:DCE9B5B03644E1F050CAA151E1BB4013
          SHA1:DD24ED4B2C5571BBC09B03FF67D5C36F8D310A81
          SHA-256:D7A72B68CACCCFAD5C528525F2045E8F9552A0A42135367148576738D831B57F
          SHA-512:AE11CCF13DE27E37F42D971993DDB983A47223102DFFF8D8EFB7AFB63F00E0959BCA1558110FAD6EB901C83A8087E45D44E46E901BFAC43E57012DD74ACFFF35
          Malicious:false
          Reputation:low
          Process:C:\Users\user\Desktop\Attendance list.exe
          File Type:ASCII text, with very long lines (28756), with no line terminators
          Category:dropped
          Size (bytes):28756
          Entropy (8bit):3.589992688693254
          Encrypted:false
          SSDEEP:768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbA+IL26cz24vfF3if6gF:miTZ+2QoioGRk6ZklputwjpjBkCiw2RQ
          MD5:E1561084BAD30A33612A273F6B143A19
          SHA1:842414D322C02E03EE20E8E62AA908A8CA2FC892
          SHA-256:36470D381704EEBA19EFCDA19357A1873D626376F7C5530CFE2E0BE4D0F7D0A7
          SHA-512:122AA8DD43D6DA9E345CB734055E142299AF03580E6D3B0DFAC2562F62D80BC2AC77C2CCFA421047DAAC1F1E0EB5DF33C07413AAF0321B2BBA79F001ED84867D
          Malicious:false
          Reputation:low
          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.1506622976873135
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:Attendance list.exe
          File size:1'197'056 bytes
          MD5:ac274060092bb14f6504d6fd48c20590
          SHA1:9c1c471f9a2fe2523062c8bcd16fbf093ae6a72e
          SHA256:e977838b7536ed73154cbfb37e2204bbc873da89b3c5aeed5bb2d9eff73a07b6
          SHA512:b3bf7b5f6b2e29e7a01c1efc4ddd5326cc4caf74b23225f03c4a0108f8739e0a9f99e00e90b944cd9178730ae8fee5a4e3f45d0889812be802cf01024e491874
          SSDEEP:24576:eAHnh+eWsN3skA4RV1Hom2KXMmHa+3RwsGpjQT/sM5:Jh+ZkldoPK8Ya+BDujQT/D
          TLSH:C845BD0273D1C036FFABA2739B6AF64156BD79250133852F13982DB9BC701B1267E663
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
          Icon Hash:aaf3e3e3938382a0
          Entrypoint:0x42800a
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
          Time Stamp:0x66833693 [Mon Jul 1 23:06:59 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:afcdf79be1557326c854b6e20cb900a7
          Instruction
          call 00007FEC9521CD2Dh
          jmp 00007FEC9520FAE4h
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          push edi
          push esi
          mov esi, dword ptr [esp+10h]
          mov ecx, dword ptr [esp+14h]
          mov edi, dword ptr [esp+0Ch]
          mov eax, ecx
          mov edx, ecx
          add eax, esi
          cmp edi, esi
          jbe 00007FEC9520FC6Ah
          cmp edi, eax
          jc 00007FEC9520FFCEh
          bt dword ptr [004C41FCh], 01h
          jnc 00007FEC9520FC69h
          rep movsb
          jmp 00007FEC9520FF7Ch
          cmp ecx, 00000080h
          jc 00007FEC9520FE34h
          mov eax, edi
          xor eax, esi
          test eax, 0000000Fh
          jne 00007FEC9520FC70h
          bt dword ptr [004BF324h], 01h
          jc 00007FEC95210140h
          bt dword ptr [004C41FCh], 00000000h
          jnc 00007FEC9520FE0Dh
          test edi, 00000003h
          jne 00007FEC9520FE1Eh
          test esi, 00000003h
          jne 00007FEC9520FDFDh
          bt edi, 02h
          jnc 00007FEC9520FC6Fh
          mov eax, dword ptr [esi]
          sub ecx, 04h
          lea esi, dword ptr [esi+04h]
          mov dword ptr [edi], eax
          lea edi, dword ptr [edi+04h]
          bt edi, 03h
          jnc 00007FEC9520FC73h
          movq xmm1, qword ptr [esi]
          sub ecx, 08h
          lea esi, dword ptr [esi+08h]
          movq qword ptr [edi], xmm1
          lea edi, dword ptr [edi+08h]
          test esi, 00000007h
          je 00007FEC9520FCC5h
          bt esi, 03h
          Programming Language:
          • [ASM] VS2013 build 21005
          • [ C ] VS2013 build 21005
          • [C++] VS2013 build 21005
          • [ C ] VS2008 SP1 build 30729
          • [IMP] VS2008 SP1 build 30729
          • [ASM] VS2013 UPD5 build 40629
          • [RES] VS2013 build 21005
          • [LNK] VS2013 UPD5 build 40629
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x59d18 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x122000 | 0x7134 | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc | 0xc8000 | 0x59d18 | 0x59e00 | 825d539a2c42d9940188ba0542810553 | False | 0.9269438890820584 | data | 7.892385272077475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x122000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
          RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
          RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
          RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
          RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
          RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
          RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
          RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
          RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
          RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
          RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
          RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
          RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9
          RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
          RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103
          RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534
          RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
          RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
          RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
          RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
          RT_RCDATA | 0xd07b8 | 0x50fe0 | data | | | 1.0003345953506317
          RT_GROUP_ICON | 0x121798 | 0x76 | data | English | Great Britain | 0.6610169491525424
          RT_GROUP_ICON | 0x121810 | 0x14 | data | English | Great Britain | 1.25
          RT_GROUP_ICON | 0x121824 | 0x14 | data | English | Great Britain | 1.15
          RT_GROUP_ICON | 0x121838 | 0x14 | data | English | Great Britain | 1.25
          RT_VERSION | 0x12184c | 0xdc | data | English | Great Britain | 0.6181818181818182
          RT_MANIFEST | 0x121928 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
          DLL | Import
          WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
          VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
          WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
          COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
          MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
          WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
          PSAPI.DLL | GetProcessMemoryInfo
          IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
          USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
          UxTheme.dll | IsThemeActive
          KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
          USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
          GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
          COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
          ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
          SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
          ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
          OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
          Language of compilation system | Country where language is spoken | Map
          English | Great Britain |
          No network behavior found

          Target ID:0
          Start time:00:13:53
          Start date:02/07/2024
          Path:C:\Users\user\Desktop\Attendance list.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\Attendance list.exe"
          Imagebase:0x250000
          File size:1'197'056 bytes
          MD5 hash:AC274060092BB14F6504D6FD48C20590
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:1
          Start time:00:13:54
          Start date:02/07/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\Attendance list.exe"
          Imagebase:0x980000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2013285557.0000000003570000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2013285557.0000000003570000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2013032455.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2013032455.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          Reputation:moderate
          Has exited:true

            Execution Graph

            Execution Coverage:4.1%
            Dynamic/Decrypted Code Coverage:0.4%
            Signature Coverage:2.9%
            Total number of Nodes:2000
            Total number of Limit Nodes:167
272f95 _free 58 API calls 97341->97342 97342->97271 97343->97341 97344->97340 97346 272f95 _free 58 API calls 97345->97346 97346->97342 97407 279006 IsProcessorFeaturePresent 97348->97407 97350 285089 97350->97271 97353 27333b __IsNonwritableInCurrentImage 97351->97353 97430 27a711 97353->97430 97354 273359 __initterm_e 97355 272f80 __cinit 67 API calls 97354->97355 97356 273378 __cinit __IsNonwritableInCurrentImage 97354->97356 97355->97356 97356->97275 97358 254948 97357->97358 97368 2549e7 97357->97368 97359 254982 IsThemeActive 97358->97359 97433 2735ac 97359->97433 97363 2549ae 97445 254a5b SystemParametersInfoW SystemParametersInfoW 97363->97445 97365 2549ba 97446 253b4c 97365->97446 97367 2549c2 SystemParametersInfoW 97367->97368 97368->97279 97369->97253 97370->97258 97371->97264 97375->97280 97376->97283 97377->97289 97378->97291 97379->97295 97380->97296 97384 278a1c 97381->97384 97383 278a57 97383->97300 97387 27a026 TlsSetValue 97383->97387 97384->97383 97385 278a3a 97384->97385 97390 285446 97384->97390 97385->97383 97385->97384 97398 27a372 Sleep 97385->97398 97387->97303 97388->97307 97389->97304 97391 285451 97390->97391 97396 28546c 97390->97396 97392 28545d 97391->97392 97391->97396 97399 278d68 58 API calls __getptd_noexit 97392->97399 97394 28547c HeapAlloc 97395 285462 97394->97395 97394->97396 97395->97384 97396->97394 97396->97395 97400 2735e1 DecodePointer 97396->97400 97398->97385 97399->97395 97400->97396 97401->97322 97402->97324 97403->97313 97404->97332 97405->97336 97406->97340 97408 279011 97407->97408 97413 278e99 97408->97413 97412 27902c 97412->97350 97414 278eb3 _memset __call_reportfault 97413->97414 97415 278ed3 IsDebuggerPresent 97414->97415 97421 27a395 SetUnhandledExceptionFilter UnhandledExceptionFilter 97415->97421 97418 278fba 97420 27a380 GetCurrentProcess TerminateProcess 97418->97420 97419 278f97 __call_reportfault 97422 27c836 97419->97422 97420->97412 97421->97419 97423 27c840 IsProcessorFeaturePresent 97422->97423 
97424 27c83e 97422->97424 97426 285b5a 97423->97426 97424->97418 97429 285b09 5 API calls 2 library calls 97426->97429 97428 285c3d 97428->97418 97429->97428 97431 27a714 EncodePointer 97430->97431 97431->97431 97432 27a72e 97431->97432 97432->97354 97434 279e4b __lock 58 API calls 97433->97434 97435 2735b7 DecodePointer EncodePointer 97434->97435 97498 279fb5 LeaveCriticalSection 97435->97498 97437 2549a7 97438 273614 97437->97438 97439 27361e 97438->97439 97440 273638 97438->97440 97439->97440 97499 278d68 58 API calls __getptd_noexit 97439->97499 97440->97363 97442 273628 97500 278ff6 9 API calls __woutput_l 97442->97500 97444 273633 97444->97363 97445->97365 97447 253b59 __write_nolock 97446->97447 97448 2577c7 59 API calls 97447->97448 97449 253b63 GetCurrentDirectoryW 97448->97449 97501 253778 97449->97501 97451 253b8c IsDebuggerPresent 97452 28d4ad MessageBoxA 97451->97452 97453 253b9a 97451->97453 97454 28d4c7 97452->97454 97453->97454 97455 253bb7 97453->97455 97485 253c73 97453->97485 97711 257373 59 API calls Mailbox 97454->97711 97582 2573e5 97455->97582 97456 253c7a SetCurrentDirectoryW 97461 253c87 Mailbox 97456->97461 97459 28d4d7 97465 28d4ed SetCurrentDirectoryW 97459->97465 97461->97367 97462 253bd5 GetFullPathNameW 97463 257d2c 59 API calls 97462->97463 97464 253c10 97463->97464 97598 260a8d 97464->97598 97465->97461 97468 253c2e 97469 253c38 97468->97469 97712 2b4c03 AllocateAndInitializeSid CheckTokenMembership FreeSid 97468->97712 97614 253a58 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 97469->97614 97472 28d50a 97472->97469 97475 28d51b 97472->97475 97713 254864 97475->97713 97476 253c42 97477 253c55 97476->97477 97622 2543db 97476->97622 97633 260b30 97477->97633 97481 28d523 97485->97456 97498->97437 97499->97442 97500->97444 97502 2577c7 59 API calls 97501->97502 97503 25378e 97502->97503 97740 253d43 97503->97740 97505 2537ac 97506 254864 61 API calls 97505->97506 97507 2537c0 97506->97507 97508 257f41 59 API calls 
97507->97508 97509 2537cd 97508->97509 97754 254f3d 97509->97754 97512 28d3ae 97825 2b97e5 97512->97825 97513 2537ee Mailbox 97778 2581a7 97513->97778 97516 28d3cd 97519 272f95 _free 58 API calls 97516->97519 97521 28d3da 97519->97521 97523 254faa 84 API calls 97521->97523 97525 28d3e3 97523->97525 97529 253ee2 59 API calls 97525->97529 97526 257f41 59 API calls 97527 25381a 97526->97527 97785 258620 97527->97785 97531 28d3fe 97529->97531 97530 25382c Mailbox 97532 257f41 59 API calls 97530->97532 97533 253ee2 59 API calls 97531->97533 97534 253852 97532->97534 97535 28d41a 97533->97535 97536 258620 69 API calls 97534->97536 97537 254864 61 API calls 97535->97537 97539 253861 Mailbox 97536->97539 97538 28d43f 97537->97538 97540 253ee2 59 API calls 97538->97540 97542 2577c7 59 API calls 97539->97542 97541 28d44b 97540->97541 97543 2581a7 59 API calls 97541->97543 97544 25387f 97542->97544 97545 28d459 97543->97545 97789 253ee2 97544->97789 97547 253ee2 59 API calls 97545->97547 97549 28d468 97547->97549 97555 2581a7 59 API calls 97549->97555 97551 253899 97551->97525 97552 2538a3 97551->97552 97553 27313d _W_store_winword 60 API calls 97552->97553 97554 2538ae 97553->97554 97554->97531 97556 2538b8 97554->97556 97557 28d48a 97555->97557 97558 27313d _W_store_winword 60 API calls 97556->97558 97559 253ee2 59 API calls 97557->97559 97560 2538c3 97558->97560 97561 28d497 97559->97561 97560->97535 97562 2538cd 97560->97562 97561->97561 97563 27313d _W_store_winword 60 API calls 97562->97563 97564 2538d8 97563->97564 97564->97549 97565 253919 97564->97565 97567 253ee2 59 API calls 97564->97567 97565->97549 97566 253926 97565->97566 97805 25942e 97566->97805 97569 2538fc 97567->97569 97571 2581a7 59 API calls 97569->97571 97573 25390a 97571->97573 97575 253ee2 59 API calls 97573->97575 97575->97565 97577 2593ea 59 API calls 97579 253961 97577->97579 97578 259040 60 API calls 97578->97579 97579->97577 97579->97578 97580 253ee2 59 API calls 97579->97580 97581 2539a7 Mailbox 
97579->97581 97580->97579 97581->97451 97583 2573f2 __write_nolock 97582->97583 97584 28ee4b _memset 97583->97584 97585 25740b 97583->97585 97587 28ee67 GetOpenFileNameW 97584->97587 98616 2548ae 97585->98616 97589 28eeb6 97587->97589 97591 257d2c 59 API calls 97589->97591 97593 28eecb 97591->97593 97593->97593 97595 257429 98644 2569ca 97595->98644 97599 260a9a __write_nolock 97598->97599 98961 256ee0 97599->98961 97601 260a9f 97613 253c26 97601->97613 98972 2612fe 89 API calls 97601->98972 97603 260aac 97603->97613 98973 264047 91 API calls Mailbox 97603->98973 97605 260ab5 97606 260ab9 GetFullPathNameW 97605->97606 97605->97613 97607 257d2c 59 API calls 97606->97607 97608 260ae5 97607->97608 97609 257d2c 59 API calls 97608->97609 97610 260af2 97609->97610 97611 2950d5 _wcscat 97610->97611 97612 257d2c 59 API calls 97610->97612 97612->97613 97613->97459 97613->97468 97615 28d49c 97614->97615 97616 253ac2 LoadImageW RegisterClassExW 97614->97616 99013 2548fe LoadImageW EnumResourceNamesW 97615->99013 99012 253041 7 API calls 97616->99012 97619 28d4a5 97620 253b46 97621 2539e7 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 97620->97621 97621->97476 97623 254406 _memset 97622->97623 99014 254213 97623->99014 97634 2950ed 97633->97634 97648 260b55 97633->97648 99103 2ba0b5 89 API calls 4 library calls 97634->99103 97687 260b65 Mailbox 97648->97687 99104 259fbd 60 API calls 97648->99104 99105 2a68bf 341 API calls 97648->99105 97664 270ff6 59 API calls Mailbox 97664->97687 97665 295f22 Sleep 97668 2610ae timeGetTime 97687->97664 97687->97665 97687->97668 97711->97459 97712->97472 97714 281b90 __write_nolock 97713->97714 97715 254871 GetModuleFileNameW 97714->97715 97716 257f41 59 API calls 97715->97716 97717 254897 97716->97717 97718 2548ae 60 API calls 97717->97718 97719 2548a1 Mailbox 97718->97719 97719->97481 97741 253d50 __write_nolock 97740->97741 97742 257d2c 59 API calls 97741->97742 97747 253eb6 Mailbox 97741->97747 97744 253d82 97742->97744 97753 253db8 
Mailbox 97744->97753 97866 257b52 97744->97866 97745 253e89 97746 257f41 59 API calls 97745->97746 97745->97747 97749 253eaa 97746->97749 97747->97505 97748 257f41 59 API calls 97748->97753 97750 253f84 59 API calls 97749->97750 97750->97747 97751 257b52 59 API calls 97751->97753 97753->97745 97753->97747 97753->97748 97753->97751 97869 253f84 97753->97869 97875 254d13 97754->97875 97759 28dd0f 97762 254faa 84 API calls 97759->97762 97760 254f68 LoadLibraryExW 97885 254cc8 97760->97885 97764 28dd16 97762->97764 97766 254cc8 3 API calls 97764->97766 97767 28dd1e 97766->97767 97911 25506b 97767->97911 97768 254f8f 97768->97767 97769 254f9b 97768->97769 97771 254faa 84 API calls 97769->97771 97773 2537e6 97771->97773 97773->97512 97773->97513 97775 28dd45 97919 255027 97775->97919 97777 28dd52 97779 2581b2 97778->97779 97780 253801 97778->97780 98349 2580d7 59 API calls 2 library calls 97779->98349 97782 2593ea 97780->97782 97783 270ff6 Mailbox 59 API calls 97782->97783 97784 25380d 97783->97784 97784->97526 97786 25862b 97785->97786 97788 258652 97786->97788 98350 258b13 69 API calls Mailbox 97786->98350 97788->97530 97790 253f05 97789->97790 97791 253eec 97789->97791 97792 257d2c 59 API calls 97790->97792 97793 2581a7 59 API calls 97791->97793 97794 25388b 97792->97794 97793->97794 97795 27313d 97794->97795 97796 2731be 97795->97796 97797 273149 97795->97797 98353 2731d0 60 API calls 4 library calls 97796->98353 97804 27316e 97797->97804 98351 278d68 58 API calls __getptd_noexit 97797->98351 97800 2731cb 97800->97551 97801 273155 98352 278ff6 9 API calls __woutput_l 97801->98352 97803 273160 97803->97551 97804->97551 97806 259436 97805->97806 97807 270ff6 Mailbox 59 API calls 97806->97807 97809 259444 97807->97809 97808 253936 97811 2591b0 97808->97811 97809->97808 98354 25935c 59 API calls Mailbox 97809->98354 98355 2592c0 97811->98355 97813 2591bf 97814 270ff6 Mailbox 59 API calls 97813->97814 97815 253944 97813->97815 97814->97815 97816 259040 97815->97816 97817 
28f5a5 97816->97817 97823 259057 97816->97823 97817->97823 98365 258d3b 59 API calls Mailbox 97817->98365 97819 2591a0 98364 259e9c 60 API calls Mailbox 97819->98364 97820 259158 97821 270ff6 Mailbox 59 API calls 97820->97821 97824 25915f 97821->97824 97823->97819 97823->97820 97823->97824 97824->97579 97826 255045 85 API calls 97825->97826 97827 2b9854 97826->97827 98366 2b99be 97827->98366 97830 25506b 74 API calls 97831 2b9881 97830->97831 97832 25506b 74 API calls 97831->97832 97833 2b9891 97832->97833 97834 25506b 74 API calls 97833->97834 97835 2b98ac 97834->97835 97836 25506b 74 API calls 97835->97836 97837 2b98c7 97836->97837 97838 255045 85 API calls 97837->97838 97839 2b98de 97838->97839 97840 27594c __malloc_crt 58 API calls 97839->97840 97841 2b98e5 97840->97841 97842 27594c __malloc_crt 58 API calls 97841->97842 97843 2b98ef 97842->97843 97844 25506b 74 API calls 97843->97844 97845 2b9903 97844->97845 97846 2b9393 GetSystemTimeAsFileTime 97845->97846 97847 2b9916 97846->97847 97848 2b992b 97847->97848 97849 2b9940 97847->97849 97850 272f95 _free 58 API calls 97848->97850 97851 2b9946 97849->97851 97852 2b99a5 97849->97852 97854 2b9931 97850->97854 98372 2b8d90 97851->98372 97853 272f95 _free 58 API calls 97852->97853 97858 28d3c1 97853->97858 97856 272f95 _free 58 API calls 97854->97856 97856->97858 97858->97516 97860 254faa 97858->97860 97859 272f95 _free 58 API calls 97859->97858 97861 254fb4 97860->97861 97863 254fbb 97860->97863 97862 2755d6 __fcloseall 83 API calls 97861->97862 97862->97863 97864 254fdb FreeLibrary 97863->97864 97865 254fca 97863->97865 97864->97865 97865->97516 97867 257faf 59 API calls 97866->97867 97868 257b5d 97867->97868 97868->97744 97870 253f92 97869->97870 97874 253fb4 _memmove 97869->97874 97872 270ff6 Mailbox 59 API calls 97870->97872 97871 270ff6 Mailbox 59 API calls 97873 253fc8 97871->97873 97872->97874 97873->97753 97874->97871 97924 254d61 97875->97924 97878 254d61 2 API calls 97881 254d3a 97878->97881 97879 254d53 
97882 27548b 97879->97882 97880 254d4a FreeLibrary 97880->97879 97881->97879 97881->97880 97928 2754a0 97882->97928 97884 254f5c 97884->97759 97884->97760 98086 254d94 97885->98086 97888 254ced 97889 254cff FreeLibrary 97888->97889 97890 254d08 97888->97890 97889->97890 97892 254dd0 97890->97892 97891 254d94 2 API calls 97891->97888 97893 270ff6 Mailbox 59 API calls 97892->97893 97894 254de5 97893->97894 98090 25538e 97894->98090 97896 254df1 _memmove 97897 254e2c 97896->97897 97898 254f21 97896->97898 97899 254ee9 97896->97899 97900 255027 69 API calls 97897->97900 98104 2b9ba5 95 API calls 97898->98104 98093 254fe9 CreateStreamOnHGlobal 97899->98093 97906 254e35 97900->97906 97903 25506b 74 API calls 97903->97906 97905 254ec9 97905->97768 97906->97903 97906->97905 97907 28dcd0 97906->97907 98099 255045 97906->98099 97908 255045 85 API calls 97907->97908 97909 28dce4 97908->97909 97910 25506b 74 API calls 97909->97910 97910->97905 97912 25507d 97911->97912 97913 28ddf6 97911->97913 98128 275812 97912->98128 97916 2b9393 98326 2b91e9 97916->98326 97918 2b93a9 97918->97775 97920 28ddb9 97919->97920 97921 255036 97919->97921 98331 275e90 97921->98331 97923 25503e 97923->97777 97925 254d2e 97924->97925 97926 254d6a LoadLibraryA 97924->97926 97925->97878 97925->97881 97926->97925 97927 254d7b GetProcAddress 97926->97927 97927->97925 97931 2754ac __ioinit 97928->97931 97929 2754bf 97977 278d68 58 API calls __getptd_noexit 97929->97977 97931->97929 97933 2754f0 97931->97933 97932 2754c4 97978 278ff6 9 API calls __woutput_l 97932->97978 97947 280738 97933->97947 97936 2754f5 97937 2754fe 97936->97937 97938 27550b 97936->97938 97979 278d68 58 API calls __getptd_noexit 97937->97979 97939 275535 97938->97939 97940 275515 97938->97940 97962 280857 97939->97962 97980 278d68 58 API calls __getptd_noexit 97940->97980 97944 2754cf __ioinit @_EH4_CallFilterFunc@8 97944->97884 97948 280744 __ioinit 97947->97948 97949 279e4b __lock 58 API calls 97948->97949 97960 280752 97949->97960 
97950 2807c6 97982 28084e 97950->97982 97951 2807cd 97987 278a5d 58 API calls __malloc_crt 97951->97987 97954 2807d4 97954->97950 97988 27a06b InitializeCriticalSectionAndSpinCount 97954->97988 97955 280843 __ioinit 97955->97936 97957 279ed3 __mtinitlocknum 58 API calls 97957->97960 97959 2807fa EnterCriticalSection 97959->97950 97960->97950 97960->97951 97960->97957 97985 276e8d 59 API calls __lock 97960->97985 97986 276ef7 LeaveCriticalSection LeaveCriticalSection _doexit 97960->97986 97971 280877 __wopenfile 97962->97971 97963 280891 97993 278d68 58 API calls __getptd_noexit 97963->97993 97964 280a4c 97964->97963 97968 280aaf 97964->97968 97966 280896 97994 278ff6 9 API calls __woutput_l 97966->97994 97990 2887f1 97968->97990 97969 275540 97981 275562 LeaveCriticalSection LeaveCriticalSection __wfsopen 97969->97981 97971->97963 97971->97964 97995 273a0b 60 API calls 3 library calls 97971->97995 97973 280a45 97973->97964 97996 273a0b 60 API calls 3 library calls 97973->97996 97975 280a64 97975->97964 97997 273a0b 60 API calls 3 library calls 97975->97997 97977->97932 97978->97944 97979->97944 97980->97944 97981->97944 97989 279fb5 LeaveCriticalSection 97982->97989 97984 280855 97984->97955 97985->97960 97986->97960 97987->97954 97988->97959 97989->97984 97998 287fd5 97990->97998 97992 28880a 97992->97969 97993->97966 97994->97969 97995->97973 97996->97975 97997->97964 98001 287fe1 __ioinit 97998->98001 97999 287ff7 98083 278d68 58 API calls __getptd_noexit 97999->98083 98001->97999 98003 28802d 98001->98003 98002 287ffc 98084 278ff6 9 API calls __woutput_l 98002->98084 98009 28809e 98003->98009 98006 288049 98085 288072 LeaveCriticalSection __unlock_fhandle 98006->98085 98008 288006 __ioinit 98008->97992 98010 2880be 98009->98010 98011 27471a __wsopen_nolock 58 API calls 98010->98011 98014 2880da 98011->98014 98012 279006 __invoke_watson 8 API calls 98013 2887f0 98012->98013 98015 287fd5 __wsopen_helper 103 API calls 98013->98015 98016 288114 98014->98016 98023 
288137 98014->98023 98082 288211 98014->98082 98017 28880a 98015->98017 98018 278d34 __dosmaperr 58 API calls 98016->98018 98017->98006 98019 288119 98018->98019 98020 278d68 ___libm_error_support 58 API calls 98019->98020 98021 288126 98020->98021 98024 278ff6 __woutput_l 9 API calls 98021->98024 98022 2881f5 98025 278d34 __dosmaperr 58 API calls 98022->98025 98023->98022 98030 2881d3 98023->98030 98026 288130 98024->98026 98027 2881fa 98025->98027 98026->98006 98028 278d68 ___libm_error_support 58 API calls 98027->98028 98029 288207 98028->98029 98031 278ff6 __woutput_l 9 API calls 98029->98031 98032 27d4d4 __alloc_osfhnd 61 API calls 98030->98032 98031->98082 98033 2882a1 98032->98033 98034 2882ab 98033->98034 98035 2882ce 98033->98035 98037 278d34 __dosmaperr 58 API calls 98034->98037 98036 287f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98035->98036 98047 2882f0 98036->98047 98038 2882b0 98037->98038 98039 278d68 ___libm_error_support 58 API calls 98038->98039 98041 2882ba 98039->98041 98040 28836e GetFileType 98042 288379 GetLastError 98040->98042 98043 2883bb 98040->98043 98045 278d68 ___libm_error_support 58 API calls 98041->98045 98046 278d47 __dosmaperr 58 API calls 98042->98046 98054 27d76a __set_osfhnd 59 API calls 98043->98054 98044 28833c GetLastError 98048 278d47 __dosmaperr 58 API calls 98044->98048 98045->98026 98049 2883a0 CloseHandle 98046->98049 98047->98040 98047->98044 98050 287f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98047->98050 98051 288361 98048->98051 98049->98051 98052 2883ae 98049->98052 98053 288331 98050->98053 98055 278d68 ___libm_error_support 58 API calls 98051->98055 98056 278d68 ___libm_error_support 58 API calls 98052->98056 98053->98040 98053->98044 98058 2883d9 98054->98058 98055->98082 98057 2883b3 98056->98057 98057->98051 98059 288594 98058->98059 98060 281b11 __lseeki64_nolock 60 API calls 98058->98060 98068 28845a 98058->98068 98061 288767 CloseHandle 98059->98061 98059->98082 98062 
288443 98060->98062 98063 287f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98061->98063 98065 278d34 __dosmaperr 58 API calls 98062->98065 98062->98068 98064 28878e 98063->98064 98067 288796 GetLastError 98064->98067 98075 2887c2 98064->98075 98065->98068 98066 2810ab 70 API calls __read_nolock 98066->98068 98069 278d47 __dosmaperr 58 API calls 98067->98069 98068->98059 98068->98066 98071 280d2d __close_nolock 61 API calls 98068->98071 98074 28848c 98068->98074 98076 27dac6 __write 78 API calls 98068->98076 98077 288611 98068->98077 98080 281b11 60 API calls __lseeki64_nolock 98068->98080 98070 2887a2 98069->98070 98073 27d67d __free_osfhnd 59 API calls 98070->98073 98071->98068 98072 2899f2 __chsize_nolock 82 API calls 98072->98074 98073->98075 98074->98068 98074->98072 98075->98082 98076->98068 98078 280d2d __close_nolock 61 API calls 98077->98078 98079 288618 98078->98079 98081 278d68 ___libm_error_support 58 API calls 98079->98081 98080->98068 98081->98082 98082->98012 98083->98002 98084->98008 98085->98008 98087 254ce1 98086->98087 98088 254d9d LoadLibraryA 98086->98088 98087->97888 98087->97891 98088->98087 98089 254dae GetProcAddress 98088->98089 98089->98087 98091 270ff6 Mailbox 59 API calls 98090->98091 98092 2553a0 98091->98092 98092->97896 98094 255020 98093->98094 98095 255003 FindResourceExW 98093->98095 98094->97897 98095->98094 98096 28dd5c LoadResource 98095->98096 98096->98094 98097 28dd71 SizeofResource 98096->98097 98097->98094 98098 28dd85 LockResource 98097->98098 98098->98094 98100 255054 98099->98100 98101 28ddd4 98099->98101 98105 275a7d 98100->98105 98103 255062 98103->97906 98104->97897 98107 275a89 __ioinit 98105->98107 98106 275a9b 98118 278d68 58 API calls __getptd_noexit 98106->98118 98107->98106 98108 275ac1 98107->98108 98120 276e4e 98108->98120 98110 275aa0 98119 278ff6 9 API calls __woutput_l 98110->98119 98113 275ac7 98126 2759ee 83 API calls 5 library calls 98113->98126 98115 275ad6 98127 275af8 
LeaveCriticalSection LeaveCriticalSection __wfsopen 98115->98127 98117 275aab __ioinit 98117->98103 98118->98110 98119->98117 98121 276e80 EnterCriticalSection 98120->98121 98122 276e5e 98120->98122 98124 276e76 98121->98124 98122->98121 98123 276e66 98122->98123 98125 279e4b __lock 58 API calls 98123->98125 98124->98113 98125->98124 98126->98115 98127->98117 98131 27582d 98128->98131 98130 25508e 98130->97916 98132 275839 __ioinit 98131->98132 98133 27587c 98132->98133 98134 275874 __ioinit 98132->98134 98136 27584f _memset 98132->98136 98135 276e4e __lock_file 59 API calls 98133->98135 98134->98130 98137 275882 98135->98137 98158 278d68 58 API calls __getptd_noexit 98136->98158 98144 27564d 98137->98144 98140 275869 98159 278ff6 9 API calls __woutput_l 98140->98159 98146 275668 _memset 98144->98146 98150 275683 98144->98150 98145 275673 98256 278d68 58 API calls __getptd_noexit 98145->98256 98146->98145 98146->98150 98155 2756c3 98146->98155 98148 275678 98257 278ff6 9 API calls __woutput_l 98148->98257 98160 2758b6 LeaveCriticalSection LeaveCriticalSection __wfsopen 98150->98160 98152 2757d4 _memset 98259 278d68 58 API calls __getptd_noexit 98152->98259 98155->98150 98155->98152 98161 274916 98155->98161 98168 2810ab 98155->98168 98236 280df7 98155->98236 98258 280f18 58 API calls 4 library calls 98155->98258 98158->98140 98159->98134 98160->98134 98162 274935 98161->98162 98163 274920 98161->98163 98162->98155 98260 278d68 58 API calls __getptd_noexit 98163->98260 98165 274925 98261 278ff6 9 API calls __woutput_l 98165->98261 98167 274930 98167->98155 98169 2810cc 98168->98169 98170 2810e3 98168->98170 98271 278d34 58 API calls __getptd_noexit 98169->98271 98171 28181b 98170->98171 98176 28111d 98170->98176 98287 278d34 58 API calls __getptd_noexit 98171->98287 98174 2810d1 98272 278d68 58 API calls __getptd_noexit 98174->98272 98178 281125 98176->98178 98184 28113c 98176->98184 98177 281820 98288 278d68 58 API calls __getptd_noexit 98177->98288 98273 278d34 58 
API calls __getptd_noexit 98178->98273 98181 281131 98289 278ff6 9 API calls __woutput_l 98181->98289 98182 28112a 98274 278d68 58 API calls __getptd_noexit 98182->98274 98185 281151 98184->98185 98187 28116b 98184->98187 98189 281189 98184->98189 98216 2810d8 98184->98216 98275 278d34 58 API calls __getptd_noexit 98185->98275 98187->98185 98192 281176 98187->98192 98276 278a5d 58 API calls __malloc_crt 98189->98276 98262 285ebb 98192->98262 98193 281199 98195 2811bc 98193->98195 98196 2811a1 98193->98196 98194 28128a 98197 281303 ReadFile 98194->98197 98200 2812a0 GetConsoleMode 98194->98200 98279 281b11 60 API calls 3 library calls 98195->98279 98277 278d68 58 API calls __getptd_noexit 98196->98277 98201 2817e3 GetLastError 98197->98201 98202 281325 98197->98202 98207 281300 98200->98207 98208 2812b4 98200->98208 98204 2817f0 98201->98204 98205 2812e3 98201->98205 98202->98201 98210 2812f5 98202->98210 98203 2811a6 98278 278d34 58 API calls __getptd_noexit 98203->98278 98285 278d68 58 API calls __getptd_noexit 98204->98285 98218 2812e9 98205->98218 98280 278d47 58 API calls 2 library calls 98205->98280 98207->98197 98208->98207 98211 2812ba ReadConsoleW 98208->98211 98210->98218 98220 28135a 98210->98220 98223 2815c7 98210->98223 98211->98210 98213 2812dd GetLastError 98211->98213 98212 2817f5 98286 278d34 58 API calls __getptd_noexit 98212->98286 98213->98205 98216->98155 98217 272f95 _free 58 API calls 98217->98216 98218->98216 98218->98217 98221 2813c6 ReadFile 98220->98221 98229 281447 98220->98229 98224 2813e7 GetLastError 98221->98224 98231 2813f1 98221->98231 98222 2816cd ReadFile 98228 2816f0 GetLastError 98222->98228 98232 2816fe 98222->98232 98223->98218 98223->98222 98224->98231 98225 281504 98230 2814b4 MultiByteToWideChar 98225->98230 98283 281b11 60 API calls 3 library calls 98225->98283 98226 2814f4 98282 278d68 58 API calls __getptd_noexit 98226->98282 98228->98232 98229->98218 98229->98225 98229->98226 98229->98230 98230->98213 98230->98218 
98231->98220 98281 281b11 60 API calls 3 library calls 98231->98281 98232->98223 98284 281b11 60 API calls 3 library calls 98232->98284 98237 280e02 98236->98237 98241 280e17 98236->98241 98323 278d68 58 API calls __getptd_noexit 98237->98323 98239 280e07 98324 278ff6 9 API calls __woutput_l 98239->98324 98242 280e4c 98241->98242 98248 280e12 98241->98248 98325 286234 58 API calls __malloc_crt 98241->98325 98244 274916 __fflush_nolock 58 API calls 98242->98244 98245 280e60 98244->98245 98290 280f97 98245->98290 98247 280e67 98247->98248 98249 274916 __fflush_nolock 58 API calls 98247->98249 98248->98155 98250 280e8a 98249->98250 98250->98248 98251 274916 __fflush_nolock 58 API calls 98250->98251 98252 280e96 98251->98252 98252->98248 98253 274916 __fflush_nolock 58 API calls 98252->98253 98254 280ea3 98253->98254 98255 274916 __fflush_nolock 58 API calls 98254->98255 98255->98248 98256->98148 98257->98150 98258->98155 98259->98148 98260->98165 98261->98167 98263 285ed3 98262->98263 98264 285ec6 98262->98264 98267 285edf 98263->98267 98268 278d68 ___libm_error_support 58 API calls 98263->98268 98265 278d68 ___libm_error_support 58 API calls 98264->98265 98266 285ecb 98265->98266 98266->98194 98267->98194 98269 285f00 98268->98269 98270 278ff6 __woutput_l 9 API calls 98269->98270 98270->98266 98271->98174 98272->98216 98273->98182 98274->98181 98275->98182 98276->98193 98277->98203 98278->98216 98279->98192 98280->98218 98281->98231 98282->98218 98283->98230 98284->98232 98285->98212 98286->98218 98287->98177 98288->98181 98289->98216 98291 280fa3 __ioinit 98290->98291 98292 280fb0 98291->98292 98293 280fc7 98291->98293 98295 278d34 __dosmaperr 58 API calls 98292->98295 98294 28108b 98293->98294 98296 280fdb 98293->98296 98297 278d34 __dosmaperr 58 API calls 98294->98297 98298 280fb5 98295->98298 98300 280ff9 98296->98300 98301 281006 98296->98301 98302 280ffe 98297->98302 98299 278d68 ___libm_error_support 58 API calls 98298->98299 98314 280fbc __ioinit 98299->98314 

            Control-flow Graph

            APIs
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00253B7A
            • IsDebuggerPresent.KERNEL32 ref: 00253B8C
            • GetFullPathNameW.KERNEL32(00007FFF,?,?,003162F8,003162E0,?,?), ref: 00253BFD
              • Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66
              • Part of subcall function 00260A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00253C26,003162F8,?,?,?), ref: 00260ACE
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00253C81
            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,003093F0,00000010), ref: 0028D4BC
            • SetCurrentDirectoryW.KERNEL32(?,003162F8,?,?,?), ref: 0028D4F4
            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00305D40,003162F8,?,?,?), ref: 0028D57A
            • ShellExecuteW.SHELL32(00000000,?,?), ref: 0028D581
              • Part of subcall function 00253A58: GetSysColorBrush.USER32(0000000F), ref: 00253A62
              • Part of subcall function 00253A58: LoadCursorW.USER32(00000000,00007F00), ref: 00253A71
              • Part of subcall function 00253A58: LoadIconW.USER32(00000063), ref: 00253A88
              • Part of subcall function 00253A58: LoadIconW.USER32(000000A4), ref: 00253A9A
              • Part of subcall function 00253A58: LoadIconW.USER32(000000A2), ref: 00253AAC
              • Part of subcall function 00253A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00253AD2
              • Part of subcall function 00253A58: RegisterClassExW.USER32(?), ref: 00253B28
              • Part of subcall function 002539E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00253A15
              • Part of subcall function 002539E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00253A36
              • Part of subcall function 002539E7: ShowWindow.USER32(00000000,?,?), ref: 00253A4A
              • Part of subcall function 002539E7: ShowWindow.USER32(00000000,?,?), ref: 00253A53
              • Part of subcall function 002543DB: _memset.LIBCMT ref: 00254401
              • Part of subcall function 002543DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002544A6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
            • String ID: This is a third-party compiled AutoIt script.$runas$%.
            • API String ID: 529118366-1956105530
            • Opcode ID: 685ecc2954760e7c925ed54bff4bfed83d2bf7ce11cea28ac55c7553b44144f9
            • Instruction ID: 59d8eed42459e21dd195f8b074aa155227b825055d47b53e2cd0005dfe8ca2a6
            • Opcode Fuzzy Hash: 685ecc2954760e7c925ed54bff4bfed83d2bf7ce11cea28ac55c7553b44144f9
            • Instruction Fuzzy Hash: 2F511D34D25249AACF12EBF4EC16DED7B78AB08341F048466FC51621A1DA744A6ACF28

            Control-flow Graph

            APIs
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00254EEE,?,?,00000000,00000000), ref: 00254FF9
            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00254EEE,?,?,00000000,00000000), ref: 00255010
            • LoadResource.KERNEL32(?,00000000,?,?,00254EEE,?,?,00000000,00000000,?,?,?,?,?,?,00254F8F), ref: 0028DD60
            • SizeofResource.KERNEL32(?,00000000,?,?,00254EEE,?,?,00000000,00000000,?,?,?,?,?,?,00254F8F), ref: 0028DD75
            • LockResource.KERNEL32(N%,?,?,00254EEE,?,?,00000000,00000000,?,?,?,?,?,?,00254F8F,00000000), ref: 0028DD88
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
            • String ID: SCRIPT$N%
            • API String ID: 3051347437-2837872219
            • Opcode ID: ec0d60ce87896989614fd0c793e80610dd76dcf6720b07d568448345201feb17
            • Instruction ID: 43d00c22127ba972c37525bb006742be14ea3030ad31e0567ebb1031df3097a6
            • Opcode Fuzzy Hash: ec0d60ce87896989614fd0c793e80610dd76dcf6720b07d568448345201feb17
            • Instruction Fuzzy Hash: 6C119A75600701AFE7208B65EC5CF277BB9EBC9B12F24816DF806C62A0DB71EC148664

            Control-flow Graph

            APIs
            • GetVersionExW.KERNEL32(?), ref: 00254B2B
              • Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66
            • GetCurrentProcess.KERNEL32(?,002DFAEC,00000000,00000000,?), ref: 00254BF8
            • IsWow64Process.KERNEL32(00000000), ref: 00254BFF
            • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00254C45
            • FreeLibrary.KERNEL32(00000000), ref: 00254C50
            • GetSystemInfo.KERNEL32(00000000), ref: 00254C81
            • GetSystemInfo.KERNEL32(00000000), ref: 00254C8D
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
            • String ID:
            • API String ID: 1986165174-0
            • Opcode ID: a6e317016744303d4646555074275dbb9f7681fa32032693a19f8affb6254364
            • Instruction ID: 50d929ba09f6c232c687ded54723795641b7c2fa51d57130333c49e7298bffdb
            • Opcode Fuzzy Hash: a6e317016744303d4646555074275dbb9f7681fa32032693a19f8affb6254364
            • Instruction Fuzzy Hash: 8A91243186A7C0DEC731EF6894511AAFFE4AF25305B444A5ED4CB83A81D270E95CCB1D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID: Dt1$Dt1$Dt1$Dt1$Variable must be of type 'Object'.
            • API String ID: 0-2946129658
            • Opcode ID: 00cb583b380fbba00f747dd22af45bd8fae2910dbdba3e00ee00d8e81fc735ee
            • Instruction ID: cbf32ec86618798262ec17d5e474bc6d3d11be96d39986b33dddbb457018ecbc
            • Opcode Fuzzy Hash: 00cb583b380fbba00f747dd22af45bd8fae2910dbdba3e00ee00d8e81fc735ee
            • Instruction Fuzzy Hash: 92A2AD74A24206CFCF28CF58C580AA9B7B1FF48315F258059ED06AB351D770EE6ACB85
            APIs
            • GetFileAttributesW.KERNELBASE(?,0028E7C1), ref: 002B46A6
            • FindFirstFileW.KERNELBASE(?,?), ref: 002B46B7
            • FindClose.KERNEL32(00000000), ref: 002B46C7
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: FileFind$AttributesCloseFirst
            • String ID:
            • API String ID: 48322524-0
            • Opcode ID: 9090f8d3c1a809943e93cd1309883bdf7c1269ea82cbe95ea8e1dc61a758ab0e
            • Instruction ID: 77b6f01f914546fe24a0364bcf27436134300cb61228d0da3d142c5ce3c124b3
            • Opcode Fuzzy Hash: 9090f8d3c1a809943e93cd1309883bdf7c1269ea82cbe95ea8e1dc61a758ab0e
            • Instruction Fuzzy Hash: 4DE0D8318214015B82107738FC8D4EA775C9E06375F100716F836C14E0E7B05D608599
            APIs
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00260BBB
            • timeGetTime.WINMM ref: 00260E76
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00260FB3
            • TranslateMessage.USER32(?), ref: 00260FC7
            • DispatchMessageW.USER32(?), ref: 00260FD5
            • Sleep.KERNEL32(0000000A), ref: 00260FDF
            • LockWindowUpdate.USER32(00000000,?,?), ref: 0026105A
            • DestroyWindow.USER32 ref: 00261066
            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00261080
            • Sleep.KERNEL32(0000000A,?,?), ref: 002952AD
            • TranslateMessage.USER32(?), ref: 0029608A
            • DispatchMessageW.USER32(?), ref: 00296098
            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002960AC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr1$pr1$pr1$pr1
            • API String ID: 4003667617-2604743637
            • Opcode ID: 4d297c5d821cd347cb51c2e54cfb12b2fcdab28ddaa881589efdbdd77f32e8ae
            • Instruction ID: 935d315aa07d61bd3547b939eb9122b98344e8fb46e36bd75d9843e9d063f73b
            • Opcode Fuzzy Hash: 4d297c5d821cd347cb51c2e54cfb12b2fcdab28ddaa881589efdbdd77f32e8ae
            • Instruction Fuzzy Hash: D8B2E670628752DFDB25DF24C884BAAB7E5BF84304F14491DF84A87291DB71E8A4CF86

            Control-flow Graph

            APIs
              • Part of subcall function 002B91E9: __time64.LIBCMT ref: 002B91F3
              • Part of subcall function 00255045: _fseek.LIBCMT ref: 0025505D
            • __wsplitpath.LIBCMT ref: 002B94BE
              • Part of subcall function 0027432E: __wsplitpath_helper.LIBCMT ref: 0027436E
            • _wcscpy.LIBCMT ref: 002B94D1
            • _wcscat.LIBCMT ref: 002B94E4
            • __wsplitpath.LIBCMT ref: 002B9509
            • _wcscat.LIBCMT ref: 002B951F
            • _wcscat.LIBCMT ref: 002B9532
              • Part of subcall function 002B922F: _memmove.LIBCMT ref: 002B9268
              • Part of subcall function 002B922F: _memmove.LIBCMT ref: 002B9277
            • _wcscmp.LIBCMT ref: 002B9479
              • Part of subcall function 002B99BE: _wcscmp.LIBCMT ref: 002B9AAE
              • Part of subcall function 002B99BE: _wcscmp.LIBCMT ref: 002B9AC1
            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002B96DC
            • _wcsncpy.LIBCMT ref: 002B974F
            • DeleteFileW.KERNEL32(?,?), ref: 002B9785
            • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002B979B
            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002B97AC
            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002B97BE
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
            • String ID:
            • API String ID: 1500180987-0
            • Opcode ID: 4824819accefc6b4bed8d09c0c824ed00bc762a872da2da2578633fbc8932f82
            • Instruction ID: 940ed00e7b169b03f3f052c835c5678b3c6d81b34eea819229f0f7c66e2c2fb5
            • Opcode Fuzzy Hash: 4824819accefc6b4bed8d09c0c824ed00bc762a872da2da2578633fbc8932f82
            • Instruction Fuzzy Hash: 2EC13CB1D10229AACF21DFA5CC85EDEB7BDEF49340F0040AAF609E7151DB709A948F65

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00253074
            • RegisterClassExW.USER32(00000030), ref: 0025309E
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002530AF
            • InitCommonControlsEx.COMCTL32(?), ref: 002530CC
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002530DC
            • LoadIconW.USER32(000000A9), ref: 002530F2
            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00253101
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
            • API String ID: 2914291525-1005189915
            • Opcode ID: 9c1952d4b01ae093a1c03c177b557e8cb20db96d65491d42bebb811f23671a27
            • Instruction ID: d7f3ecfaecfd0092b59fcd9773a87752e11ac1460eedf34cd9d9825116caff36
            • Opcode Fuzzy Hash: 9c1952d4b01ae093a1c03c177b557e8cb20db96d65491d42bebb811f23671a27
            • Instruction Fuzzy Hash: B53189B1C41309AFDB41CFE4E989BC9BBF4FB09310F14812AE581E62A0D3B50981CF54

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00253074
            • RegisterClassExW.USER32(00000030), ref: 0025309E
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002530AF
            • InitCommonControlsEx.COMCTL32(?), ref: 002530CC
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002530DC
            • LoadIconW.USER32(000000A9), ref: 002530F2
            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00253101
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
            • API String ID: 2914291525-1005189915
            • Opcode ID: d50465569a358886c021122ea07802f18a09a16e48bd25dc3c371bd5f4309ba5
            • Instruction ID: dac222f050766737aa6250b799455b7d60a6048df0acc2b2baf6c1d6697996d1
            • Opcode Fuzzy Hash: d50465569a358886c021122ea07802f18a09a16e48bd25dc3c371bd5f4309ba5
            • Instruction Fuzzy Hash: 9F21E4B1D11318AFDB41DFE4E949BDDBBF8FB08701F00812AF911A62A0D7B149448F95

            Control-flow Graph

            APIs
              • Part of subcall function 00254864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003162F8,?,002537C0,?), ref: 00254882
              • Part of subcall function 0027074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,002572C5), ref: 00270771
            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00257308
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0028ECF1
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0028ED32
            • RegCloseKey.ADVAPI32(?), ref: 0028ED70
            • _wcscat.LIBCMT ref: 0028EDC9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
            • API String ID: 2673923337-2727554177
            • Opcode ID: 8428ffcf6e0aa3e8fd8406c64502625e8d8d4f106cba4f06fa49132183934fd9
            • Instruction ID: 6ab0edd962c1e5511cb6b0a8bdf6a588051f50a2192883422a11ef07764c1bb8
            • Opcode Fuzzy Hash: 8428ffcf6e0aa3e8fd8406c64502625e8d8d4f106cba4f06fa49132183934fd9
            • Instruction Fuzzy Hash: AE717D714693019EC715EF25EC8189BB7FCFF59350F48882EF845832A0EB70996ACB56

            Control-flow Graph

            APIs
            • DefWindowProcW.USER32(?,?,?,?), ref: 002536D2
            • KillTimer.USER32(?,00000001), ref: 002536FC
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0025371F
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0025372A
            • CreatePopupMenu.USER32 ref: 0025373E
            • PostQuitMessage.USER32(00000000), ref: 0025375F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
            • String ID: TaskbarCreated$%.
            • API String ID: 129472671-2498375929
            • Opcode ID: fefc568bb5431d7ab8d37169257e36e9d83d6e6079fe556d9b7df0fbf875d1ea
            • Instruction ID: 0d85753fe65724d0a7ef51e061e21cdc42400f9457d9725beb24ed8cfd12eb7b
            • Opcode Fuzzy Hash: fefc568bb5431d7ab8d37169257e36e9d83d6e6079fe556d9b7df0fbf875d1ea
            • Instruction Fuzzy Hash: E2414BB5630106BBDB15EF64EC0ABF9775CE708382F141529FD02822E1CAB09E79976D

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00253A62
            • LoadCursorW.USER32(00000000,00007F00), ref: 00253A71
            • LoadIconW.USER32(00000063), ref: 00253A88
            • LoadIconW.USER32(000000A4), ref: 00253A9A
            • LoadIconW.USER32(000000A2), ref: 00253AAC
            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00253AD2
            • RegisterClassExW.USER32(?), ref: 00253B28
              • Part of subcall function 00253041: GetSysColorBrush.USER32(0000000F), ref: 00253074
              • Part of subcall function 00253041: RegisterClassExW.USER32(00000030), ref: 0025309E
              • Part of subcall function 00253041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002530AF
              • Part of subcall function 00253041: InitCommonControlsEx.COMCTL32(?), ref: 002530CC
              • Part of subcall function 00253041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002530DC
              • Part of subcall function 00253041: LoadIconW.USER32(000000A9), ref: 002530F2
              • Part of subcall function 00253041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00253101
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
            • String ID: #$0$AutoIt v3
            • API String ID: 423443420-4155596026
            • Opcode ID: 3a073bb1da58b4502b25ece85f88088302f194128ea41b26506cc37a8ac10a98
            • Instruction ID: 94e49130ca5f140aa5a2f4a8ec10ffb972f0ecca5391e70dcdfa6ef8ff5c9160
            • Opcode Fuzzy Hash: 3a073bb1da58b4502b25ece85f88088302f194128ea41b26506cc37a8ac10a98
            • Instruction Fuzzy Hash: D7213C70D11304AFEB129FA4ED0ABDD7BB8FB0C711F00852AE504A62A0D7B65A55CF48

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b1
            • API String ID: 1825951767-457443653
            • Opcode ID: 9591a284a41ddd9d65b78eb3eba2e36fdb5475f8b63ddc28ab689bfd8d64d478
            • Instruction ID: 7b90a382f91946eeedfe8509c1b53edc9b3e2a3c56916d0e55268b8070e987e4
            • Opcode Fuzzy Hash: 9591a284a41ddd9d65b78eb3eba2e36fdb5475f8b63ddc28ab689bfd8d64d478
            • Instruction Fuzzy Hash: 8EA14F718202299ACF05EFA0CC969EEB7B8BF14341F44442AF816B7191DB749A6DCF64

            Control-flow Graph

            APIs
              • Part of subcall function 002703A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002703D3
              • Part of subcall function 002703A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 002703DB
              • Part of subcall function 002703A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002703E6
              • Part of subcall function 002703A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002703F1
              • Part of subcall function 002703A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 002703F9
              • Part of subcall function 002703A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00270401
              • Part of subcall function 00266259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0025FA90), ref: 002662B4
            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0025FB2D
            • OleInitialize.OLE32(00000000), ref: 0025FBAA
            • CloseHandle.KERNEL32(00000000), ref: 002949F2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
            • String ID: <g1$\d1$%.$c1
            • API String ID: 1986988660-374475462
            • Opcode ID: b083b7291b89e4ae871f2a7181be7221c6c6b876dcb9040f824f60476f515999
            • Instruction ID: 29a12e363d892856d151c276b68e5bcc190450c346fdb71fc6779f7fbf378674
            • Opcode Fuzzy Hash: b083b7291b89e4ae871f2a7181be7221c6c6b876dcb9040f824f60476f515999
            • Instruction Fuzzy Hash: 7981DAB49112408ED38ADFEAED576D4BAEDEB8C308B11C57E9419C72B2EB314458CF18

            Control-flow Graph

            APIs
            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 039626B1
            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 039628D7
            Memory Dump Source
            • Source File: 00000000.00000002.1652104101.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3960000_Attendance list.jbxd
            Similarity
            • API ID: CreateFileFreeVirtual
            • String ID:
            • API String ID: 204039940-0
            • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
            • Instruction ID: 719a891209b8d3c4c8a2652e96dccbd19c2d46a30c9f7a9cf176924a5e23412d
            • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
            • Instruction Fuzzy Hash: 38A12A74E01209EBDB14CFA4C894BEEB7B9FF48304F248999E541BB280D775AA41CF94

            Control-flow Graph

            APIs
            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00253A15
            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00253A36
            • ShowWindow.USER32(00000000,?,?), ref: 00253A4A
            • ShowWindow.USER32(00000000,?,?), ref: 00253A53
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Window$CreateShow
            • String ID: AutoIt v3$edit
            • API String ID: 1584632944-3779509399
            • Opcode ID: 3086a95e3d7eb3443014238f9a57721dc3cd512bda94aa3e639f7ef0b342c342
            • Instruction ID: 2ca2c35b60160f10e0239c92bb38c580f42cf635441c1d964e0d4937d9baf1b6
            • Opcode Fuzzy Hash: 3086a95e3d7eb3443014238f9a57721dc3cd512bda94aa3e639f7ef0b342c342
            • Instruction Fuzzy Hash: 66F03A70A012907EEA3217636C0EEA72E7DD7CAF50F01842AB900A2270C2B50C12CAB4

            Control-flow Graph

            APIs
              • Part of subcall function 039622A0: Sleep.KERNELBASE(000001F4), ref: 039622B1
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 039624CB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1652104101.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3960000_Attendance list.jbxd
            Similarity
            • API ID: CreateFileSleep
            • String ID: 3ZQXA6OJB7KDC9WEKF2
            • API String ID: 2694422964-1262096003
            • Opcode ID: beb02d66af6a32757d277410fe79211a67d08cfc7b8a7c38dd82ec641aab9745
            • Instruction ID: d8a7e4606519d2f13d89efc0df21afa026e816c0e07e56ce476d70a4ed5f08d3
            • Opcode Fuzzy Hash: beb02d66af6a32757d277410fe79211a67d08cfc7b8a7c38dd82ec641aab9745
            • Instruction Fuzzy Hash: 3C51C130D05299EBEF21DBE4C814BEEBB78AF44300F044599E249BB2C0D7B90B48CB65

            Control-flow Graph

            APIs
            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0028D5EC
              • Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66
            • _memset.LIBCMT ref: 0025418D
            • _wcscpy.LIBCMT ref: 002541E1
            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002541F1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
            • String ID: Line:
            • API String ID: 3942752672-1585850449
            • Opcode ID: cbd6d336c76b739663b9f1ffeeacd60089e0e5efe8a04648d582ccc198345187
            • Instruction ID: 3485344f3e8c5d4c842059b86e3eda08f329e1e290712de001b5ad660748bb30
            • Opcode Fuzzy Hash: cbd6d336c76b739663b9f1ffeeacd60089e0e5efe8a04648d582ccc198345187
            • Instruction Fuzzy Hash: 1C31F7310283045AD322FB60EC46FDB73ECAF44305F10891AF98992091DB74A6ADCB9B
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
            • String ID:
            • API String ID: 1559183368-0
            • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
            • Instruction ID: 4704e9535c69d164ad692ba2fd26497108561b0a70f618968e37d657cfbdd0a3
            • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
            • Instruction Fuzzy Hash: AA518634A20B26DBDB289E69888566EF7A5AF40320F64C729E82D961D0D7F09D718F40
            APIs
              • Part of subcall function 00254F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,003162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00254F6F
            • _free.LIBCMT ref: 0028E68C
            • _free.LIBCMT ref: 0028E6D3
              • Part of subcall function 00256BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00256D0D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _free$CurrentDirectoryLibraryLoad
            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
            • API String ID: 2861923089-1757145024
            • Opcode ID: e6c814a266b62aa98441b00ad0374c922946c091a8900c56f7ddbbb74f2cb9b3
            • Instruction ID: bb84983cd8a140514129f1faee31215403d846042dbf6e55898627e37262b4aa
            • Opcode Fuzzy Hash: e6c814a266b62aa98441b00ad0374c922946c091a8900c56f7ddbbb74f2cb9b3
            • Instruction Fuzzy Hash: BE917F75930229DFCF04EFA4C8919EDB7B8BF15314F14442AF815AB291EB749928CF54
            APIs
            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,002535A1,SwapMouseButtons,00000004,?), ref: 002535D4
            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,002535A1,SwapMouseButtons,00000004,?,?,?,?,00252754), ref: 002535F5
            • RegCloseKey.KERNELBASE(00000000,?,?,002535A1,SwapMouseButtons,00000004,?,?,?,?,00252754), ref: 00253617
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID: Control Panel\Mouse
            • API String ID: 3677997916-824357125
            • Opcode ID: 20d02c0009e48378c3b0d77738316feddcfc5f0ae7e8a3b24f1677bb022afdd0
            • Instruction ID: 31cec260d37ed567aef6a01631f15da5a0f4ab2ab1e5251848f3776cd14cb6f2
            • Opcode Fuzzy Hash: 20d02c0009e48378c3b0d77738316feddcfc5f0ae7e8a3b24f1677bb022afdd0
            • Instruction Fuzzy Hash: 45115A71921209BFDB20CF64EC44EAEB7BCEF04781F00946AF805D7210D2719F649768
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 03961A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03961AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03961B13
            Memory Dump Source
            • Source File: 00000000.00000002.1652104101.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3960000_Attendance list.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
            • Instruction ID: 5fe9e54f045f664e1d0346ce9919bf39b31262b63adf11ed3b5b390b2397d043
            • Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
            • Instruction Fuzzy Hash: F0621C30A15258DBEB24CFA4C850BDEB376EF58300F1095A9D10DEB3A4E7799E81CB59
            APIs
              • Part of subcall function 00255045: _fseek.LIBCMT ref: 0025505D
              • Part of subcall function 002B99BE: _wcscmp.LIBCMT ref: 002B9AAE
              • Part of subcall function 002B99BE: _wcscmp.LIBCMT ref: 002B9AC1
            • _free.LIBCMT ref: 002B992C
            • _free.LIBCMT ref: 002B9933
            • _free.LIBCMT ref: 002B999E
              • Part of subcall function 00272F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00279C64), ref: 00272FA9
              • Part of subcall function 00272F95: GetLastError.KERNEL32(00000000,?,00279C64), ref: 00272FBB
            • _free.LIBCMT ref: 002B99A6
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
            • String ID:
            • API String ID: 1552873950-0
            • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
            • Instruction ID: 7f9c199c9fabec108272d0d144bffbae187047e09721a23e44783598c8c381a3
            • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
            • Instruction Fuzzy Hash: 785160B1914628AFDF249F64CC41ADEBBB9EF48300F0044AEF649A7281DB715E94CF59
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
            • String ID:
            • API String ID: 2782032738-0
            • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
            • Instruction ID: c3529ee5dc4b76c270797b771abd925f1b8f3b9e99b7afd20f97e188737a4428
            • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
            • Instruction Fuzzy Hash: E341E531660607DBDF28AE69C89196F77A9EF80360B24C16DE95D87640D770DD608B44
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _memmove
            • String ID: AU3!P/.$EA06
            • API String ID: 4104443479-1743673582
            • Opcode ID: 96ee2576c9b6f645c8f135b5ce8e136fdfe68581f9532f896b31e25ea8a34497
            • Instruction ID: 3225dcc73824a5825242bc4dd689dcce7774b731994d0af299c918d33d106296
            • Opcode Fuzzy Hash: 96ee2576c9b6f645c8f135b5ce8e136fdfe68581f9532f896b31e25ea8a34497
            • Instruction Fuzzy Hash: F5418E32A341646BCF117F6488637BEFFA1AB0530AF584065EC429A182C5719DEC87E5
            APIs
            • _memset.LIBCMT ref: 0028EE62
            • GetOpenFileNameW.COMDLG32(?), ref: 0028EEAC
              • Part of subcall function 002548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002548A1,?,?,002537C0,?), ref: 002548CE
              • Part of subcall function 002709D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002709F4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Name$Path$FileFullLongOpen_memset
            • String ID: X
            • API String ID: 3777226403-3081909835
            • Opcode ID: b8652a5bac7ba2cef65ea20dfa06d96e950352f6ae77d478926593983e976f6f
            • Instruction ID: ea413ef448030ab2ac5047d53e29b908c1de578a3c56b4248c9e8759c24fe9b1
            • Opcode Fuzzy Hash: b8652a5bac7ba2cef65ea20dfa06d96e950352f6ae77d478926593983e976f6f
            • Instruction Fuzzy Hash: 2221C6709212589BCF01DF94D8457EE7BFC9F49315F00801AE808E7281DBB4599D8F95
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: __fread_nolock_memmove
            • String ID: EA06
            • API String ID: 1988441806-3962188686
            • Opcode ID: 3a72650d7ab04f31b265e0e1c1f2698c280570da539c86c5cd9a6c61a54c4cf8
            • Instruction ID: 44966f5a93b31538df0699578cc9ddabb7623e2e317fd5ffe4f44404974a1189
            • Opcode Fuzzy Hash: 3a72650d7ab04f31b265e0e1c1f2698c280570da539c86c5cd9a6c61a54c4cf8
            • Instruction Fuzzy Hash: 6201F971814218AFDB28CAA8C856FEEBBF89B01301F00859EF556D2181E5B5A6148B60
            APIs
            • GetTempPathW.KERNEL32(00000104,?), ref: 002B9B82
            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 002B9B99
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Temp$FileNamePath
            • String ID: aut
            • API String ID: 3285503233-3010740371
            • Opcode ID: 091cce91700174d8981bc1202437de790333ae22e9a5ad3d427901987d5abfc7
            • Instruction ID: c5d6fe9f5f05749694257cc4b9086db73a3c5ac0788ac112ccf7112026ce0059
            • Opcode Fuzzy Hash: 091cce91700174d8981bc1202437de790333ae22e9a5ad3d427901987d5abfc7
            • Instruction Fuzzy Hash: C5D05E7994130DABDB509B90EC0EFEA772CE704700F0042A2BE55911A1DEB059988B95
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8d3d74bf4a41de24a59667f5b64fa21e10c87acd0f41d5bb4fa2ae9c5240276d
            • Instruction ID: 0d4af923a3515e87eeb9cfea6117e9a4bf226a15288ca19844aadc81567d05e7
            • Opcode Fuzzy Hash: 8d3d74bf4a41de24a59667f5b64fa21e10c87acd0f41d5bb4fa2ae9c5240276d
            • Instruction Fuzzy Hash: CCF13A719183019FCB14DF28C484A6ABBE5FF88314F14892EF89A9B352D771E955CF82
            APIs
            • _memset.LIBCMT ref: 00254401
            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 002544A6
            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 002544C3
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: IconNotifyShell_$_memset
            • String ID:
            • API String ID: 1505330794-0
            • Opcode ID: a061067e175f1cc662be32f2c53b814c63eeddedec7828d799810d9b33d56b68
            • Instruction ID: 55ffd512fb0ce0cc9af1824d641d252de2efaae2bd2254ab0169686dd62554c3
            • Opcode Fuzzy Hash: a061067e175f1cc662be32f2c53b814c63eeddedec7828d799810d9b33d56b68
            • Instruction Fuzzy Hash: FE3193705157018FD721EF64E88579BFBF8FB48309F00492EF99A83241D7B16998CB56
            APIs
            • __FF_MSGBANNER.LIBCMT ref: 00275963
              • Part of subcall function 0027A3AB: __NMSG_WRITE.LIBCMT ref: 0027A3D2
              • Part of subcall function 0027A3AB: __NMSG_WRITE.LIBCMT ref: 0027A3DC
            • __NMSG_WRITE.LIBCMT ref: 0027596A
              • Part of subcall function 0027A408: GetModuleFileNameW.KERNEL32(00000000,003143BA,00000104,?,00000001,00000000), ref: 0027A49A
              • Part of subcall function 0027A408: ___crtMessageBoxW.LIBCMT ref: 0027A548
              • Part of subcall function 002732DF: ___crtCorExitProcess.LIBCMT ref: 002732E5
              • Part of subcall function 002732DF: ExitProcess.KERNEL32 ref: 002732EE
              • Part of subcall function 00278D68: __getptd_noexit.LIBCMT ref: 00278D68
            • RtlAllocateHeap.NTDLL(01000000,00000000,00000001,00000000,?,?,?,00271013,?), ref: 0027598F
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
            • String ID:
            • API String ID: 1372826849-0
            • Opcode ID: 6f00322d93364478a58aff3bb43c4007d0d3a468c45e8a7ccbbee956246edb3f
            • Instruction ID: 2a1d62d6b2ced265589ab8a772da79f80e47f2e2da2a0d7afd30a02a07098f9a
            • Opcode Fuzzy Hash: 6f00322d93364478a58aff3bb43c4007d0d3a468c45e8a7ccbbee956246edb3f
            • Instruction Fuzzy Hash: 7701D231371B26DEE6216B35EC42A6EB2888F41770F10C02AF60D9B1C1DEF09D218AA4
            APIs
            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,002B97D2,?,?,?,?,?,00000004), ref: 002B9B45
            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,002B97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 002B9B5B
            • CloseHandle.KERNEL32(00000000,?,002B97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002B9B62
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: File$CloseCreateHandleTime
            • String ID:
            • API String ID: 3397143404-0
            • Opcode ID: 2790719ba6c59ba4e18e7ea8d3e19e69d6b7c76a02bdce0bf6f96d517e6fc632
            • Instruction ID: 340137ee2cd930f586de80fb6b105c700cadfbad85ab2cc7fa83cbbd274254ff
            • Opcode Fuzzy Hash: 2790719ba6c59ba4e18e7ea8d3e19e69d6b7c76a02bdce0bf6f96d517e6fc632
            • Instruction Fuzzy Hash: 07E08632581224B7D7611F54FC0DFCA7B18AB05765F114121FB15690E087B16A21979C
            APIs
            • _free.LIBCMT ref: 002B8FA5
              • Part of subcall function 00272F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00279C64), ref: 00272FA9
              • Part of subcall function 00272F95: GetLastError.KERNEL32(00000000,?,00279C64), ref: 00272FBB
            • _free.LIBCMT ref: 002B8FB6
            • _free.LIBCMT ref: 002B8FC8
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
            • Instruction ID: d6891382f5af99b8b7aea906dec61b20f56fcce9ee5a2fc98b8bdedf88e0bb5b
            • Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
            • Instruction Fuzzy Hash: 4CE012A16297028ACA24A978AD40AE357FE5F48390758081DF55DEB942DE34E865C924
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID: CALL
            • API String ID: 0-4196123274
            • Opcode ID: a96c3e7ef824998e1b886b4ae53126050c8649d43731a0ca3ba7c3b50a15db41
            • Instruction ID: eb12c4fbca46d4f18f7c8e61f9400226579fee1cfab0a2a8e24647ef2d60b0d7
            • Opcode Fuzzy Hash: a96c3e7ef824998e1b886b4ae53126050c8649d43731a0ca3ba7c3b50a15db41
            • Instruction Fuzzy Hash: D9224970528201CFCB25DF14C495B6ABBF1BF48305F14895DE88A8B362D771EDA9CB86
            APIs
            • IsThemeActive.UXTHEME ref: 00254992
              • Part of subcall function 002735AC: __lock.LIBCMT ref: 002735B2
              • Part of subcall function 002735AC: DecodePointer.KERNEL32(00000001,?,002549A7,002A81BC), ref: 002735BE
              • Part of subcall function 002735AC: EncodePointer.KERNEL32(?,?,002549A7,002A81BC), ref: 002735C9
              • Part of subcall function 00254A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00254A73
              • Part of subcall function 00254A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00254A88
              • Part of subcall function 00253B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00253B7A
              • Part of subcall function 00253B4C: IsDebuggerPresent.KERNEL32 ref: 00253B8C
              • Part of subcall function 00253B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,003162F8,003162E0,?,?), ref: 00253BFD
              • Part of subcall function 00253B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00253C81
            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002549D2
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
            • String ID:
            • API String ID: 1438897964-0
            • Opcode ID: c5015905dd28e5d1733b1883e0e02573de0d627e8c3e5ee7cd070a7e87cb3d0e
            • Instruction ID: a420caf86db6d19fa99fa7e71e8ce09c2b464c81833378186b91ad9fcc82ffe5
            • Opcode Fuzzy Hash: c5015905dd28e5d1733b1883e0e02573de0d627e8c3e5ee7cd070a7e87cb3d0e
            • Instruction Fuzzy Hash: E41190719243119BC701EF69EC0694AFFF8EB99710F00891EF44583271DB709969CF9A
            APIs
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00255981,?,?,?,?), ref: 00255E27
            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00255981,?,?,?,?), ref: 0028E19C
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: 8699348c5a8800b503fb7d95d0650126aca2a54c18f613d1c0be61d49fd44573
            • Instruction ID: f25f0a3e8eaf381c0f7c56db7d6ff3caf4c4b7ce6985c3b29939bd26592d3530
            • Opcode Fuzzy Hash: 8699348c5a8800b503fb7d95d0650126aca2a54c18f613d1c0be61d49fd44573
            • Instruction Fuzzy Hash: 2301F570260319BEF7240E24CC8BF623B9CEB01769F108319BEE95A1E0C6B05E598B18
            APIs
              • Part of subcall function 0027594C: __FF_MSGBANNER.LIBCMT ref: 00275963
              • Part of subcall function 0027594C: __NMSG_WRITE.LIBCMT ref: 0027596A
              • Part of subcall function 0027594C: RtlAllocateHeap.NTDLL(01000000,00000000,00000001,00000000,?,?,?,00271013,?), ref: 0027598F
            • std::exception::exception.LIBCMT ref: 0027102C
            • __CxxThrowException@8.LIBCMT ref: 00271041
              • Part of subcall function 002787DB: RaiseException.KERNEL32(?,?,?,0030BAF8,00000000,?,?,?,?,00271046,?,0030BAF8,?,00000001), ref: 00278830
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
            • String ID:
            • API String ID: 3902256705-0
            • Opcode ID: 40817dd6fc2d9f9fb1c96200231bffceee029053407b4c60fd4e178bda9f8cdc
            • Instruction ID: 52bb930d66b9873c829b0e242bc378a4121481168888fc17782b18302bc0763a
            • Opcode Fuzzy Hash: 40817dd6fc2d9f9fb1c96200231bffceee029053407b4c60fd4e178bda9f8cdc
            • Instruction Fuzzy Hash: 19F02D3456025DE6CB20BE59DC059DFB7AC9F00350F508015FD0DA5581EFF08AB496E0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: __lock_file_memset
            • String ID:
            • API String ID: 26237723-0
            • Opcode ID: fe6717009c5a1397361f3c4b7a1d81c6c2815dedd98e4baa7af39a486693c794
            • Instruction ID: c524f8a35d43c2369b64021d9618551105b082ca9770fbb9edd537b28eb0873f
            • Opcode Fuzzy Hash: fe6717009c5a1397361f3c4b7a1d81c6c2815dedd98e4baa7af39a486693c794
            • Instruction Fuzzy Hash: DE01AC71C50616EBCF12AFA58C0599FBB61BF40360F14C215F81C5B1A1DB718671DF92
            APIs
              • Part of subcall function 00278D68: __getptd_noexit.LIBCMT ref: 00278D68
            • __lock_file.LIBCMT ref: 0027561B
              • Part of subcall function 00276E4E: __lock.LIBCMT ref: 00276E71
            • __fclose_nolock.LIBCMT ref: 00275626
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
            • String ID:
            • API String ID: 2800547568-0
            • Opcode ID: ae8fa6a6307733f08eeafc73725d9b03d190923cb4f6d30ad62c4f1676914f4f
            • Instruction ID: 4ed15289dfd12e7c4254b930dd7113c1e13fcda5506205ccd505ba02e17c81e7
            • Opcode Fuzzy Hash: ae8fa6a6307733f08eeafc73725d9b03d190923cb4f6d30ad62c4f1676914f4f
            • Instruction Fuzzy Hash: 13F0F031920A259AD720AF34880AB6EB6A46F01334F54C209E41CAB0C1CFFC8A218F51
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 03961A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03961AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03961B13
            Memory Dump Source
            • Source File: 00000000.00000002.1652104101.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3960000_Attendance list.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
            • Instruction ID: e6d3a7b8fad23d9431d5f34146d3802767ef14b6c2c9304d2369b6d4980d6eb1
            • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
            • Instruction Fuzzy Hash: B812DD24E24658C6EB24DF64D8507DEB232EF68340F1094E9910DEB7A4E77A4F81CF5A
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fde91d0ccc852fca08faefac1c7bb7d768e604a2a6493fb497412820c85c51cc
            • Instruction ID: 172233f57c4428f9a2f972a7ef1426efdbc66dd72ac0b2c958fa15f13dcae86a
            • Opcode Fuzzy Hash: fde91d0ccc852fca08faefac1c7bb7d768e604a2a6493fb497412820c85c51cc
            • Instruction Fuzzy Hash: 15519035620614EFCF14EF54C9A5E6D77E5AF45310F1480A8F90AAB392CB30ED68CB55
            APIs
            • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00255CF6
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: FilePointer
            • String ID:
            • API String ID: 973152223-0
            • Opcode ID: e815150de78a2f38bcd817dc83cc05d9ba122d62579d390d1a37f5c67057f9f6
            • Instruction ID: 132a26c2e276d78f0772ca3cf1d8c1b91f80a24e48680f0d8e04bef7653e34f5
            • Opcode Fuzzy Hash: e815150de78a2f38bcd817dc83cc05d9ba122d62579d390d1a37f5c67057f9f6
            • Instruction Fuzzy Hash: 06317C31A20B2AABCB08DF69C49465DB7B1FF48312F14862AEC1993710D770AD64CB94
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ClearVariant
            • String ID:
            • API String ID: 1473721057-0
            • Opcode ID: 87a9e634221024ea84750492796837a6da429ac5bd2235b50ea9a90437a45bb3
            • Instruction ID: 8d4117bbdd20794febf6d7babd98c769ed9ec305b25c6bd3b807c3850691d26e
            • Opcode Fuzzy Hash: 87a9e634221024ea84750492796837a6da429ac5bd2235b50ea9a90437a45bb3
            • Instruction Fuzzy Hash: 8E411574528351CFDB25DF14C485B1ABBE0BF45319F1989ACE8894B362C332E8A9CF56
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _memmove
            • String ID:
            • API String ID: 4104443479-0
            • Opcode ID: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
            • Instruction ID: 0b2734b5001ed1721e417a0db9e3c0ead5ae6a5efec357b2c642998a12665ff8
            • Opcode Fuzzy Hash: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
            • Instruction Fuzzy Hash: 7211D631269205AFD714DF28D481C7EB7A9EF45324724851AFD19DB290DB32EC298BD4
            APIs
              • Part of subcall function 00254D13: FreeLibrary.KERNEL32(00000000,?), ref: 00254D4D
              • Part of subcall function 0027548B: __wfsopen.LIBCMT ref: 00275496
            • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,003162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00254F6F
              • Part of subcall function 00254CC8: FreeLibrary.KERNEL32(00000000), ref: 00254D02
              • Part of subcall function 00254DD0: _memmove.LIBCMT ref: 00254E1A
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Library$Free$Load__wfsopen_memmove
            • String ID:
            • API String ID: 1396898556-0
            • Opcode ID: a7d976f9c95e0aa3b529a4f8e0d0a3823e6af3538592913065f077eec0a89118
            • Instruction ID: f5fd3fc2a7cef319f582616119344fb997a7dc89616db25905bb7ee782f47124
            • Opcode Fuzzy Hash: a7d976f9c95e0aa3b529a4f8e0d0a3823e6af3538592913065f077eec0a89118
            • Instruction Fuzzy Hash: F5112732620205ABCB14FF74CC12BAEB3A49F44706F10842AFD42A61D1DA719E689F64
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ClearVariant
            • String ID:
            • API String ID: 1473721057-0
            • Opcode ID: 472faebafb05665f4bc7d7b36e7ab421b88ab7455ef40c28404d624be15ed872
            • Instruction ID: 4bf0e12d3bc36d265582c368a840bdeff6dbf1061b5aaaae084f5a535922cc43
            • Opcode Fuzzy Hash: 472faebafb05665f4bc7d7b36e7ab421b88ab7455ef40c28404d624be15ed872
            • Instruction Fuzzy Hash: B8212474528351CFCB14DF54C486B1ABBE0BF88304F048968E98A57721D731E869CF56
            APIs
            • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00255807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00255D76
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: FileRead
            • String ID:
            • API String ID: 2738559852-0
            • Opcode ID: 0af660f69d76c12c96fff4cd3e35ae3f2b7d66ef12747578b67db858bc7cc6fd
            • Instruction ID: dfb5e0270dc56fcf21f4998ba161db11c39252b11b0a0bae4ae3764f22dc3f80
            • Opcode Fuzzy Hash: 0af660f69d76c12c96fff4cd3e35ae3f2b7d66ef12747578b67db858bc7cc6fd
            • Instruction Fuzzy Hash: C4116A32211B019FD3308F05C498B62B7F8EF44711F10C92EE8AA86A50D7B1E958CF64
            APIs
            • __lock_file.LIBCMT ref: 00274AD6
              • Part of subcall function 00278D68: __getptd_noexit.LIBCMT ref: 00278D68
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: __getptd_noexit__lock_file
            • String ID:
            • API String ID: 2597487223-0
            • Opcode ID: c9b417848030b7895b60a0d5ecee00162042aae1709192936d87344d20272af4
            • Instruction ID: d4c1556753a152f7ef34410491540ebeb8c0017998c2f72b2151c572eaa6ee25
            • Opcode Fuzzy Hash: c9b417848030b7895b60a0d5ecee00162042aae1709192936d87344d20272af4
            • Instruction Fuzzy Hash: 3EF0AF319A120AEBDF61BF748C0A79E76A1AF00329F04C514F42CAA1D1CB788A70DF51
            APIs
            • FreeLibrary.KERNEL32(?,?,003162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00254FDE
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: FreeLibrary
            • String ID:
            • API String ID: 3664257935-0
            • Opcode ID: 0b031d228b42d6d142b7b1f6d4681b7d43ad6a0926cbc779d14c0739d734c4a4
            • Instruction ID: 8d7642c9dbf47118efe5425cb8bd27d9acd2ed4db940083dd8e787b608685dda
            • Opcode Fuzzy Hash: 0b031d228b42d6d142b7b1f6d4681b7d43ad6a0926cbc779d14c0739d734c4a4
            • Instruction Fuzzy Hash: 59F03071525712CFC734AF68E494812FBE1BF0432A3208A3EE9DB82A10C77198A8DF54
            APIs
            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002709F4
              • Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: LongNamePath_memmove
            • String ID:
            • API String ID: 2514874351-0
            • Opcode ID: 4212307c855c711274544f1c640ff0ce68f55e3d6ce0cbdecfd644fc267a6b12
            • Instruction ID: cf6218e692e8685c8db2e22311af2965bb6ab4d6be07ff37f21b8a4fedb75c17
            • Opcode Fuzzy Hash: 4212307c855c711274544f1c640ff0ce68f55e3d6ce0cbdecfd644fc267a6b12
            • Instruction Fuzzy Hash: 63E0CD36D4522C57C720E658AC09FFA77EDDF88791F0401B6FC0CD7248E9709C918A94
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: __fread_nolock
            • String ID:
            • API String ID: 2638373210-0
            • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
            • Instruction ID: 230ffc75b2b22f34aa48cfa0f9f69f2394e5e73203f0d63bf8cc60681fb22294
            • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
            • Instruction Fuzzy Hash: 46E092B0124B019FDB348E28D8107E373E0AB06315F00081DF29A83342EB6378919B59
            APIs
            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0028E16B,?,?,00000000), ref: 00255DBF
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: FilePointer
            • String ID:
            • API String ID: 973152223-0
            • Opcode ID: cb545517628dab97f44014f65b13ede567ff628e21ff309c4222e5c26ba1001e
            • Instruction ID: f238e8d0115b5e0a5f40148145118efdaca9b7819e8e9e401a35d7385e8fde70
            • Opcode Fuzzy Hash: cb545517628dab97f44014f65b13ede567ff628e21ff309c4222e5c26ba1001e
            • Instruction Fuzzy Hash: 84D0C77564020CBFE710DB80DC46FA9777CD705710F100195FD0456290D6B27D508795
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: __wfsopen
            • String ID:
            • API String ID: 197181222-0
            • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
            • Instruction ID: d636dcaa9a2545f698226f4ea514482b92241b73bb873e05ddaa0239f5330103
            • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
            • Instruction Fuzzy Hash: AAB0927684020C77DE012E92EC02A597B199B40678F808020FB0C18162A6B3A6B0AA89
            APIs
            • GetLastError.KERNEL32(00000002,00000000), ref: 002BD46A
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ErrorLast
            • String ID:
            • API String ID: 1452528299-0
            • Opcode ID: 7f53c93129b94ba67af92e3e83002962104cc635ddc698900074c367f937213e
            • Instruction ID: bb56458de19ac1817830de69baacf6864abe597afb33f4f7fdb0067dd2da48d6
            • Opcode Fuzzy Hash: 7f53c93129b94ba67af92e3e83002962104cc635ddc698900074c367f937213e
            • Instruction Fuzzy Hash: DA717334624302CFC714EF24D491AAAB7E4AF88355F04496DF8968B3A2DB30ED59CF56
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction ID: d3c8d695638a2084ab5fb2a1900bf36ef1d10a35266949a773dba4e5a9489507
            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction Fuzzy Hash: 1831C170A20106DBC718DE58C4C0969F7A6FB59300B64CAA5E409CB651DB71EDE5CB80
            APIs
            • Sleep.KERNELBASE(000001F4), ref: 039622B1
            Memory Dump Source
            • Source File: 00000000.00000002.1652104101.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3960000_Attendance list.jbxd
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction ID: 71ba045d96cefe08a01161bea0d426da72cbe89cab1dc6df8c6eb339d1db0629
            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction Fuzzy Hash: BBE0E67494110EDFDB00EFB8D54969E7FB4EF04701F1005A1FD01D2280D6309D508A72
            APIs
              • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 002DCE50
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002DCE91
            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 002DCED6
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002DCF00
            • SendMessageW.USER32 ref: 002DCF29
            • _wcsncpy.LIBCMT ref: 002DCFA1
            • GetKeyState.USER32(00000011), ref: 002DCFC2
            • GetKeyState.USER32(00000009), ref: 002DCFCF
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002DCFE5
            • GetKeyState.USER32(00000010), ref: 002DCFEF
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002DD018
            • SendMessageW.USER32 ref: 002DD03F
            • SendMessageW.USER32(?,00001030,?,002DB602), ref: 002DD145
            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 002DD15B
            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002DD16E
            • SetCapture.USER32(?), ref: 002DD177
            • ClientToScreen.USER32(?,?), ref: 002DD1DC
            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002DD1E9
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002DD203
            • ReleaseCapture.USER32 ref: 002DD20E
            • GetCursorPos.USER32(?), ref: 002DD248
            • ScreenToClient.USER32(?,?), ref: 002DD255
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 002DD2B1
            • SendMessageW.USER32 ref: 002DD2DF
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 002DD31C
            • SendMessageW.USER32 ref: 002DD34B
            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002DD36C
            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 002DD37B
            • GetCursorPos.USER32(?), ref: 002DD39B
            • ScreenToClient.USER32(?,?), ref: 002DD3A8
            • GetParent.USER32(?), ref: 002DD3C8
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 002DD431
            • SendMessageW.USER32 ref: 002DD462
            • ClientToScreen.USER32(?,?), ref: 002DD4C0
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002DD4F0
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 002DD51A
            • SendMessageW.USER32 ref: 002DD53D
            • ClientToScreen.USER32(?,?), ref: 002DD58F
            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 002DD5C3
              • Part of subcall function 002525DB: GetWindowLongW.USER32(?,000000EB), ref: 002525EC
            • GetWindowLongW.USER32(?,000000F0), ref: 002DD65F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
            • String ID: @GUI_DRAGID$F$pr1
            • API String ID: 3977979337-427288994
            • Opcode ID: 3477d4a997cf3e6777fe32c372013c553cbfc53d4a6d99a46edca39559be4923
            • Instruction ID: beaa1aa17ff84220dc7027b98c3c973cc80c844886a7cb2656439e218a70e918
            • Opcode Fuzzy Hash: 3477d4a997cf3e6777fe32c372013c553cbfc53d4a6d99a46edca39559be4923
            • Instruction Fuzzy Hash: 41429C70519242AFC725CF68D848AAABBE9FF48314F24451EF656873A0C731DC64CF92
            APIs
            • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 002D873F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: %d/%02d/%02d
            • API String ID: 3850602802-328681919
            • Opcode ID: 8ed5c7ca96340c23669ce7966ac05e7a248dfb1249e014ccf9ab95a8eea1a448
            • Instruction ID: 27842e00674c81df5bedef5f07398a1829a1e732fb19cf61bafaa6837d89fb3b
            • Opcode Fuzzy Hash: 8ed5c7ca96340c23669ce7966ac05e7a248dfb1249e014ccf9ab95a8eea1a448
            • Instruction Fuzzy Hash: 0112F371921245ABEB258F28DC49FAE7BB8EF45310F20416AF916DA2E0DF709D51CF50
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _memmove$_memset
            • String ID: 0w0$DEFINE$Oa&$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
            • API String ID: 1357608183-2339167416
            • Opcode ID: f6de47ed5f63ea0f80736e1613be1a8379b8e53b4830d6abd9681b5fc01c79b2
            • Instruction ID: 678c59247b9a6dcb74713e14679f284645f3b76d0cfe30091bfeb04009b1cd93
            • Opcode Fuzzy Hash: f6de47ed5f63ea0f80736e1613be1a8379b8e53b4830d6abd9681b5fc01c79b2
            • Instruction Fuzzy Hash: D793A371E20216DFDB24CF58D8817ADB7B1FF49714F24816AE945EB280EBB09E91CB50
            APIs
            • GetForegroundWindow.USER32(00000000,?), ref: 00254A3D
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0028DA8E
            • IsIconic.USER32(?), ref: 0028DA97
            • ShowWindow.USER32(?,00000009), ref: 0028DAA4
            • SetForegroundWindow.USER32(?), ref: 0028DAAE
            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0028DAC4
            • GetCurrentThreadId.KERNEL32 ref: 0028DACB
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0028DAD7
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0028DAE8
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0028DAF0
            • AttachThreadInput.USER32(00000000,?,00000001), ref: 0028DAF8
            • SetForegroundWindow.USER32(?), ref: 0028DAFB
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0028DB10
            • keybd_event.USER32(00000012,00000000), ref: 0028DB1B
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0028DB25
            • keybd_event.USER32(00000012,00000000), ref: 0028DB2A
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0028DB33
            • keybd_event.USER32(00000012,00000000), ref: 0028DB38
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0028DB42
            • keybd_event.USER32(00000012,00000000), ref: 0028DB47
            • SetForegroundWindow.USER32(?), ref: 0028DB4A
            • AttachThreadInput.USER32(?,?,00000000), ref: 0028DB71
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
            • String ID: Shell_TrayWnd
            • API String ID: 4125248594-2988720461
            • Opcode ID: 42c6e06d8947184dec322d2979118277cd74e1ee19ab594bd5ece65ad2a6085a
            • Instruction ID: efdce47a8ccc10a3d85cd626a3e61f78afea90d12d712b030a20628a551b6408
            • Opcode Fuzzy Hash: 42c6e06d8947184dec322d2979118277cd74e1ee19ab594bd5ece65ad2a6085a
            • Instruction Fuzzy Hash: 0631B375E91318BBEB206F61AD49F7E3F6CEB44B50F104066FA01E61D1C6B05D10ABA4
            APIs
              • Part of subcall function 002A8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002A8D0D
              • Part of subcall function 002A8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002A8D3A
              • Part of subcall function 002A8CC3: GetLastError.KERNEL32 ref: 002A8D47
            • _memset.LIBCMT ref: 002A889B
            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002A88ED
            • CloseHandle.KERNEL32(?), ref: 002A88FE
            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002A8915
            • GetProcessWindowStation.USER32 ref: 002A892E
            • SetProcessWindowStation.USER32(00000000), ref: 002A8938
            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 002A8952
              • Part of subcall function 002A8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002A8851), ref: 002A8728
              • Part of subcall function 002A8713: CloseHandle.KERNEL32(?,?,002A8851), ref: 002A873A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
            • String ID: $default$winsta0
            • API String ID: 2063423040-1027155976
            • Opcode ID: 1d06943c894ec4230e4c0eebe675e64ec52e26a9af0ca192edb87aba58f2de22
            • Instruction ID: 957b460e0304ba4633f58817e4cd6c5ab7cc4181d2c3da3b18a8745010653227
            • Opcode Fuzzy Hash: 1d06943c894ec4230e4c0eebe675e64ec52e26a9af0ca192edb87aba58f2de22
            • Instruction Fuzzy Hash: F5815E71D1120AAFDF11DFA4DD49AEEBB78EF05304F08416AF915A6161DF318E24DB60
            APIs
            • OpenClipboard.USER32(002DF910), ref: 002C4284
            • IsClipboardFormatAvailable.USER32(0000000D), ref: 002C4292
            • GetClipboardData.USER32(0000000D), ref: 002C429A
            • CloseClipboard.USER32 ref: 002C42A6
            • GlobalLock.KERNEL32(00000000), ref: 002C42C2
            • CloseClipboard.USER32 ref: 002C42CC
            • GlobalUnlock.KERNEL32(00000000,00000000), ref: 002C42E1
            • IsClipboardFormatAvailable.USER32(00000001), ref: 002C42EE
            • GetClipboardData.USER32(00000001), ref: 002C42F6
            • GlobalLock.KERNEL32(00000000), ref: 002C4303
            • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 002C4337
            • CloseClipboard.USER32 ref: 002C4447
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
            • String ID:
            • API String ID: 3222323430-0
            • Opcode ID: e800cabbba4ec79d97f37797c1de310d8380f6fbdbf3839f8339863211828ae4
            • Instruction ID: 2d809eb0ae6d67a148baff834220b1f9b66b559880a20d9c36cd44bf2ef82927
            • Opcode Fuzzy Hash: e800cabbba4ec79d97f37797c1de310d8380f6fbdbf3839f8339863211828ae4
            • Instruction Fuzzy Hash: DA519031614302ABD311FF60ED9AF6F77A8AF84B01F10462EF956D21A1DB70DD148B6A
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 002BC9F8
            • FindClose.KERNEL32(00000000), ref: 002BCA4C
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002BCA71
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002BCA88
            • FileTimeToSystemTime.KERNEL32(?,?), ref: 002BCAAF
            • __swprintf.LIBCMT ref: 002BCAFB
            • __swprintf.LIBCMT ref: 002BCB3E
              • Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82
            • __swprintf.LIBCMT ref: 002BCB92
              • Part of subcall function 002738D8: __woutput_l.LIBCMT ref: 00273931
            • __swprintf.LIBCMT ref: 002BCBE0
              • Part of subcall function 002738D8: __flsbuf.LIBCMT ref: 00273953
              • Part of subcall function 002738D8: __flsbuf.LIBCMT ref: 0027396B
            • __swprintf.LIBCMT ref: 002BCC2F
            • __swprintf.LIBCMT ref: 002BCC7E
            • __swprintf.LIBCMT ref: 002BCCCD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
            • API String ID: 3953360268-2428617273
            • Opcode ID: 43f9d29545a258d012557fa70f54a415ef127e8c8c185d08c43e4c93b4586099
            • Instruction ID: 55c0c1c0d98a23030d6c16b583fe3dc095a039adafc9f00083866654603afc37
            • Opcode Fuzzy Hash: 43f9d29545a258d012557fa70f54a415ef127e8c8c185d08c43e4c93b4586099
            • Instruction Fuzzy Hash: DBA13EB1428305ABC700EF64D995DAFB7ECFF98701F404929B986C3191EB34DA58CB66
            APIs
            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 002BF221
            • _wcscmp.LIBCMT ref: 002BF236
            • _wcscmp.LIBCMT ref: 002BF24D
            • GetFileAttributesW.KERNEL32(?), ref: 002BF25F
            • SetFileAttributesW.KERNEL32(?,?), ref: 002BF279
            • FindNextFileW.KERNEL32(00000000,?), ref: 002BF291
            • FindClose.KERNEL32(00000000), ref: 002BF29C
            • FindFirstFileW.KERNEL32(*.*,?), ref: 002BF2B8
            • _wcscmp.LIBCMT ref: 002BF2DF
            • _wcscmp.LIBCMT ref: 002BF2F6
            • SetCurrentDirectoryW.KERNEL32(?), ref: 002BF308
            • SetCurrentDirectoryW.KERNEL32(0030A5A0), ref: 002BF326
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 002BF330
            • FindClose.KERNEL32(00000000), ref: 002BF33D
            • FindClose.KERNEL32(00000000), ref: 002BF34F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
            • String ID: *.*
            • API String ID: 1803514871-438819550
            • Opcode ID: aa4233322d4255a521576d8198fd9459d9cef51ec3f142355394e3582323fc4c
            • Instruction ID: 4b1aeb34790adddb45aa909c11cd234c34f9daf1a32c91e17f242503dcd6e202
            • Opcode Fuzzy Hash: aa4233322d4255a521576d8198fd9459d9cef51ec3f142355394e3582323fc4c
            • Instruction Fuzzy Hash: F631263691124A6ADB90DFB4ED5DAEEB3ECAF093A0F1441B6E845D3090EB30DE50CA54
            APIs
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D0BDE
            • RegCreateKeyExW.ADVAPI32(?,?,00000000,002DF910,00000000,?,00000000,?,?), ref: 002D0C4C
            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 002D0C94
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 002D0D1D
            • RegCloseKey.ADVAPI32(?), ref: 002D103D
            • RegCloseKey.ADVAPI32(00000000), ref: 002D104A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Close$ConnectCreateRegistryValue
            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
            • API String ID: 536824911-966354055
            • Opcode ID: 71f960699c0923c44cabb6cbb84fe86f4705e5dd7fe3aefb8d0d29c81d726ccc
            • Instruction ID: 6e51b271afec77b3ad22a13f73b5e692834062a7d7eafb51f50fd5e88210ccc7
            • Opcode Fuzzy Hash: 71f960699c0923c44cabb6cbb84fe86f4705e5dd7fe3aefb8d0d29c81d726ccc
            • Instruction Fuzzy Hash: F5025B752246119FCB14EF24C895A2AB7E5EF88714F04885DF88A9B762CB30ED64CF85
            APIs
            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 002BF37E
            • _wcscmp.LIBCMT ref: 002BF393
            • _wcscmp.LIBCMT ref: 002BF3AA
              • Part of subcall function 002B45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002B45DC
            • FindNextFileW.KERNEL32(00000000,?), ref: 002BF3D9
            • FindClose.KERNEL32(00000000), ref: 002BF3E4
            • FindFirstFileW.KERNEL32(*.*,?), ref: 002BF400
            • _wcscmp.LIBCMT ref: 002BF427
            • _wcscmp.LIBCMT ref: 002BF43E
            • SetCurrentDirectoryW.KERNEL32(?), ref: 002BF450
            • SetCurrentDirectoryW.KERNEL32(0030A5A0), ref: 002BF46E
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 002BF478
            • FindClose.KERNEL32(00000000), ref: 002BF485
            • FindClose.KERNEL32(00000000), ref: 002BF497
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
            • String ID: *.*
            • API String ID: 1824444939-438819550
            • Opcode ID: c94724e791c7e0e76ecb456b601d85c7f369da101e5532c851c5713fe82ac303
            • Instruction ID: 0f2ca40455aa648fce58ded33f6cb99bb3d22c27b39314132c4c16295b22958c
            • Opcode Fuzzy Hash: c94724e791c7e0e76ecb456b601d85c7f369da101e5532c851c5713fe82ac303
            • Instruction Fuzzy Hash: 6F31183251125A6FCB50DF64ED88AEE77BC9F093A0F1042B6E944E30E0E770DE64CA64
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa&$PJ/$UCP)$UTF)$UTF16)$rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
            • API String ID: 0-3443878948
            • Opcode ID: 178b538b4af80d8a7ae5f0323b94486dd8e25e0c4010c17c5e4448771c6efc76
            • Instruction ID: 3a2208e93db283506052b7c83ca2057e00c2e82c063cebbbf8f875043f35c5f8
            • Opcode Fuzzy Hash: 178b538b4af80d8a7ae5f0323b94486dd8e25e0c4010c17c5e4448771c6efc76
            • Instruction Fuzzy Hash: 17728275E2021ADBDF14CF58C8847AEB7B5FF49720F14816AE845EB280DB709DA1CB90
            APIs
              • Part of subcall function 002A874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002A8766
              • Part of subcall function 002A874A: GetLastError.KERNEL32(?,002A822A,?,?,?), ref: 002A8770
              • Part of subcall function 002A874A: GetProcessHeap.KERNEL32(00000008,?,?,002A822A,?,?,?), ref: 002A877F
              • Part of subcall function 002A874A: HeapAlloc.KERNEL32(00000000,?,002A822A,?,?,?), ref: 002A8786
              • Part of subcall function 002A874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002A879D
              • Part of subcall function 002A87E7: GetProcessHeap.KERNEL32(00000008,002A8240,00000000,00000000,?,002A8240,?), ref: 002A87F3
              • Part of subcall function 002A87E7: HeapAlloc.KERNEL32(00000000,?,002A8240,?), ref: 002A87FA
              • Part of subcall function 002A87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,002A8240,?), ref: 002A880B
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002A825B
            • _memset.LIBCMT ref: 002A8270
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002A828F
            • GetLengthSid.ADVAPI32(?), ref: 002A82A0
            • GetAce.ADVAPI32(?,00000000,?), ref: 002A82DD
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002A82F9
            • GetLengthSid.ADVAPI32(?), ref: 002A8316
            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 002A8325
            • HeapAlloc.KERNEL32(00000000), ref: 002A832C
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 002A834D
            • CopySid.ADVAPI32(00000000), ref: 002A8354
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002A8385
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002A83AB
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 002A83BF
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
            • String ID:
            • API String ID: 3996160137-0
            • Opcode ID: f181dbe1741f478031f879d9bc1bfa52ebf475ac1f2599b2c94e0f32bcd82bfa
            • Instruction ID: aedbd344ee4976cdec722c63469109ce5960afdb5f5552b4f9962f2f923d3d63
            • Opcode Fuzzy Hash: f181dbe1741f478031f879d9bc1bfa52ebf475ac1f2599b2c94e0f32bcd82bfa
            • Instruction Fuzzy Hash: 48615B7191020AEBDF00DFA5DD48AAEBBB9FF05700F14816AE916A7291DF319A15CF60
            APIs
              • Part of subcall function 002D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002D0038,?,?), ref: 002D10BC
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D0737
              • Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
              • Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C
            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002D07D6
            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002D086E
            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 002D0AAD
            • RegCloseKey.ADVAPI32(00000000), ref: 002D0ABA
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
            • String ID:
            • API String ID: 1240663315-0
            • Opcode ID: c7e792b9b3b3319dff4c26299f3bf8a2727156d518a53b80249b32cd745763f0
            • Instruction ID: 39ab3dae8a8754e50ab850d2f31afd28ea954eb0c242366079fc99f78a49f32e
            • Opcode Fuzzy Hash: c7e792b9b3b3319dff4c26299f3bf8a2727156d518a53b80249b32cd745763f0
            • Instruction Fuzzy Hash: 85E15B31614211AFCB14DF24D994E6ABBE4EF89714F04846EF84ADB3A2DA30ED54CF51
            APIs
            • GetKeyboardState.USER32(?), ref: 002B0241
            • GetAsyncKeyState.USER32(000000A0), ref: 002B02C2
            • GetKeyState.USER32(000000A0), ref: 002B02DD
            • GetAsyncKeyState.USER32(000000A1), ref: 002B02F7
            • GetKeyState.USER32(000000A1), ref: 002B030C
            • GetAsyncKeyState.USER32(00000011), ref: 002B0324
            • GetKeyState.USER32(00000011), ref: 002B0336
            • GetAsyncKeyState.USER32(00000012), ref: 002B034E
            • GetKeyState.USER32(00000012), ref: 002B0360
            • GetAsyncKeyState.USER32(0000005B), ref: 002B0378
            • GetKeyState.USER32(0000005B), ref: 002B038A
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: State$Async$Keyboard
            • String ID:
            • API String ID: 541375521-0
            • Opcode ID: 4457c185a992f815fea27225879726b37316c9ff487bf2578cd8c445998ed2e2
            • Instruction ID: 70931a6f86f7e7a16b1cbc158f5eced5ac47850b7ac75238b3fe1ba312fb41ca
            • Opcode Fuzzy Hash: 4457c185a992f815fea27225879726b37316c9ff487bf2578cd8c445998ed2e2
            • Instruction Fuzzy Hash: 7141A7249247CB6EFF724E64948C3EBBAE0AF11380F4840DED9C6461C2DB945DE88792
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID: ERCP$Oa&$VUUU$VUUU$VUUU$VUUU$rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
            • API String ID: 0-859897010
            • Opcode ID: 0a6b1026b563255bb039267ba81325e0b8844dc100b57de8a080c46307a648da
            • Instruction ID: a6af00a88ca4fa2e8e191c076716a21b64bd88ab8b46a1a0b3f5200e0e215245
            • Opcode Fuzzy Hash: 0a6b1026b563255bb039267ba81325e0b8844dc100b57de8a080c46307a648da
            • Instruction Fuzzy Hash: D9A2A170E2421ACBDF24DF58C9907ADB7B1BF55314F2481AAD89AA7280D7709EE1CF50
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
            • String ID:
            • API String ID: 1737998785-0
            • Opcode ID: 7fdffa0053181a9f095d40e2ffa37452f9e74580f7470284350f9c7d444d04f6
            • Instruction ID: 620f1e16de52f0b9948515d54b925d4aec52ae62d2d29c2d23562bcd37cd47cb
            • Opcode Fuzzy Hash: 7fdffa0053181a9f095d40e2ffa37452f9e74580f7470284350f9c7d444d04f6
            • Instruction Fuzzy Hash: 6421D1356112119FDB10AF60ED1DF6A7BA8EF14311F14802AF807DB2A1DB70ED10CB98
            APIs
              • Part of subcall function 002548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002548A1,?,?,002537C0,?), ref: 002548CE
              • Part of subcall function 002B4CD3: GetFileAttributesW.KERNEL32(?,002B3947), ref: 002B4CD4
            • FindFirstFileW.KERNEL32(?,?), ref: 002B3ADF
            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 002B3B87
            • MoveFileW.KERNEL32(?,?), ref: 002B3B9A
            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 002B3BB7
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 002B3BD9
            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 002B3BF5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
            • String ID: \*.*
            • API String ID: 4002782344-1173974218
            • Opcode ID: 145d77200c814ec72e6e32c4d006ab361a757f20e41c7ec40cc42f9f5533b5b0
            • Instruction ID: 56a76ab3e3f181f7dfeeba7175184d9ae8a635ee036ad2a3e611140080b7495e
            • Opcode Fuzzy Hash: 145d77200c814ec72e6e32c4d006ab361a757f20e41c7ec40cc42f9f5533b5b0
            • Instruction Fuzzy Hash: 045190318112499ACF05EBA0DE929EDB7B8AF14345F6441AAE84277191EF306F1DCFA4
            APIs
              • Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82
            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 002BF6AB
            • Sleep.KERNEL32(0000000A), ref: 002BF6DB
            • _wcscmp.LIBCMT ref: 002BF6EF
            • _wcscmp.LIBCMT ref: 002BF70A
            • FindNextFileW.KERNEL32(?,?), ref: 002BF7A8
            • FindClose.KERNEL32(00000000), ref: 002BF7BE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
            • String ID: *.*
            • API String ID: 713712311-438819550
            • Opcode ID: 8b6aebff715b2eb691b1608ef3660d53bff2b9f975a079a2627c8a5bffc1a73b
            • Instruction ID: 9324b9f50b11caf68e2196039f51018248822a2068e6c9ca43b379212e9d3a5b
            • Opcode Fuzzy Hash: 8b6aebff715b2eb691b1608ef3660d53bff2b9f975a079a2627c8a5bffc1a73b
            • Instruction Fuzzy Hash: 7E41A27182020AAFCF51DF64CD49AEEBBB4FF05350F1445A6EC15A2191EB309E64DF90
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _memmove
            • String ID:
            • API String ID: 4104443479-0
            • Opcode ID: b95a5dbf669be0fd9eccd7c04214d12808f7829a2e3314afefeb23e6415262cf
            • Instruction ID: 87b04e98f939807e20733a9c6e2c25efbc918f812e01c3d43a7118a69486230f
            • Opcode Fuzzy Hash: b95a5dbf669be0fd9eccd7c04214d12808f7829a2e3314afefeb23e6415262cf
            • Instruction Fuzzy Hash: F212AB70A20A1ADFDF14CFA4D981AAEB3F5FF48300F108529E806E7251EB35AD65CB54
            APIs
              • Part of subcall function 00270FF6: std::exception::exception.LIBCMT ref: 0027102C
              • Part of subcall function 00270FF6: __CxxThrowException@8.LIBCMT ref: 00271041
            • _memmove.LIBCMT ref: 002A062F
            • _memmove.LIBCMT ref: 002A0744
            • _memmove.LIBCMT ref: 002A07EB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _memmove$Exception@8Throwstd::exception::exception
            • String ID: yZ&
            • API String ID: 1300846289-909687534
            • Opcode ID: 95d4b2d324896af53b6526992fdb2d1d1b0e938b9efde7edd926c4f7bf46aac1
            • Instruction ID: 3ae362635fa00d53e5fb327dc0c9290e23a7e74d6286c7059ab33c04b20401e8
            • Opcode Fuzzy Hash: 95d4b2d324896af53b6526992fdb2d1d1b0e938b9efde7edd926c4f7bf46aac1
            • Instruction Fuzzy Hash: C002AF70E20205DBDF04DF68D992AAEBBB5FF45300F148069E80ADB255EB31DA64CF95
            APIs
              • Part of subcall function 002A8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002A8D0D
              • Part of subcall function 002A8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002A8D3A
              • Part of subcall function 002A8CC3: GetLastError.KERNEL32 ref: 002A8D47
            • ExitWindowsEx.USER32(?,00000000), ref: 002B549B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
            • String ID: $@$SeShutdownPrivilege
            • API String ID: 2234035333-194228
            • Opcode ID: 44d4d9f2bf2d140a1ec731f19ebdc5060a197b9a1efcbdadf1113bad64f883c8
            • Instruction ID: 4e720cc20419788b450fd2ac6aba69785c2766f3ed836688c8778fbe7cd3fad8
            • Opcode Fuzzy Hash: 44d4d9f2bf2d140a1ec731f19ebdc5060a197b9a1efcbdadf1113bad64f883c8
            • Instruction Fuzzy Hash: 5201FC31675B366BE7686E74EC4ABF67378EB053D3F240521FD07DA0D2DA901CA045A4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: __itow__swprintf
            • String ID: Oa&
            • API String ID: 674341424-711773428
            • Opcode ID: e4de16db341f2ea7ee4c9d9f166ab99e2b15e1663dea6cb362681d1bd3af5224
            • Instruction ID: 81a5ef6757ee7ac7a5ba04c46a42c2ec4b2a472f9c4cf0bb8015aee40378609e
            • Opcode Fuzzy Hash: e4de16db341f2ea7ee4c9d9f166ab99e2b15e1663dea6cb362681d1bd3af5224
            • Instruction Fuzzy Hash: 12228E715283019FCB24DF24C891B6FB7E4AF84704F14491DF89A97291DB71EAA8CB92
            APIs
            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002C65EF
            • WSAGetLastError.WSOCK32(00000000), ref: 002C65FE
            • bind.WSOCK32(00000000,?,00000010), ref: 002C661A
            • listen.WSOCK32(00000000,00000005), ref: 002C6629
            • WSAGetLastError.WSOCK32(00000000), ref: 002C6643
            • closesocket.WSOCK32(00000000,00000000), ref: 002C6657
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ErrorLast$bindclosesocketlistensocket
            • String ID:
            • API String ID: 1279440585-0
            • Opcode ID: 0e02717c8522e0d9becb22ac998a6599a744cc6695cd065cb95889b7e1bc6fb6
            • Instruction ID: befc8705444eaa8326af9a6f13499fb30ed44a88d458f3314892ac186ab8929f
            • Opcode Fuzzy Hash: 0e02717c8522e0d9becb22ac998a6599a744cc6695cd065cb95889b7e1bc6fb6
            • Instruction Fuzzy Hash: 3C21CC306102009FDB00EF24D989F6EB7A9EF48321F24826AE917E72D1CB70AD549B55
            APIs
              • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
            • DefDlgProcW.USER32(?,?,?,?,?), ref: 002519FA
            • GetSysColor.USER32(0000000F), ref: 00251A4E
            • SetBkColor.GDI32(?,00000000), ref: 00251A61
              • Part of subcall function 00251290: DefDlgProcW.USER32(?,00000020,?), ref: 002512D8
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ColorProc$LongWindow
            • String ID:
            • API String ID: 3744519093-0
            • Opcode ID: e4040d4aceded65145035e6a1d7868bbd266680aa1a6a08777f6072ad86450f7
            • Instruction ID: 4b1717136a1fe58b8d7b55d13ff0da56a2fed27701cc78dedf407a37a393267c
            • Opcode Fuzzy Hash: e4040d4aceded65145035e6a1d7868bbd266680aa1a6a08777f6072ad86450f7
            • Instruction Fuzzy Hash: 63A14678136486BAD62BAE285C49FBF255CDB4A347F24011EFC02D21D2CA708D39D779
            APIs
              • Part of subcall function 002C80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002C80CB
            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 002C6AB1
            • WSAGetLastError.WSOCK32(00000000), ref: 002C6ADA
            • bind.WSOCK32(00000000,?,00000010), ref: 002C6B13
            • WSAGetLastError.WSOCK32(00000000), ref: 002C6B20
            • closesocket.WSOCK32(00000000,00000000), ref: 002C6B34
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ErrorLast$bindclosesocketinet_addrsocket
            • String ID:
            • API String ID: 99427753-0
            • Opcode ID: 6136b7c235d8da57260a3054bb5adba3465df25d8191b47a2c5e76396ba167b9
            • Instruction ID: 53e5103d00d63732b9b0d1a859babb4c3c1d0c9916040b6e0d20f62047404833
            • Opcode Fuzzy Hash: 6136b7c235d8da57260a3054bb5adba3465df25d8191b47a2c5e76396ba167b9
            • Instruction Fuzzy Hash: 1D41E275B20210AFEB10AF24DC8AF6E77A9DB08710F04815DFD0AAB3C2CB709D148B95
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Window$EnabledForegroundIconicVisibleZoomed
            • String ID:
            • API String ID: 292994002-0
            • Opcode ID: 8f8aa5ac4167e4edb78b298bcfa97e0d454674da1155e3a439f92a8ebde29913
            • Instruction ID: 89eb66d73c87f21f6c8448b886b220f69428f59177621d034adf28a4be839c72
            • Opcode Fuzzy Hash: 8f8aa5ac4167e4edb78b298bcfa97e0d454674da1155e3a439f92a8ebde29913
            • Instruction Fuzzy Hash: 9A11B2317219216FE7211F26EC48A2FBB9CEF84721B84402AE806D7341CBB0DD118EE8
            APIs
            • CoInitialize.OLE32(00000000), ref: 002BC69D
            • CoCreateInstance.OLE32(002E2D6C,00000000,00000001,002E2BDC,?), ref: 002BC6B5
              • Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82
            • CoUninitialize.OLE32 ref: 002BC922
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CreateInitializeInstanceUninitialize_memmove
            • String ID: .lnk
            • API String ID: 2683427295-24824748
            • Opcode ID: 55b5963476aebd75ab5ca1ffe0222d2fee0624073a95c2638f4ffab76bc8c749
            • Instruction ID: 96bb24a9fd45d7a31c8ba4cb78cc32ef1a554b254eea02f0544ec98d981bdfad
            • Opcode Fuzzy Hash: 55b5963476aebd75ab5ca1ffe0222d2fee0624073a95c2638f4ffab76bc8c749
            • Instruction Fuzzy Hash: 98A16D71124201AFD700EF64C891EABB7ECFF85305F00496CF556972A2DB70EA59CB66
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00291D88,?), ref: 002CC312
            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 002CC324
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetSystemWow64DirectoryW$kernel32.dll
            • API String ID: 2574300362-1816364905
            • Opcode ID: 9c8ec002cf79e20ce273acd2cfab2a414adbccf507fbd6bb2e365b45235ff6ba
            • Instruction ID: 5becace87a8b302bb3d9da442f353ba1a7a0b85310334625b67bbbb6cea2d93c
            • Opcode Fuzzy Hash: 9c8ec002cf79e20ce273acd2cfab2a414adbccf507fbd6bb2e365b45235ff6ba
            • Instruction Fuzzy Hash: 92E08C74621343CFCB214F29E808F86B6D4EB0C305B9084BEE89EC3250E770D8A1CB60
            APIs
            • CreateToolhelp32Snapshot.KERNEL32 ref: 002CF151
            • Process32FirstW.KERNEL32(00000000,?), ref: 002CF15F
              • Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82
            • Process32NextW.KERNEL32(00000000,?), ref: 002CF21F
            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 002CF22E
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
            • String ID:
            • API String ID: 2576544623-0
            • Opcode ID: 33acb54429455ca89bf9d12c8be3aa78ef04ca4b21f8e53e8740cea3c0db8dec
            • Instruction ID: a32075b5cbd996382d55cae5d516c0418e94105ab1eae99034c19f892fcbf302
            • Opcode Fuzzy Hash: 33acb54429455ca89bf9d12c8be3aa78ef04ca4b21f8e53e8740cea3c0db8dec
            • Instruction Fuzzy Hash: 26517C71514311AFD310EF24DC86E6BBBE8EF88710F14492DF89697291EB70E918CB96
            APIs
            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 002AEB19
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: lstrlen
            • String ID: ($|
            • API String ID: 1659193697-1631851259
            • Opcode ID: 6586a0553cea9c6e98972ec1883d03723904f4693f7c63eeb918f45b918d0cf3
            • Instruction ID: 4168d206ec4faa136d3f8c3d266ba1b6101aec62451475f17064fcbe56025554
            • Opcode Fuzzy Hash: 6586a0553cea9c6e98972ec1883d03723904f4693f7c63eeb918f45b918d0cf3
            • Instruction Fuzzy Hash: C5323675A107059FDB28CF19C481A6AB7F1FF48320B12C46EE49ACB7A1DB70E952CB50
            APIs
            • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 002C26D5
            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 002C270C
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Internet$AvailableDataFileQueryRead
            • String ID:
            • API String ID: 599397726-0
            • Opcode ID: 20a72e3c5c19d87094cc80998d2850e553640c65f90a3f3f8dc6833e27c0e730
            • Instruction ID: 41fbd8ff3cd03874d7c350b6acc231cf3f2f943a2f8efa2063271aabada2c4b4
            • Opcode Fuzzy Hash: 20a72e3c5c19d87094cc80998d2850e553640c65f90a3f3f8dc6833e27c0e730
            • Instruction Fuzzy Hash: ED41D57192020AFFEB20DE54DCC5FBBB7BCEB40714F20416EF605A6140DEB19D699A64
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 002BB5AE
            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 002BB608
            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 002BB655
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ErrorMode$DiskFreeSpace
            • String ID:
            • API String ID: 1682464887-0
            • Opcode ID: 19c1a7b51d0b76391012efcad083697498aa45e1e8630bddd173e51c9b63b975
            • Instruction ID: 0138c29dbb932f5958cdfe0e5f927efd4b52b7f6410438352d301df8c36a1b34
            • Opcode Fuzzy Hash: 19c1a7b51d0b76391012efcad083697498aa45e1e8630bddd173e51c9b63b975
            • Instruction Fuzzy Hash: C1216035A10218EFCB00EF65D884AEDBBB8FF48311F1480AAE806AB351DB319D55CF55
            APIs
              • Part of subcall function 00270FF6: std::exception::exception.LIBCMT ref: 0027102C
              • Part of subcall function 00270FF6: __CxxThrowException@8.LIBCMT ref: 00271041
            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002A8D0D
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002A8D3A
            • GetLastError.KERNEL32 ref: 002A8D47
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
            • String ID:
            • API String ID: 1922334811-0
            • Opcode ID: 3e194bca4bf5100f2bfcfd284e7350c42a50523dc8c8d5ab4548275e7104baac
            • Instruction ID: f03e1760b5b32a40e9239ed7bf2629a7bbfafa8331e8424a05182f6a3f625ed0
            • Opcode Fuzzy Hash: 3e194bca4bf5100f2bfcfd284e7350c42a50523dc8c8d5ab4548275e7104baac
            • Instruction Fuzzy Hash: AD11BFB1824209AFD7289F64EC89D6BB7FCEB05710B20852EF44683241EF30BC508A20
            APIs
            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002B404B
            • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 002B4088
            • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002B4091
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CloseControlCreateDeviceFileHandle
            • String ID:
            • API String ID: 33631002-0
            • Opcode ID: aee1c5781db0ceda884f179739652d481d21862397ea58f46c3463f50002e3ac
            • Instruction ID: c113cfeb434d9c34d2dfb3a8403773e47d20a0d737859e7ee11386dab7f98b7b
            • Opcode Fuzzy Hash: aee1c5781db0ceda884f179739652d481d21862397ea58f46c3463f50002e3ac
            • Instruction Fuzzy Hash: E71182B1D15229BEE710ABECDC48FEFBBBCEB08750F004656BA15E7191C2B45E1487A1
            APIs
            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 002B4C2C
            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002B4C43
            • FreeSid.ADVAPI32(?), ref: 002B4C53
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: AllocateCheckFreeInitializeMembershipToken
            • String ID:
            • API String ID: 3429775523-0
            • Opcode ID: 57614fe386a768636e77bda44c71c57c7af39e1575a08513ff256cd561da8781
            • Instruction ID: 77a37d7d2fc4501f5ed0c1d594b92e286ec7bf5b51b225a1099fa047be120c0a
            • Opcode Fuzzy Hash: 57614fe386a768636e77bda44c71c57c7af39e1575a08513ff256cd561da8781
            • Instruction Fuzzy Hash: 28F04F75D1130DBFDF04DFF0DD89AADBBBCEF08201F404469A502E3282D6705A048B54
            APIs
            • __time64.LIBCMT ref: 002B8B25
              • Part of subcall function 0027543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,002B91F8,00000000,?,?,?,?,002B93A9,00000000,?), ref: 00275443
              • Part of subcall function 0027543A: __aulldiv.LIBCMT ref: 00275463
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Time$FileSystem__aulldiv__time64
            • String ID: 0u1
            • API String ID: 2893107130-3636244747
            • Opcode ID: 09ee00bd989a8d60c430b362df88f56ad75fb9bc06798cf9fc729d7796f3a279
            • Instruction ID: 8a0f46a8e2a30b542c9056c47bd2b5caf9f7df6c9580f96fda1ef69bd1d8e922
            • Opcode Fuzzy Hash: 09ee00bd989a8d60c430b362df88f56ad75fb9bc06798cf9fc729d7796f3a279
            • Instruction Fuzzy Hash: 5521B472635511CBC72ACF35D441A92B3E5EBA9311F28CE6CD0E9CB2D0CA74B945CB94
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 461abf27490add402840fafd9f4e6852f13d97a86a20e2b1f25adab49b41f4f7
            • Instruction ID: 1c3597b3583141b6372fee88b4c3b668d6974e60f1fe6353c4a7b4e84bcfcd8f
            • Opcode Fuzzy Hash: 461abf27490add402840fafd9f4e6852f13d97a86a20e2b1f25adab49b41f4f7
            • Instruction Fuzzy Hash: 47228D70920216DFDF28DF54C480ABEB7B0FF04301F158469EC5A9B341E774AAA9CB95
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 002BC966
            • FindClose.KERNEL32(00000000), ref: 002BC996
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Find$CloseFileFirst
            • String ID:
            • API String ID: 2295610775-0
            • Opcode ID: d9bbb25b84bc8dcb73082a5a08137e8227aa7e966d8705a089a0c233ab7a46e5
            • Instruction ID: 261c9bfbba173d6f940a82b2cc2852b761a62b333094162b8f97ab124f588e8a
            • Opcode Fuzzy Hash: d9bbb25b84bc8dcb73082a5a08137e8227aa7e966d8705a089a0c233ab7a46e5
            • Instruction Fuzzy Hash: 5D11A5316106009FDB10DF29D84992AF7E5FF44321F14851EF8A6D7291DB70AC14CF95
            APIs
            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,002C977D,?,002DFB84,?), ref: 002BA302
            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,002C977D,?,002DFB84,?), ref: 002BA314
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ErrorFormatLastMessage
            • String ID:
            • API String ID: 3479602957-0
            • Opcode ID: 383af283d2f79255cac917a40bd9fc376f342946ee3bcdd5fcc29a99dbb382a4
            • Instruction ID: 6ca1355efcfb76d1fbd31e9176594fe539c7e4c20fb89d15c338cfd02d7ba0dd
            • Opcode Fuzzy Hash: 383af283d2f79255cac917a40bd9fc376f342946ee3bcdd5fcc29a99dbb382a4
            • Instruction Fuzzy Hash: 3DF0E23596522DABDB20AFA4DC49FEA736DBF08361F0041A6B809D2180D6309910CBA1
            APIs
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002A8851), ref: 002A8728
            • CloseHandle.KERNEL32(?,?,002A8851), ref: 002A873A
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: AdjustCloseHandlePrivilegesToken
            • String ID:
            • API String ID: 81990902-0
            • Opcode ID: feffaf198117f492f5d386c770adad6e49891d7b29f16eb2047c296efe443799
            • Instruction ID: d4f243b0d556138bd2d7a80c5964de89074c8a1cebdfc81eada4f251c62bc245
            • Opcode Fuzzy Hash: feffaf198117f492f5d386c770adad6e49891d7b29f16eb2047c296efe443799
            • Instruction Fuzzy Hash: 42E04636020610EFE7612B24FD08D73BBE9EF00350724C82AF89A80430CB32ACA0DB10
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00278F97,?,?,?,00000001), ref: 0027A39A
            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0027A3A3
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 632a21d1779542346ac6fef68a0c88734ba6e5b3ac3630f622a34311d953dc12
            • Instruction ID: 9ff05b1e8d1e85512cb73e41824b74a20cfe9277360aed6246e3edda3dc73465
            • Opcode Fuzzy Hash: 632a21d1779542346ac6fef68a0c88734ba6e5b3ac3630f622a34311d953dc12
            • Instruction Fuzzy Hash: 99B09231455248ABCAC02B95FD0DB883F68EB44AA2F4180A2FE0E84060CB6258508A99
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fa5986d9bdd44b58e5de6d31e182df707e97d2fa45c508003d4ba0cf8e1f78dc
            • Instruction ID: 8b9741144a4ee15cb32387397f151b3c1e97675f98d607cfff726cc24794ac56
            • Opcode Fuzzy Hash: fa5986d9bdd44b58e5de6d31e182df707e97d2fa45c508003d4ba0cf8e1f78dc
            • Instruction Fuzzy Hash: 36320421D7DF424DD7639634E976336A248AFB73C8F15D73BE819B99A6EB3884834100
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4eb1a77e857704eb8317ded26f6d4ef54ff8e0ff63962f43b603ad1f6456298e
            • Instruction ID: e46e1b59e984e673e838245b48413fc9c48dd7b18658b27e26f4a78e91a6ec1f
            • Opcode Fuzzy Hash: 4eb1a77e857704eb8317ded26f6d4ef54ff8e0ff63962f43b603ad1f6456298e
            • Instruction Fuzzy Hash: 92B12120D6AF804DD323A6399875336B74CAFBB2C5F52D31BFC2638D62EB2190834241
            APIs
            • BlockInput.USER32(00000001), ref: 002C4218
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: BlockInput
            • String ID:
            • API String ID: 3456056419-0
            • Opcode ID: 58c47ba090b58bba86f401743c31a8a66b3040ee79834e6a88aa5c30081c97ec
            • Instruction ID: ea4199b147679b860f35d0d88244f486a31451b32f0d691012b759b447fd4860
            • Opcode Fuzzy Hash: 58c47ba090b58bba86f401743c31a8a66b3040ee79834e6a88aa5c30081c97ec
            • Instruction Fuzzy Hash: A9E012312601149FC710AF59D845E9AB7D8AF54761F00801AFC4AC7251DA70EC548BA5
            APIs
            • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 002B4F18
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: mouse_event
            • String ID:
            • API String ID: 2434400541-0
            • Opcode ID: 6699ce699c5f55045f18141fd747c74dbffe12d8b706922d507974fe0c70b329
            • Instruction ID: 59356a08c6b853ecce2ebd906a6fb933aa0a383deb0f0c00974315156e1c9bca
            • Opcode Fuzzy Hash: 6699ce699c5f55045f18141fd747c74dbffe12d8b706922d507974fe0c70b329
            • Instruction Fuzzy Hash: B0D067A457460679E8186F20AC9FBF61209A3507D1F9459897202969C398E5B8A0A435
            APIs
            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,002A88D1), ref: 002A8CB3
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: LogonUser
            • String ID:
            • API String ID: 1244722697-0
            • Opcode ID: c3154eb5025181ffd8357e6ed18d04d79eb7b2920d6f94ebe49b0d21b7ae637e
            • Instruction ID: 28aae296ab75f9c3c1be57ebc8185d81a69417abbcb9d3fd3790941d82762fc5
            • Opcode Fuzzy Hash: c3154eb5025181ffd8357e6ed18d04d79eb7b2920d6f94ebe49b0d21b7ae637e
            • Instruction Fuzzy Hash: 3DD05E3226050EABEF018EA4ED05EAE3B69EB04B01F408111FE16C61A1C775D935AB60
            APIs
            • GetUserNameW.ADVAPI32(?,?), ref: 00292242
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: NameUser
            • String ID:
            • API String ID: 2645101109-0
            • Opcode ID: fc7ec68df081b38aedcdb6b62f41dad16ca816a332ffc8ba3ebc68fb1598d111
            • Instruction ID: f1b62df488ccb414509c7019112b4e245d67a32e79453c37f9912007d708191f
            • Opcode Fuzzy Hash: fc7ec68df081b38aedcdb6b62f41dad16ca816a332ffc8ba3ebc68fb1598d111
            • Instruction Fuzzy Hash: 91C04CF1C11109DBDB05DB90DA98DEE77BCAB04305F104056A102F2140D7749B548A71
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0027A36A
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 666793bc01bc300e0e8f2d42c25d927b36fc6c44582d057f1d7725a3a860d072
            • Instruction ID: 4ef6534a693a9a4c3f29c7bfdc7719f7bacd8f4e3908aa18c591c863a901c23a
            • Opcode Fuzzy Hash: 666793bc01bc300e0e8f2d42c25d927b36fc6c44582d057f1d7725a3a860d072
            • Instruction Fuzzy Hash: 80A0123000010CA7CA401B45FC084447F5CD6001907004061FC0D40021873258104584
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5ee937e9b35a10c20e32567adff04a797a3c79fbb39d79ba7efdeefaa9359255
            • Instruction ID: fb12cbe2fc4e840bceba2c989ba3aa3f25535592d70fd93ab799374b2a44fcdb
            • Opcode Fuzzy Hash: 5ee937e9b35a10c20e32567adff04a797a3c79fbb39d79ba7efdeefaa9359255
            • Instruction Fuzzy Hash: 13221730931627CBDF2C8F14C49467EB7A1EB42304F68866BD9429B2A1DF749DE1CB60
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
            • Instruction ID: 55dc55e53faa888554acdadee8b764a410b7a8ef6b47844b31629b09a8608a54
            • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
            • Instruction Fuzzy Hash: 8BC194322261934ADB2D4E3D943503EBAE15EA27B131A875DE4BACB5C4EF30D538D620
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
            • Instruction ID: 58a4691652ad2d57ce424727ade7b0860515674208a63efb0eb5b718b54088cd
            • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
            • Instruction Fuzzy Hash: 87C1C43222619349DB2D4E3E843113EBBE15EA27B131A576DE4BADB5C4EF30D5389620
            Memory Dump Source
            • Source File: 00000000.00000002.1652104101.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3960000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
            • Instruction ID: 909b297ea054101785f80a3bc3bb04946ae2d33f3a0a81dbe85ee381c4e42ab2
            • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
            • Instruction Fuzzy Hash: 3341A2B1D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB50
            Memory Dump Source
            • Source File: 00000000.00000002.1652104101.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3960000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
            • Instruction ID: fd6d2d0fa6ddadb24f032f43103d7b669b8f6e7b9a8d5aa6ade504463f07bfed
            • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
            • Instruction Fuzzy Hash: 97018078A01209EFCB45DF98C5909AEF7B9FB88210B648599D809A7711D730AE41DB80
            Memory Dump Source
            • Source File: 00000000.00000002.1652104101.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3960000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
            • Instruction ID: a1ae488828b6ce7357c395881aa9332308bd8a8d619d776957b7690a99791b9e
            • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
            • Instruction Fuzzy Hash: F401A478A05209EFCB45DF98C5909AEF7F9FF88310F648699D809A7711E730AE41DB80
            Memory Dump Source
            • Source File: 00000000.00000002.1652104101.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3960000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
            • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
            • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
            • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
            APIs
            • DeleteObject.GDI32(00000000), ref: 002C7B70
            • DeleteObject.GDI32(00000000), ref: 002C7B82
            • DestroyWindow.USER32 ref: 002C7B90
            • GetDesktopWindow.USER32 ref: 002C7BAA
            • GetWindowRect.USER32(00000000), ref: 002C7BB1
            • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 002C7CF2
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 002C7D02
            • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7D4A
            • GetClientRect.USER32(00000000,?), ref: 002C7D56
            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 002C7D90
            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7DB2
            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7DC5
            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7DD0
            • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7DD9
            • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7DE8
            • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7DF1
            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7DF8
            • GlobalFree.KERNEL32(00000000), ref: 002C7E03
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7E15
            • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,002E2CAC,00000000), ref: 002C7E2B
            • GlobalFree.KERNEL32(00000000), ref: 002C7E3B
            • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 002C7E61
            • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 002C7E80
            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7EA2
            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C808F
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
            • String ID: $AutoIt v3$DISPLAY$static
            • API String ID: 2211948467-2373415609
            • Opcode ID: ae771f8fdbcfb4f3b3d50138cfffcff7a582b8f6565f00ebea17d5649c193b32
            • Instruction ID: b343039158586cc0040e8c8eb2da9c92997c35be90a435dc60a62e218405cefe
            • Opcode Fuzzy Hash: ae771f8fdbcfb4f3b3d50138cfffcff7a582b8f6565f00ebea17d5649c193b32
            • Instruction Fuzzy Hash: AD02AD71910109EFDB14DFA4DD89EAE7BB8EF48311F14855AF916AB2A0CB30AD11CF64
            APIs
            • CharUpperBuffW.USER32(?,?,002DF910), ref: 002D38AF
            • IsWindowVisible.USER32(?), ref: 002D38D3
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: BuffCharUpperVisibleWindow
            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
            • API String ID: 4105515805-45149045
            • Opcode ID: 2b1191a1c51aa3c4f18f9d275381834e096cda893b02400d99086bda1ce5d2a4
            • Instruction ID: a0c9f1011fc3dffaad0fb33c59fc028d6fec170f59e56be71e9c96ce9ed2f3be
            • Opcode Fuzzy Hash: 2b1191a1c51aa3c4f18f9d275381834e096cda893b02400d99086bda1ce5d2a4
            • Instruction Fuzzy Hash: B9D18134234306DBCB14EF11C491A6AB7A5EF54344F14845AB8865B3E2CB71EE6ACF92
            APIs
            • SetTextColor.GDI32(?,00000000), ref: 002DA89F
            • GetSysColorBrush.USER32(0000000F), ref: 002DA8D0
            • GetSysColor.USER32(0000000F), ref: 002DA8DC
            • SetBkColor.GDI32(?,000000FF), ref: 002DA8F6
            • SelectObject.GDI32(?,?), ref: 002DA905
            • InflateRect.USER32(?,000000FF,000000FF), ref: 002DA930
            • GetSysColor.USER32(00000010), ref: 002DA938
            • CreateSolidBrush.GDI32(00000000), ref: 002DA93F
            • FrameRect.USER32(?,?,00000000), ref: 002DA94E
            • DeleteObject.GDI32(00000000), ref: 002DA955
            • InflateRect.USER32(?,000000FE,000000FE), ref: 002DA9A0
            • FillRect.USER32(?,?,?), ref: 002DA9D2
            • GetWindowLongW.USER32(?,000000F0), ref: 002DA9FD
              • Part of subcall function 002DAB60: GetSysColor.USER32(00000012), ref: 002DAB99
              • Part of subcall function 002DAB60: SetTextColor.GDI32(?,?), ref: 002DAB9D
              • Part of subcall function 002DAB60: GetSysColorBrush.USER32(0000000F), ref: 002DABB3
              • Part of subcall function 002DAB60: GetSysColor.USER32(0000000F), ref: 002DABBE
              • Part of subcall function 002DAB60: GetSysColor.USER32(00000011), ref: 002DABDB
              • Part of subcall function 002DAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002DABE9
              • Part of subcall function 002DAB60: SelectObject.GDI32(?,00000000), ref: 002DABFA
              • Part of subcall function 002DAB60: SetBkColor.GDI32(?,00000000), ref: 002DAC03
              • Part of subcall function 002DAB60: SelectObject.GDI32(?,?), ref: 002DAC10
              • Part of subcall function 002DAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 002DAC2F
              • Part of subcall function 002DAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002DAC46
              • Part of subcall function 002DAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 002DAC5B
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
            • String ID:
            • API String ID: 4124339563-0
            • Opcode ID: 5bcdc3f3d18559c4c3ca3d1565b88b0d6b2be489926965519b2f999d3dddb409
            • Instruction ID: d2f012af22a32baa40523f3f21b0325a604e014ef359fe8196c1ede658723258
            • Opcode Fuzzy Hash: 5bcdc3f3d18559c4c3ca3d1565b88b0d6b2be489926965519b2f999d3dddb409
            • Instruction Fuzzy Hash: 83A1AF72419302AFD7509F64ED0CE5B7BA9FF88321F104A2AF966962A0D770DD44CB52
            APIs
            • DestroyWindow.USER32(?,?,?), ref: 00252CA2
            • DeleteObject.GDI32(00000000), ref: 00252CE8
            • DeleteObject.GDI32(00000000), ref: 00252CF3
            • DestroyIcon.USER32(00000000,?,?,?), ref: 00252CFE
            • DestroyWindow.USER32(00000000,?,?,?), ref: 00252D09
            • SendMessageW.USER32(?,00001308,?,00000000), ref: 0028C68B
            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0028C6C4
            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0028CAED
              • Part of subcall function 00251B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00252036,?,00000000,?,?,?,?,002516CB,00000000,?), ref: 00251B9A
            • SendMessageW.USER32(?,00001053), ref: 0028CB2A
            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0028CB41
            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0028CB57
            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0028CB62
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
            • String ID: 0
            • API String ID: 464785882-4108050209
            • Opcode ID: 90da34d38519ff3dda8fffd2a761bc7e6e016e61a11500e888a362e69273e2bd
            • Instruction ID: 203f6cc4c4182e45a0af6b9451cc64a2c2f8fe01e8e5e25c06e3b58c2c4ebbb9
            • Opcode Fuzzy Hash: 90da34d38519ff3dda8fffd2a761bc7e6e016e61a11500e888a362e69273e2bd
            • Instruction Fuzzy Hash: 7112D234521202DFDB15DF24C988BA9B7E5BF05302F64416AF856CB692C731EC69CF64
            APIs
            • DestroyWindow.USER32(00000000), ref: 002C77F1
            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002C78B0
            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 002C78EE
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 002C7900
            • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 002C7946
            • GetClientRect.USER32(00000000,?), ref: 002C7952
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 002C7996
            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 002C79A5
            • GetStockObject.GDI32(00000011), ref: 002C79B5
            • SelectObject.GDI32(00000000,00000000), ref: 002C79B9
            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 002C79C9
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002C79D2
            • DeleteDC.GDI32(00000000), ref: 002C79DB
            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002C7A07
            • SendMessageW.USER32(00000030,00000000,00000001), ref: 002C7A1E
            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 002C7A59
            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 002C7A6D
            • SendMessageW.USER32(00000404,00000001,00000000), ref: 002C7A7E
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 002C7AAE
            • GetStockObject.GDI32(00000011), ref: 002C7AB9
            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 002C7AC4
            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 002C7ACE
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
            • API String ID: 2910397461-517079104
            • Opcode ID: b1ed17ce4d36628925cbef1dd36cd8172f7972a8b227d998113090c532591d81
            • Instruction ID: 91dec428f103f9e074098ab4d0bad9a02e751243ce1c3ad4d27a9116a0de8e15
            • Opcode Fuzzy Hash: b1ed17ce4d36628925cbef1dd36cd8172f7972a8b227d998113090c532591d81
            • Instruction Fuzzy Hash: 2EA1AF71A10219BFEB109BA4DD4AFAE7BBDEB48711F008215FA15A72E0C770AD10CF64
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 002BAF89
            • GetDriveTypeW.KERNEL32(?,002DFAC0,?,\\.\,002DF910), ref: 002BB066
            • SetErrorMode.KERNEL32(00000000,002DFAC0,?,\\.\,002DF910), ref: 002BB1C4
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ErrorMode$DriveType
            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
            • API String ID: 2907320926-4222207086
            • Opcode ID: cdb71ccd0ccb2745068d049e6b4c5eba906e14f0097c529268491426971adb84
            • Instruction ID: 939a0301ae61c8e5c74dcb1a965dc5255774edf62add61f52cb662967b672239
            • Opcode Fuzzy Hash: cdb71ccd0ccb2745068d049e6b4c5eba906e14f0097c529268491426971adb84
            • Instruction Fuzzy Hash: E25109306B5705DBCB02EF58D9629FD73B0AB187C17208415E54EA72D0C7F59D66CB42
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
            • API String ID: 1038674560-86951937
            • Opcode ID: 3cd91eed3e3822d9d0d8457241d3186604283634be454e3b6f38131eb3cd169b
            • Instruction ID: a8cb855ca3c5e35ebc120dea8fd56e2deef76d2a9262d5c0631b39a11cbd496b
            • Opcode Fuzzy Hash: 3cd91eed3e3822d9d0d8457241d3186604283634be454e3b6f38131eb3cd169b
            • Instruction Fuzzy Hash: 2B812770670316AACF21BE20CD87FAE7768AF15305F448021FD45AB1C2EB70DA79CA59
            APIs
            • GetSysColor.USER32(00000012), ref: 002DAB99
            • SetTextColor.GDI32(?,?), ref: 002DAB9D
            • GetSysColorBrush.USER32(0000000F), ref: 002DABB3
            • GetSysColor.USER32(0000000F), ref: 002DABBE
            • CreateSolidBrush.GDI32(?), ref: 002DABC3
            • GetSysColor.USER32(00000011), ref: 002DABDB
            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 002DABE9
            • SelectObject.GDI32(?,00000000), ref: 002DABFA
            • SetBkColor.GDI32(?,00000000), ref: 002DAC03
            • SelectObject.GDI32(?,?), ref: 002DAC10
            • InflateRect.USER32(?,000000FF,000000FF), ref: 002DAC2F
            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002DAC46
            • GetWindowLongW.USER32(00000000,000000F0), ref: 002DAC5B
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002DACA7
            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002DACCE
            • InflateRect.USER32(?,000000FD,000000FD), ref: 002DACEC
            • DrawFocusRect.USER32(?,?), ref: 002DACF7
            • GetSysColor.USER32(00000011), ref: 002DAD05
            • SetTextColor.GDI32(?,00000000), ref: 002DAD0D
            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 002DAD21
            • SelectObject.GDI32(?,002DA869), ref: 002DAD38
            • DeleteObject.GDI32(?), ref: 002DAD43
            • SelectObject.GDI32(?,?), ref: 002DAD49
            • DeleteObject.GDI32(?), ref: 002DAD4E
            • SetTextColor.GDI32(?,?), ref: 002DAD54
            • SetBkColor.GDI32(?,?), ref: 002DAD5E
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
            • String ID:
            • API String ID: 1996641542-0
            • Opcode ID: 6b614b05b84f0693116f8a8a2158d5bd706adeafb64b7bc92839df31964ab675
            • Instruction ID: 620eaaa2198cd99850f000175c50a76e241787addeb673566d374fa7ff8c9c48
            • Opcode Fuzzy Hash: 6b614b05b84f0693116f8a8a2158d5bd706adeafb64b7bc92839df31964ab675
            • Instruction Fuzzy Hash: 84617D71D11219AFDB109FA4ED48EAE7BB9EB08320F148127F916AB2A1D6719D50CF90
            APIs
            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002D8D34
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002D8D45
            • CharNextW.USER32(0000014E), ref: 002D8D74
            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002D8DB5
            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002D8DCB
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002D8DDC
            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 002D8DF9
            • SetWindowTextW.USER32(?,0000014E), ref: 002D8E45
            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 002D8E5B
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 002D8E8C
            • _memset.LIBCMT ref: 002D8EB1
            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 002D8EFA
            • _memset.LIBCMT ref: 002D8F59
            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 002D8F83
            • SendMessageW.USER32(?,00001074,?,00000001), ref: 002D8FDB
            • SendMessageW.USER32(?,0000133D,?,?), ref: 002D9088
            • InvalidateRect.USER32(?,00000000,00000001), ref: 002D90AA
            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002D90F4
            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002D9121
            • DrawMenuBar.USER32(?), ref: 002D9130
            • SetWindowTextW.USER32(?,0000014E), ref: 002D9158
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
            • String ID: 0
            • API String ID: 1073566785-4108050209
            • Opcode ID: e30ca3cae7e5822388dbe1ef526e6664d02a34bd1021710a394a7ce0c57fc842
            • Instruction ID: f48c4b35c453639c02dcd1b907061e28a9c7794f3f4163a1de93ae1a298e8d53
            • Opcode Fuzzy Hash: e30ca3cae7e5822388dbe1ef526e6664d02a34bd1021710a394a7ce0c57fc842
            • Instruction Fuzzy Hash: 73E17F7092120AABDF219F60DC88EEE7B79EF05710F108157F9199A2D0DB709E95DF60
            APIs
            • GetCursorPos.USER32(?), ref: 002D4C51
            • GetDesktopWindow.USER32 ref: 002D4C66
            • GetWindowRect.USER32(00000000), ref: 002D4C6D
            • GetWindowLongW.USER32(?,000000F0), ref: 002D4CCF
            • DestroyWindow.USER32(?), ref: 002D4CFB
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002D4D24
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002D4D42
            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 002D4D68
            • SendMessageW.USER32(?,00000421,?,?), ref: 002D4D7D
            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 002D4D90
            • IsWindowVisible.USER32(?), ref: 002D4DB0
            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 002D4DCB
            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 002D4DDF
            • GetWindowRect.USER32(?,?), ref: 002D4DF7
            • MonitorFromPoint.USER32(?,?,00000002), ref: 002D4E1D
            • GetMonitorInfoW.USER32(00000000,?), ref: 002D4E37
            • CopyRect.USER32(?,?), ref: 002D4E4E
            • SendMessageW.USER32(?,00000412,00000000), ref: 002D4EB9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
            • String ID: ($0$tooltips_class32
            • API String ID: 698492251-4156429822
            • Opcode ID: 0d0b0dc7c38555d080de5f1460e718f694545b2434406f32bef9357f8292f212
            • Instruction ID: 2c03ccd0db0624c6cfe6c16a14c51cd1dc7c00b5e7d4770420d82447d3edc124
            • Opcode Fuzzy Hash: 0d0b0dc7c38555d080de5f1460e718f694545b2434406f32bef9357f8292f212
            • Instruction Fuzzy Hash: 54B1AC70628341AFDB44EF24C949B5ABBE4FF88300F00891EF9999B2A1D770EC54CB95
            APIs
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002528BC
            • GetSystemMetrics.USER32(00000007), ref: 002528C4
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002528EF
            • GetSystemMetrics.USER32(00000008), ref: 002528F7
            • GetSystemMetrics.USER32(00000004), ref: 0025291C
            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00252939
            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00252949
            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0025297C
            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00252990
            • GetClientRect.USER32(00000000,000000FF), ref: 002529AE
            • GetStockObject.GDI32(00000011), ref: 002529CA
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 002529D5
              • Part of subcall function 00252344: GetCursorPos.USER32(?), ref: 00252357
              • Part of subcall function 00252344: ScreenToClient.USER32(003167B0,?), ref: 00252374
              • Part of subcall function 00252344: GetAsyncKeyState.USER32(00000001), ref: 00252399
              • Part of subcall function 00252344: GetAsyncKeyState.USER32(00000002), ref: 002523A7
            • SetTimer.USER32(00000000,00000000,00000028,00251256), ref: 002529FC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
            • String ID: AutoIt v3 GUI
            • API String ID: 1458621304-248962490
            • Opcode ID: 3cb519be69491d468a29cdafe3da2dafc7b7f55f371c07b07a69820ed6f486a2
            • Instruction ID: a7202162fca2ed77e2ee0c8d5db92fc34a362e9fa384639bf6c68f96091ac3f8
            • Opcode Fuzzy Hash: 3cb519be69491d468a29cdafe3da2dafc7b7f55f371c07b07a69820ed6f486a2
            • Instruction Fuzzy Hash: 89B19D34A1120AEFDB15DFA8DD49BED7BA4FB08311F108129FA16A62D0CB70D865CB64
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 002D40F6
            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002D41B6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: BuffCharMessageSendUpper
            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
            • API String ID: 3974292440-719923060
            • Opcode ID: b1f3542e8b1c2cd0c68a8190a6f40bae479744a781e518fba3ac8205a1b5d449
            • Instruction ID: b7771f76927a3f284a298df860582abf9a992b4e599e937c201f6e6363ed8413
            • Opcode Fuzzy Hash: b1f3542e8b1c2cd0c68a8190a6f40bae479744a781e518fba3ac8205a1b5d449
            • Instruction Fuzzy Hash: BFA1A130234301DFCB14FF14C951A6AB3A5AF45314F14886AB89A5B7D2DB30ED69CF51
            APIs
            • LoadCursorW.USER32(00000000,00007F89), ref: 002C5309
            • LoadCursorW.USER32(00000000,00007F8A), ref: 002C5314
            • LoadCursorW.USER32(00000000,00007F00), ref: 002C531F
            • LoadCursorW.USER32(00000000,00007F03), ref: 002C532A
            • LoadCursorW.USER32(00000000,00007F8B), ref: 002C5335
            • LoadCursorW.USER32(00000000,00007F01), ref: 002C5340
            • LoadCursorW.USER32(00000000,00007F81), ref: 002C534B
            • LoadCursorW.USER32(00000000,00007F88), ref: 002C5356
            • LoadCursorW.USER32(00000000,00007F80), ref: 002C5361
            • LoadCursorW.USER32(00000000,00007F86), ref: 002C536C
            • LoadCursorW.USER32(00000000,00007F83), ref: 002C5377
            • LoadCursorW.USER32(00000000,00007F85), ref: 002C5382
            • LoadCursorW.USER32(00000000,00007F82), ref: 002C538D
            • LoadCursorW.USER32(00000000,00007F84), ref: 002C5398
            • LoadCursorW.USER32(00000000,00007F04), ref: 002C53A3
            • LoadCursorW.USER32(00000000,00007F02), ref: 002C53AE
            • GetCursorInfo.USER32(?), ref: 002C53BE
            • GetLastError.KERNEL32(00000001,00000000), ref: 002C53E9
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Cursor$Load$ErrorInfoLast
            • String ID:
            • API String ID: 3215588206-0
            • Opcode ID: 8bab174778084916be153dc87273d75639729e920e3432c52ffc73ab3e79ef51
            • Instruction ID: 872f3c04365d57e550a015ef99d909f50f444eb0b0b34fbf5d51132f603060e7
            • Opcode Fuzzy Hash: 8bab174778084916be153dc87273d75639729e920e3432c52ffc73ab3e79ef51
            • Instruction Fuzzy Hash: 64418670E143296ADB209FB68C49D6FFFF8EF51B10B10452FE509E7290DAB8A440CE61
            APIs
            • GetClassNameW.USER32(?,?,00000100), ref: 002AAAA5
            • __swprintf.LIBCMT ref: 002AAB46
            • _wcscmp.LIBCMT ref: 002AAB59
            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 002AABAE
            • _wcscmp.LIBCMT ref: 002AABEA
            • GetClassNameW.USER32(?,?,00000400), ref: 002AAC21
            • GetDlgCtrlID.USER32(?), ref: 002AAC73
            • GetWindowRect.USER32(?,?), ref: 002AACA9
            • GetParent.USER32(?), ref: 002AACC7
            • ScreenToClient.USER32(00000000), ref: 002AACCE
            • GetClassNameW.USER32(?,?,00000100), ref: 002AAD48
            • _wcscmp.LIBCMT ref: 002AAD5C
            • GetWindowTextW.USER32(?,?,00000400), ref: 002AAD82
            • _wcscmp.LIBCMT ref: 002AAD96
              • Part of subcall function 0027386C: _iswctype.LIBCMT ref: 00273874
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
            • String ID: %s%u
            • API String ID: 3744389584-679674701
            • Opcode ID: 400542082af294f9e6f58ed9e1a383b70b5d57bc7e5faeea13d69aecc1877bbe
            • Instruction ID: 709b0ffd3a182539823258072041fc32beae4d13eb37065ba15dad87471b942c
            • Opcode Fuzzy Hash: 400542082af294f9e6f58ed9e1a383b70b5d57bc7e5faeea13d69aecc1877bbe
            • Instruction Fuzzy Hash: 95A1C071224707AFD714DF24C884BEAF7E8FF06315F00862AF99982591DB30E965CB92
            APIs
            • GetClassNameW.USER32(00000008,?,00000400), ref: 002AB3DB
            • _wcscmp.LIBCMT ref: 002AB3EC
            • GetWindowTextW.USER32(00000001,?,00000400), ref: 002AB414
            • CharUpperBuffW.USER32(?,00000000), ref: 002AB431
            • _wcscmp.LIBCMT ref: 002AB44F
            • _wcsstr.LIBCMT ref: 002AB460
            • GetClassNameW.USER32(00000018,?,00000400), ref: 002AB498
            • _wcscmp.LIBCMT ref: 002AB4A8
            • GetWindowTextW.USER32(00000002,?,00000400), ref: 002AB4CF
            • GetClassNameW.USER32(00000018,?,00000400), ref: 002AB518
            • _wcscmp.LIBCMT ref: 002AB528
            • GetClassNameW.USER32(00000010,?,00000400), ref: 002AB550
            • GetWindowRect.USER32(00000004,?), ref: 002AB5B9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
            • String ID: @$ThumbnailClass
            • API String ID: 1788623398-1539354611
            • Opcode ID: 4f18a93a15363820cb0ae2ee73505a3c10cd71efef6b0791d8349899036c3611
            • Instruction ID: 544d62f71628ef0428d371c0c8617392af5ace66f9c30e6777c8ed97aef9af19
            • Opcode Fuzzy Hash: 4f18a93a15363820cb0ae2ee73505a3c10cd71efef6b0791d8349899036c3611
            • Instruction Fuzzy Hash: 7D81C0714243069BDB06DF10D885FAABBE8EF45714F0481AAFD898A093DF30DD69CB61
            APIs
              • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
            • DragQueryPoint.SHELL32(?,?), ref: 002DC917
              • Part of subcall function 002DADF1: ClientToScreen.USER32(?,?), ref: 002DAE1A
              • Part of subcall function 002DADF1: GetWindowRect.USER32(?,?), ref: 002DAE90
              • Part of subcall function 002DADF1: PtInRect.USER32(?,?,002DC304), ref: 002DAEA0
            • SendMessageW.USER32(?,000000B0,?,?), ref: 002DC980
            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002DC98B
            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002DC9AE
            • _wcscat.LIBCMT ref: 002DC9DE
            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 002DC9F5
            • SendMessageW.USER32(?,000000B0,?,?), ref: 002DCA0E
            • SendMessageW.USER32(?,000000B1,?,?), ref: 002DCA25
            • SendMessageW.USER32(?,000000B1,?,?), ref: 002DCA47
            • DragFinish.SHELL32(?), ref: 002DCA4E
            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002DCB41
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr1
            • API String ID: 169749273-2184659058
            • Opcode ID: 5fb83230029b37b35ac8a0e5bcfaaeb8cf56461bf51a83a598ba15715255346e
            • Instruction ID: e30d828521bbfa72c727a3f4d5bbd1929c0a79919d377793023a72f9f02c16d5
            • Opcode Fuzzy Hash: 5fb83230029b37b35ac8a0e5bcfaaeb8cf56461bf51a83a598ba15715255346e
            • Instruction Fuzzy Hash: C7617B71518301AFC701DF64DC89D9FBBE8EF88710F104A2EF992922A1DB709A59CF56
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
            • API String ID: 1038674560-1810252412
            • Opcode ID: eff6b0c3de63ec115d574b64c4e330d30f53c40a5fc68dee358f62f5fa9fd6fb
            • Instruction ID: 398286b50348ddc78b0a71acb6184ce25bffed6b77e6167d028225e3a6bcea53
            • Opcode Fuzzy Hash: eff6b0c3de63ec115d574b64c4e330d30f53c40a5fc68dee358f62f5fa9fd6fb
            • Instruction Fuzzy Hash: 6F31F031A64209A6DB12FA60DC63FEE77A89F25711F600026F805710D3EFB26E28C955
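            The String ID fields of the functions listed above (the "AutoIt v3" / "AutoIt v3 GUI" window classes, the "#include" / "#requireadmin" / "#OnAutoItStartRegister" directive parser, the "[CLASS:" / "[REGEXPTITLE:" / "[HANDLE:" window-title matcher, "@GUI_DRAGFILE") are strings of the AutoIt v3 interpreter itself, not of the script it carries; they are the evidence behind a "compiled AutoIt script" verdict, and the actual payload lives in the compiled script resource, which this listing does not show. The following is an added triage helper, written for this page and not part of the Joe Sandbox report or of AutoIt: it scans a file image for those runtime strings in both ASCII and UTF-16LE (the interpreter uses the wide-character Win32 APIs seen above, so its strings are stored as UTF-16LE) and, separately, for the "AU3!EA06" compiled-script marker, which is general AutoIt knowledge and is assumed here rather than taken from this report. The sample buffers and the marker threshold are constructed assumptions for demonstration.

```python
"""Triage check: does a PE image look like a compiled AutoIt v3 script?

Added example, not code from the Joe Sandbox report or from AutoIt.
"""

# Interpreter strings taken from the String ID fields of the function
# listing above. Any one of them alone is weak evidence (a legitimate
# AutoIt-built tool contains them too); several together, or the script
# marker below, make the verdict reasonably firm.
AUTOIT_RUNTIME_STRINGS = [
    "AutoIt v3",
    "AutoIt v3 GUI",
    "#OnAutoItStartRegister",
    "#requireadmin",
    "#pragma compile",
    "#notrayicon",
    "Bad directive syntax error",
    "Cannot parse #include",
    "[REGEXPTITLE:",
    "[CLASS:",
    "[HANDLE:",
    "@GUI_DRAGFILE",
]

# Marker of the embedded compiled script resource. ASSUMPTION: this is
# general AutoIt v3 knowledge, not a value shown anywhere in this report.
AU3_SCRIPT_MAGIC = b"AU3!EA06"


def _encodings(s: str):
    """Yield (label, needle) for the two encodings a Win32 binary may use."""
    yield "ascii", s.encode("ascii")
    yield "utf16le", s.encode("utf-16-le")


def scan_autoit_markers(data: bytes) -> dict:
    """Locate interpreter strings and the script marker in a raw file image.

    Returns {'markers': {string: {encoding: offset}}, 'au3_magic_offset': int|None}.
    Only the first occurrence per (string, encoding) is recorded.
    """
    markers: dict = {}
    for s in AUTOIT_RUNTIME_STRINGS:
        for label, needle in _encodings(s):
            off = data.find(needle)
            if off != -1:
                markers.setdefault(s, {})[label] = off
    magic = data.find(AU3_SCRIPT_MAGIC)
    return {"markers": markers, "au3_magic_offset": magic if magic != -1 else None}


def is_likely_compiled_autoit(data: bytes, min_markers: int = 3) -> bool:
    """Verdict: script marker present, or at least min_markers runtime strings.

    min_markers=3 is an assumed threshold chosen to avoid flagging on a single
    incidental "AutoIt v3" string.
    """
    result = scan_autoit_markers(data)
    if result["au3_magic_offset"] is not None:
        return True
    return len(result["markers"]) >= min_markers


def _utf16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed sample images (not real files): a stub "MZ" header, a few
# interpreter strings stored UTF-16LE the way the runtime keeps them, padding.
SAMPLE_AUTOIT_LIKE = (
    b"MZ" + b"\x00" * 64
    + _utf16("AutoIt v3 GUI") + b"\x00\x00"
    + _utf16("#OnAutoItStartRegister") + b"\x00\x00"
    + _utf16("[REGEXPTITLE:") + b"\x00\x00"
    + _utf16("Bad directive syntax error") + b"\x00\x00"
    + b"\x90" * 32
)
SAMPLE_PLAIN = b"MZ" + b"\x00" * 64 + b"Hello, world\x00" + b"\x90" * 32


if __name__ == "__main__":
    import sys

    for name, blob in (("autoit-like", SAMPLE_AUTOIT_LIKE), ("plain", SAMPLE_PLAIN)):
        r = scan_autoit_markers(blob)
        print(f"{name}: markers={sorted(r['markers'])} "
              f"magic@{r['au3_magic_offset']} verdict={is_likely_compiled_autoit(blob)}")
    # Real use: python this_script.py "Attendance list.exe"
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, is_likely_compiled_autoit(fh.read()))
```

            A positive verdict only tells you the runtime is AutoIt; the offsets of the runtime strings point at the interpreter, so the next step is to extract and decompile the script resource rather than to spend time on the GUI and drive-enumeration functions listed here.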
            APIs
            • LoadIconW.USER32(00000063), ref: 002AC4D4
            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002AC4E6
            • SetWindowTextW.USER32(?,?), ref: 002AC4FD
            • GetDlgItem.USER32(?,000003EA), ref: 002AC512
            • SetWindowTextW.USER32(00000000,?), ref: 002AC518
            • GetDlgItem.USER32(?,000003E9), ref: 002AC528
            • SetWindowTextW.USER32(00000000,?), ref: 002AC52E
            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 002AC54F
            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 002AC569
            • GetWindowRect.USER32(?,?), ref: 002AC572
            • SetWindowTextW.USER32(?,?), ref: 002AC5DD
            • GetDesktopWindow.USER32 ref: 002AC5E3
            • GetWindowRect.USER32(00000000), ref: 002AC5EA
            • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 002AC636
            • GetClientRect.USER32(?,?), ref: 002AC643
            • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 002AC668
            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 002AC693
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
            • String ID:
            • API String ID: 3869813825-0
            • Opcode ID: eb72e017ac9dbd770709a95e0f6ccb3568207accb7fb3e1a9991e82639209668
            • Instruction ID: 8669e10c68a8d2ff94ba9c4257c968ba757cfb73b13219fef85068e575097147
            • Opcode Fuzzy Hash: eb72e017ac9dbd770709a95e0f6ccb3568207accb7fb3e1a9991e82639209668
            • Instruction Fuzzy Hash: 22516070D00709AFDB20DFA8DE89B6EBBF9FF04704F104529E692A25A0DB74E914CB54
            APIs
            • _memset.LIBCMT ref: 002DA4C8
            • DestroyWindow.USER32(?,?), ref: 002DA542
              • Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002DA5BC
            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002DA5DE
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002DA5F1
            • DestroyWindow.USER32(00000000), ref: 002DA613
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00250000,00000000), ref: 002DA64A
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002DA663
            • GetDesktopWindow.USER32 ref: 002DA67C
            • GetWindowRect.USER32(00000000), ref: 002DA683
            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002DA69B
            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002DA6B3
              • Part of subcall function 002525DB: GetWindowLongW.USER32(?,000000EB), ref: 002525EC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
            • String ID: 0$tooltips_class32
            • API String ID: 1297703922-3619404913
            • Opcode ID: f2ef1db47d899478773879b0a21566f7035aaac302aec013a07e1af1d2bc70c8
            • Instruction ID: 65a2855b0a6116243fc71c783a4ca1bb60e77f56bb80f1b429dd5e3f25139a37
            • Opcode Fuzzy Hash: f2ef1db47d899478773879b0a21566f7035aaac302aec013a07e1af1d2bc70c8
            • Instruction Fuzzy Hash: 0E718A71551205AFDB21CF28D849FA677E9EB88300F08492EF996872A0D770ED16CB96
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 002D46AB
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002D46F6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: BuffCharMessageSendUpper
            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
            • API String ID: 3974292440-4258414348
            • Opcode ID: 8c1ed2a59bf875694f8f05e553b301da995e4d05640115930ee3166ae2cf9395
            • Instruction ID: 4eb00beb247a4dab93fc4185e8eeb2f6242895c272eb0fcc88b97ec60af9045f
            • Opcode Fuzzy Hash: 8c1ed2a59bf875694f8f05e553b301da995e4d05640115930ee3166ae2cf9395
            • Instruction Fuzzy Hash: A6918F34224305DFCB14EF20C891A6AB7A1AF59314F04845EFC965B7A2CB71ED6ACF85
            APIs
            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002DBB6E
            • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,002D6D80,?), ref: 002DBBCA
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002DBC03
            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002DBC46
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002DBC7D
            • FreeLibrary.KERNEL32(?), ref: 002DBC89
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002DBC99
            • DestroyIcon.USER32(?), ref: 002DBCA8
            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002DBCC5
            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002DBCD1
              • Part of subcall function 0027313D: __wcsicmp_l.LIBCMT ref: 002731C6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
            • String ID: .dll$.exe$.icl
            • API String ID: 1212759294-1154884017
            • Opcode ID: a055931698f428427983fe7747f99b61d25d441ede441f4eb227968c87b9482a
            • Instruction ID: 76594e9bb53199060dcb49436fcdaf67cc3e33538aa3c5dd5207a27cd67272f5
            • Opcode Fuzzy Hash: a055931698f428427983fe7747f99b61d25d441ede441f4eb227968c87b9482a
            • Instruction Fuzzy Hash: 9E61BD71A20219FEEB15DF64DD45BBA77A8FB08711F108117F815D62C0DBB4AEA4CBA0
            APIs
            • LoadStringW.USER32(00000066,?,00000FFF,002DFB78), ref: 002BA0FC
              • Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82
            • LoadStringW.USER32(?,?,00000FFF,?), ref: 002BA11E
            • __swprintf.LIBCMT ref: 002BA177
            • __swprintf.LIBCMT ref: 002BA190
            • _wprintf.LIBCMT ref: 002BA246
            • _wprintf.LIBCMT ref: 002BA264
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: LoadString__swprintf_wprintf$_memmove
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%.
            • API String ID: 311963372-3105223538
            • Opcode ID: 6313160c8fbff4d3fa126bc31fdeda28ee57c8827f509f3b4343cf3acc1991b9
            • Instruction ID: abbd639db831fe30bee09d092badafea0f8efbde1165c216e8ef293c8b2e78b1
            • Opcode Fuzzy Hash: 6313160c8fbff4d3fa126bc31fdeda28ee57c8827f509f3b4343cf3acc1991b9
            • Instruction Fuzzy Hash: FA51B131860209ABCF15EBE0DD92EEEB779AF08301F104165F905721A1EB316F69DF51
            APIs
              • Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
              • Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C
            • CharLowerBuffW.USER32(?,?), ref: 002BA636
            • GetDriveTypeW.KERNEL32 ref: 002BA683
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002BA6CB
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002BA702
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002BA730
              • Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
            • API String ID: 2698844021-4113822522
            • Opcode ID: 0acc2afb317910aeacb704088a7b770470c5509944e4b156de075d2d772fc7e3
            • Instruction ID: d637bfaea3e9eff11e62ea896bb5d029f1d1d110a4aac977b9cc7f8643c27b77
            • Opcode Fuzzy Hash: 0acc2afb317910aeacb704088a7b770470c5509944e4b156de075d2d772fc7e3
            • Instruction Fuzzy Hash: 6D516A711287099FC700EF20D8918AAB3F4EF94758F14896DF886572A1DB31EE1ACF52
            APIs
            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002BA47A
            • __swprintf.LIBCMT ref: 002BA49C
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 002BA4D9
            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002BA4FE
            • _memset.LIBCMT ref: 002BA51D
            • _wcsncpy.LIBCMT ref: 002BA559
            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 002BA58E
            • CloseHandle.KERNEL32(00000000), ref: 002BA599
            • RemoveDirectoryW.KERNEL32(?), ref: 002BA5A2
            • CloseHandle.KERNEL32(00000000), ref: 002BA5AC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
            • String ID: :$\$\??\%s
            • API String ID: 2733774712-3457252023
            • Opcode ID: 8f8b558cef77844d7c3ee2ff8f13b7bcfd2aff2e5e8cfd0aef6600039be2ea3a
            • Instruction ID: fe0ab0705b666e3f36d207abe5d4a8dfe60edcc44d3fd4f88c7fbdd9437f244c
            • Opcode Fuzzy Hash: 8f8b558cef77844d7c3ee2ff8f13b7bcfd2aff2e5e8cfd0aef6600039be2ea3a
            • Instruction Fuzzy Hash: 3E31D4B591011AABDB21DFA0DC48FEB33BCEF88741F5040B6F909D2160E7709B548B25
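Decoding the constants in this function's call sequence, as an added example that is not part of the Joe Sandbox report: the script parses the report's own API-reference lines (copied from the list above) and names the numeric arguments of the CreateFileW and DeviceIoControl calls. The constant names are Windows SDK values (0x40000000 is GENERIC_WRITE, 3 is OPEN_EXISTING, 0x02200000 is FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, 0x000900A4 is FSCTL_SET_REPARSE_POINT); the function names `parse_api_lines`, `decode_ioctl`, `decode_create_file` and `summarize_reparse_routine` are this example's own, and the summary it produces is an interpretation of the visible call order, not a claim about control flow the report does not show.

```python
"""Added example: parse Joe Sandbox "APIs" lines and decode the arguments of
the reparse-point routine (CreateFileW + DeviceIoControl) into SDK names."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Lines copied from the report's "APIs" list for the function at 002BA47A..002BA5AC.
REPORT_LINES = """\
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002BA47A
• CreateDirectoryW.KERNEL32(?,00000000), ref: 002BA4D9
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002BA4FE
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 002BA58E
• CloseHandle.KERNEL32(00000000), ref: 002BA599
• RemoveDirectoryW.KERNEL32(?), ref: 002BA5A2
"""

# "• Name.MODULE(arg,arg,...), ref: ADDR"; the argument list is optional.
API_LINE = re.compile(
    r"^\s*•?\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[Union[int, str]]]   # None = "?" (unknown at analysis time)
    ref: int


def _parse_arg(tok: str):
    if tok == "?":
        return None
    try:
        return int(tok, 16)      # the report prints integers as zero-padded hex
    except ValueError:
        return tok               # a literal such as tooltips_class32


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue             # skips header and "Part of subcall function" lines
        raw = m.group("args") or ""
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def decode_ioctl(code: int) -> dict:
    """Split an I/O control code into the CTL_CODE fields:
    (DeviceType << 16) | (Access << 14) | (Function << 2) | Method."""
    return {"device_type": code >> 16, "access": (code >> 14) & 3,
            "function": (code >> 2) & 0xFFF, "method": code & 3}


FILE_DEVICE_FILE_SYSTEM = 0x9
FSCTL_FUNCTIONS = {41: "FSCTL_SET_REPARSE_POINT", 42: "FSCTL_GET_REPARSE_POINT",
                   43: "FSCTL_DELETE_REPARSE_POINT"}


def ioctl_name(code: int) -> str:
    f = decode_ioctl(code)
    if f["device_type"] == FILE_DEVICE_FILE_SYSTEM:
        return FSCTL_FUNCTIONS.get(f["function"], "FSCTL_(function %d)" % f["function"])
    return "IOCTL device 0x%x function %d" % (f["device_type"], f["function"])


CREATE_FILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
                     0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x00000080: "FILE_ATTRIBUTE_NORMAL"}
ACCESS_BITS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS",
                5: "TRUNCATE_EXISTING"}


def decode_create_file(call: ApiCall) -> dict:
    """Name the arguments of CreateFileW(lpFileName, dwDesiredAccess, dwShareMode,
    lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)."""
    access = call.args[1] or 0
    disposition = call.args[4] or 0
    flags = call.args[5] or 0
    return {"access": [n for b, n in ACCESS_BITS.items() if access & b],
            "disposition": DISPOSITIONS.get(disposition, hex(disposition)),
            "flags": [n for b, n in CREATE_FILE_FLAGS.items() if flags & b]}


def summarize_reparse_routine(calls: List[ApiCall]) -> dict:
    """A directory handle opened with BACKUP_SEMANTICS|OPEN_REPARSE_POINT followed by
    FSCTL_SET_REPARSE_POINT is how a junction (mount point) is written; the "\\??\\%s"
    string in this function is the NT path prefix used in the reparse buffer's SubstituteName."""
    result = {"opens_reparse_handle": False, "sets_reparse_point": False}
    for c in calls:
        if c.name == "CreateFileW":
            d = decode_create_file(c)
            if {"FILE_FLAG_OPEN_REPARSE_POINT", "FILE_FLAG_BACKUP_SEMANTICS"} <= set(d["flags"]):
                result["opens_reparse_handle"] = True
        elif c.name == "DeviceIoControl" and result["opens_reparse_handle"] and isinstance(c.args[1], int):
            if ioctl_name(c.args[1]) == "FSCTL_SET_REPARSE_POINT":
                result["sets_reparse_point"] = True
    return result


if __name__ == "__main__":
    parsed = parse_api_lines(REPORT_LINES)
    for c in parsed:
        print(f"{c.ref:08X} {c.module}!{c.name} {c.args}")
    print(ioctl_name(0x000900A4), decode_ioctl(0x000900A4))
    print(summarize_reparse_routine(parsed))
```

The same parser can be pointed at any other "APIs" block on this page; only the CreateFileW and DeviceIoControl decoders are specific to this function.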
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
            • String ID:
            • API String ID: 884005220-0
            • Opcode ID: 49b83021533893cbdefdc78713c24c7092742a52e3450607da84c630c45989fd
            • Instruction ID: 0ea4d26f5580f07dbd0d19b82de17a220249edf9c2beb1bfc80307f392d67bf8
            • Opcode Fuzzy Hash: 49b83021533893cbdefdc78713c24c7092742a52e3450607da84c630c45989fd
            • Instruction Fuzzy Hash: A061F476923202EFFB217F24D842B6977A9EF21325F14812BE805DB1D1DF749861CB92
            APIs
            • __wsplitpath.LIBCMT ref: 002BDC7B
            • _wcscat.LIBCMT ref: 002BDC93
            • _wcscat.LIBCMT ref: 002BDCA5
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002BDCBA
            • SetCurrentDirectoryW.KERNEL32(?), ref: 002BDCCE
            • GetFileAttributesW.KERNEL32(?), ref: 002BDCE6
            • SetFileAttributesW.KERNEL32(?,00000000), ref: 002BDD00
            • SetCurrentDirectoryW.KERNEL32(?), ref: 002BDD12
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
            • String ID: *.*
            • API String ID: 34673085-438819550
            • Opcode ID: a46d151dfacfc7f099b2ae0301dfda36b6d7acc1f1bfd16e50ecc90e8f2538b7
            • Instruction ID: 7e328396406a0f7f13b5c11815b78f1eb456db7f32666064a68af20441682992
            • Opcode Fuzzy Hash: a46d151dfacfc7f099b2ae0301dfda36b6d7acc1f1bfd16e50ecc90e8f2538b7
            • Instruction Fuzzy Hash: A18182765242429FCB64EF24C8459EEB7E8BB88394F19882EF889C7250F770DD54CB52
            APIs
              • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002DC4EC
            • GetFocus.USER32 ref: 002DC4FC
            • GetDlgCtrlID.USER32(00000000), ref: 002DC507
            • _memset.LIBCMT ref: 002DC632
            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 002DC65D
            • GetMenuItemCount.USER32(?), ref: 002DC67D
            • GetMenuItemID.USER32(?,00000000), ref: 002DC690
            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 002DC6C4
            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 002DC70C
            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002DC744
            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 002DC779
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
            • String ID: 0
            • API String ID: 1296962147-4108050209
            • Opcode ID: b96636791d072210e71a94c783df101cdbedc888ae57af1c21f85a87b7145565
            • Instruction ID: 2f01160ae3881f3b69b1081685ff7cb1b298f629575aa4ec10d8cbb6ef4b3645
            • Opcode Fuzzy Hash: b96636791d072210e71a94c783df101cdbedc888ae57af1c21f85a87b7145565
            • Instruction Fuzzy Hash: 53815B706283029FD711CF14D984AABBBE8EB88314F20452EF99597391D770ED25CF92
            APIs
              • Part of subcall function 002A874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002A8766
              • Part of subcall function 002A874A: GetLastError.KERNEL32(?,002A822A,?,?,?), ref: 002A8770
              • Part of subcall function 002A874A: GetProcessHeap.KERNEL32(00000008,?,?,002A822A,?,?,?), ref: 002A877F
              • Part of subcall function 002A874A: HeapAlloc.KERNEL32(00000000,?,002A822A,?,?,?), ref: 002A8786
              • Part of subcall function 002A874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002A879D
              • Part of subcall function 002A87E7: GetProcessHeap.KERNEL32(00000008,002A8240,00000000,00000000,?,002A8240,?), ref: 002A87F3
              • Part of subcall function 002A87E7: HeapAlloc.KERNEL32(00000000,?,002A8240,?), ref: 002A87FA
              • Part of subcall function 002A87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,002A8240,?), ref: 002A880B
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002A8458
            • _memset.LIBCMT ref: 002A846D
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002A848C
            • GetLengthSid.ADVAPI32(?), ref: 002A849D
            • GetAce.ADVAPI32(?,00000000,?), ref: 002A84DA
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002A84F6
            • GetLengthSid.ADVAPI32(?), ref: 002A8513
            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 002A8522
            • HeapAlloc.KERNEL32(00000000), ref: 002A8529
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 002A854A
            • CopySid.ADVAPI32(00000000), ref: 002A8551
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002A8582
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002A85A8
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 002A85BC
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
            • String ID:
            • API String ID: 3996160137-0
            • Opcode ID: 4c8edffb0edc7e5b770a66905a5f4cca2943ed5d1095fcda1a836393c8e7fbde
            • Instruction ID: 6c2836f7f2fd11e2974f8f9567fc34837ee2a63ea3ba3364514d850e842ad538
            • Opcode Fuzzy Hash: 4c8edffb0edc7e5b770a66905a5f4cca2943ed5d1095fcda1a836393c8e7fbde
            • Instruction Fuzzy Hash: 11615B71D1020AABDF04DFA0DD48AAEBBB9FF05301F44812AE915A7291DF309A24CF60
            APIs
            • GetDC.USER32(00000000), ref: 002C76A2
            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 002C76AE
            • CreateCompatibleDC.GDI32(?), ref: 002C76BA
            • SelectObject.GDI32(00000000,?), ref: 002C76C7
            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 002C771B
            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 002C7757
            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 002C777B
            • SelectObject.GDI32(00000006,?), ref: 002C7783
            • DeleteObject.GDI32(?), ref: 002C778C
            • DeleteDC.GDI32(00000006), ref: 002C7793
            • ReleaseDC.USER32(00000000,?), ref: 002C779E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
            • String ID: (
            • API String ID: 2598888154-3887548279
            • Opcode ID: eb895b341d9f774bb5ef88f972daeb6f25af06d36eedc8ef3b666d8b9684cc7b
            • Instruction ID: 8b0da6275a7db81d74cbcc591a1bb76f07bbffb8cdc1aaa50d0c7b8952a0ed09
            • Opcode Fuzzy Hash: eb895b341d9f774bb5ef88f972daeb6f25af06d36eedc8ef3b666d8b9684cc7b
            • Instruction Fuzzy Hash: DE513875914209EFCB15CFA8DC88EAEBBB9EF48710F14852EE95A97210D631AD508F60
            APIs
              • Part of subcall function 00270B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00256C6C,?,00008000), ref: 00270BB7
              • Part of subcall function 002548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002548A1,?,?,002537C0,?), ref: 002548CE
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00256D0D
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00256E5A
              • Part of subcall function 002559CD: _wcscpy.LIBCMT ref: 00255A05
              • Part of subcall function 0027387D: _iswctype.LIBCMT ref: 00273885
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
            • API String ID: 537147316-1018226102
            • Opcode ID: d1644f53a2b9c71faa856b82e91f8bfb8b7ce52e5f8991f06242b49fedfd845b
            • Instruction ID: be635a8e861d43781a312f600982207411cbfc1fa0fe1ef8dcff15b9c91f7b75
            • Opcode Fuzzy Hash: d1644f53a2b9c71faa856b82e91f8bfb8b7ce52e5f8991f06242b49fedfd845b
            • Instruction Fuzzy Hash: A402B0351283419FCB24EF24C891AAFBBE5BF99314F04491DF886932A1DB30D969CF46
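The strings in this loader function (`AU3!`, `EA06`, `>>>AUTOIT SCRIPT<<<`, plus the `#include` and "Unterminated string" diagnostics) are what the runtime uses when it pulls the compiled script out of the executable, which is the basis for the report's "likely a compiled AutoIt script file" verdict. The following added example (not part of the report and not AutoIt's own code) scans a byte buffer for the same markers and reads the four-byte subtype tag that follows `AU3!` rather than hard-coding `EA06`. The 16-byte magic that precedes `AU3!` is an assumption taken from public AutoIt decompiler tooling, not from this report; the sample buffer is constructed, and `find_autoit_markers` and `is_likely_compiled_autoit` are this example's own names.

```python
"""Added example: locate compiled-AutoIt script markers in a byte buffer."""
import re
from typing import Dict, List

# Assumption (not on the report page): the 16-byte magic public AutoIt decompilers
# use to find the embedded script resource; it immediately precedes the "AU3!" tag.
AU3_SCRIPT_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
AU3_TAG = b"AU3!"
# From the report: the pseudo-filename the loader assigns to the embedded script.
EMBEDDED_SCRIPT_NAME = ">>>AUTOIT SCRIPT<<<"


def find_autoit_markers(data: bytes) -> Dict[str, List[dict]]:
    """Return offsets of compiled-AutoIt indicators.

    'script_headers': one entry per "AU3!" tag with the 4-byte subtype that follows it
                      (e.g. "EA06") and whether the 16-byte magic precedes the tag.
    'interpreter_strings': offsets of the loader's pseudo-filename, in UTF-16LE (the
                      interpreter calls the ...W APIs) and, for completeness, ASCII.
    """
    headers = []
    for m in re.finditer(re.escape(AU3_TAG), data):
        off = m.start()
        subtype = data[off + 4:off + 8].decode("ascii", errors="replace")
        magic_ok = off >= 16 and data[off - 16:off] == AU3_SCRIPT_MAGIC
        headers.append({"offset": off, "subtype": subtype, "magic_confirmed": magic_ok})

    strings = []
    for enc in ("utf-16-le", "ascii"):
        needle = EMBEDDED_SCRIPT_NAME.encode(enc)
        strings += [{"offset": m.start(), "encoding": enc}
                    for m in re.finditer(re.escape(needle), data)]
    return {"script_headers": headers, "interpreter_strings": strings}


def is_likely_compiled_autoit(markers: Dict[str, List[dict]]) -> bool:
    """True when a magic-confirmed "AU3!" header with an "EA.." subtype is present;
    the interpreter string alone only shows the AutoIt runtime is embedded."""
    return any(h["magic_confirmed"] and h["subtype"].startswith("EA")
               for h in markers["script_headers"])


# Constructed sample (not a real file): a stub, then the script header, then the
# interpreter string. Real samples carry the compressed script body after the tag.
SAMPLE = (b"MZ" + b"\x00" * 62
          + AU3_SCRIPT_MAGIC + AU3_TAG + b"EA06"
          + b"\x5a" * 40
          + EMBEDDED_SCRIPT_NAME.encode("utf-16-le"))


if __name__ == "__main__":
    found = find_autoit_markers(SAMPLE)
    for h in found["script_headers"]:
        print(f"AU3! at 0x{h['offset']:x} subtype={h['subtype']} magic={h['magic_confirmed']}")
    for s in found["interpreter_strings"]:
        print(f"{EMBEDDED_SCRIPT_NAME!r} ({s['encoding']}) at 0x{s['offset']:x}")
    print("compiled AutoIt:", is_likely_compiled_autoit(found))
```

On a real sample the header offset is where a decompiler would start; the script body after the tag is compressed and is not recovered by this scan. Packed or otherwise wrapped samples may show neither marker until unpacked, so absence is not evidence against AutoIt.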
            APIs
            • _memset.LIBCMT ref: 002545F9
            • GetMenuItemCount.USER32(00316890), ref: 0028D7CD
            • GetMenuItemCount.USER32(00316890), ref: 0028D87D
            • GetCursorPos.USER32(?), ref: 0028D8C1
            • SetForegroundWindow.USER32(00000000), ref: 0028D8CA
            • TrackPopupMenuEx.USER32(00316890,00000000,?,00000000,00000000,00000000), ref: 0028D8DD
            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0028D8E9
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
            • String ID:
            • API String ID: 2751501086-0
            • Opcode ID: 0f2ef2d7c3ef523d8b3a571fb2b9a663667b86316d24a33bec36aa32d6f04561
            • Instruction ID: 9ef59abd1934033fc3f7a9520f8a9eba2750f2a6414674fe9830fc5219fc85ce
            • Opcode Fuzzy Hash: 0f2ef2d7c3ef523d8b3a571fb2b9a663667b86316d24a33bec36aa32d6f04561
            • Instruction Fuzzy Hash: 2C714934662206BEEB20AF14DC49FAAFF69FF05358F100216F925661D0C7B19C78DB94
            APIs
            • VariantInit.OLEAUT32(?), ref: 002C8BEC
            • CoInitialize.OLE32(00000000), ref: 002C8C19
            • CoUninitialize.OLE32 ref: 002C8C23
            • GetRunningObjectTable.OLE32(00000000,?), ref: 002C8D23
            • SetErrorMode.KERNEL32(00000001,00000029), ref: 002C8E50
            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,002E2C0C), ref: 002C8E84
            • CoGetObject.OLE32(?,00000000,002E2C0C,?), ref: 002C8EA7
            • SetErrorMode.KERNEL32(00000000), ref: 002C8EBA
            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 002C8F3A
            • VariantClear.OLEAUT32(?), ref: 002C8F4A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
            • String ID: ,,.
            • API String ID: 2395222682-737214711
            • Opcode ID: 19629521603088c3ae0ff31b346f27896a38450fa52ce0534014cec9b4853fa9
            • Instruction ID: 09ffbdab82ec37572f887b99dacbb52c2b0f0e611b046f90b79d7d5144d34ad0
            • Opcode Fuzzy Hash: 19629521603088c3ae0ff31b346f27896a38450fa52ce0534014cec9b4853fa9
            • Instruction Fuzzy Hash: 68C13371618305AFD700DF24C884E2AB7E9BF89348F008A2DF98A9B251DB71ED15CB52
            APIs
            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,002D0038,?,?), ref: 002D10BC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: BuffCharUpper
            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
            • API String ID: 3964851224-909552448
            • Opcode ID: a42108a6b18bdd85dd301230aa26e8c43d6b33add18eaeb308001df2e5f817f4
            • Instruction ID: 6e7662e2a9fd88abbe8b316e2d478210d4e91463b4477fef2b7ae516bc1bc092
            • Opcode Fuzzy Hash: a42108a6b18bdd85dd301230aa26e8c43d6b33add18eaeb308001df2e5f817f4
            • Instruction Fuzzy Hash: BF416A3016125AEBCF25EF90D8A5AEB3724EF19300F108456FC955B792DB71AD3ACB60
            APIs
              • Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66
              • Part of subcall function 00257A84: _memmove.LIBCMT ref: 00257B0D
            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002B55D2
            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002B55E8
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002B55F9
            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 002B560B
            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 002B561C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: SendString$_memmove
            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
            • API String ID: 2279737902-1007645807
            • Opcode ID: b03bf0602b98cdedc90bc2d8a72e29f49592cf379ba31b9e981c61cc7ddbaaea
            • Instruction ID: ad8b4aeb8d47ee673bc1f91f69f9eb8eeec8a9adf42660ff5d96306f26324110
            • Opcode Fuzzy Hash: b03bf0602b98cdedc90bc2d8a72e29f49592cf379ba31b9e981c61cc7ddbaaea
            • Instruction Fuzzy Hash: 721108209B166979D721F671EC5ADFFBB7CEF95B40F400459B801960C1DEB00D58C9A1
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
            • String ID: 0.0.0.0
            • API String ID: 208665112-3771769585
            • Opcode ID: eb8e31811009e333485c6430ad5195a4a8fdb049092695234a8e3c0af5e38537
            • Instruction ID: 2813da69e1212e0a4cd587610e670a4fa2d5e118a88e8717f27814b037f3a9d1
            • Opcode Fuzzy Hash: eb8e31811009e333485c6430ad5195a4a8fdb049092695234a8e3c0af5e38537
            • Instruction Fuzzy Hash: 3911D231924115ABDB24FB24AD4AEDB77AC9F01750F0481B6F40996092EFB09EA19A62
            APIs
            • timeGetTime.WINMM ref: 002B521C
              • Part of subcall function 00270719: timeGetTime.WINMM(?,75C0B400,00260FF9), ref: 0027071D
            • Sleep.KERNEL32(0000000A), ref: 002B5248
            • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 002B526C
            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 002B528E
            • SetActiveWindow.USER32 ref: 002B52AD
            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002B52BB
            • SendMessageW.USER32(00000010,00000000,00000000), ref: 002B52DA
            • Sleep.KERNEL32(000000FA), ref: 002B52E5
            • IsWindow.USER32 ref: 002B52F1
            • EndDialog.USER32(00000000), ref: 002B5302
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
            • String ID: BUTTON
            • API String ID: 1194449130-3405671355
            • Opcode ID: b497d08cf7ed30b8702c871f6fe9d3143b194f27cf7eb27bc71e456c04eea2c6
            • Instruction ID: d81dd3bfa7ac25ef83dc2a54d9ed38e47fe6ed22950ea2f1eeb7df78f8dde562
            • Opcode Fuzzy Hash: b497d08cf7ed30b8702c871f6fe9d3143b194f27cf7eb27bc71e456c04eea2c6
            • Instruction Fuzzy Hash: 53210470516705AFE7425F60FE8DBE53B6EEB093C6F088469F402852B1CBB19C248B65
            APIs
              • Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
              • Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C
            • CoInitialize.OLE32(00000000), ref: 002BD855
            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002BD8E8
            • SHGetDesktopFolder.SHELL32(?), ref: 002BD8FC
            • CoCreateInstance.OLE32(002E2D7C,00000000,00000001,0030A89C,?), ref: 002BD948
            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002BD9B7
            • CoTaskMemFree.OLE32(?,?), ref: 002BDA0F
            • _memset.LIBCMT ref: 002BDA4C
            • SHBrowseForFolderW.SHELL32(?), ref: 002BDA88
            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002BDAAB
            • CoTaskMemFree.OLE32(00000000), ref: 002BDAB2
            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 002BDAE9
            • CoUninitialize.OLE32(00000001,00000000), ref: 002BDAEB
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
            • String ID:
            • API String ID: 1246142700-0
            • Opcode ID: 76a232133cf040507dcaa8a2c641a8f9420e85faf2c12fa8f327ffeed5e85794
            • Instruction ID: d164649bee3a0b43e5995cab723d7021322a6b1c0cd68db058d83f2970c121c0
            • Opcode Fuzzy Hash: 76a232133cf040507dcaa8a2c641a8f9420e85faf2c12fa8f327ffeed5e85794
            • Instruction Fuzzy Hash: 55B11975A10109AFDB04DFA4C888EAEBBB9EF48305B148469E90AEB251DB30ED55CF54
            APIs
            • GetKeyboardState.USER32(?), ref: 002B05A7
            • SetKeyboardState.USER32(?), ref: 002B0612
            • GetAsyncKeyState.USER32(000000A0), ref: 002B0632
            • GetKeyState.USER32(000000A0), ref: 002B0649
            • GetAsyncKeyState.USER32(000000A1), ref: 002B0678
            • GetKeyState.USER32(000000A1), ref: 002B0689
            • GetAsyncKeyState.USER32(00000011), ref: 002B06B5
            • GetKeyState.USER32(00000011), ref: 002B06C3
            • GetAsyncKeyState.USER32(00000012), ref: 002B06EC
            • GetKeyState.USER32(00000012), ref: 002B06FA
            • GetAsyncKeyState.USER32(0000005B), ref: 002B0723
            • GetKeyState.USER32(0000005B), ref: 002B0731
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: State$Async$Keyboard
            • String ID:
            • API String ID: 541375521-0
            • Opcode ID: fc0a4a8eec429f9a03c5cb97456fa99d648e9ca7bad8c20e3d4c44cd01ef4c13
            • Instruction ID: 9ccb25d06aa19a034308cdc30d4bed959189d8675f85305dc7609bb7131be1b2
            • Opcode Fuzzy Hash: fc0a4a8eec429f9a03c5cb97456fa99d648e9ca7bad8c20e3d4c44cd01ef4c13
            • Instruction Fuzzy Hash: D2510A20A1478919FB36DFA084947EFFFB4AF013C0F48459AC5C2565C2DA64ABACCF65
            APIs
            • GetDlgItem.USER32(?,00000001), ref: 002AC746
            • GetWindowRect.USER32(00000000,?), ref: 002AC758
            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 002AC7B6
            • GetDlgItem.USER32(?,00000002), ref: 002AC7C1
            • GetWindowRect.USER32(00000000,?), ref: 002AC7D3
            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 002AC827
            • GetDlgItem.USER32(?,000003E9), ref: 002AC835
            • GetWindowRect.USER32(00000000,?), ref: 002AC846
            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 002AC889
            • GetDlgItem.USER32(?,000003EA), ref: 002AC897
            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 002AC8B4
            • InvalidateRect.USER32(?,00000000,00000001), ref: 002AC8C1
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Window$ItemMoveRect$Invalidate
            • String ID:
            • API String ID: 3096461208-0
            • Opcode ID: f899a1b9cd995a0f180a9a1eab12f9bad8dc4befda5d358e302ed5c71d4b608c
            • Instruction ID: 5711b7f6851562cc88b959f0d7bdb560873499f86bd68c1e61d51d1aff7ae833
            • Opcode Fuzzy Hash: f899a1b9cd995a0f180a9a1eab12f9bad8dc4befda5d358e302ed5c71d4b608c
            • Instruction Fuzzy Hash: CF513F71F10205AFDB18CF69DD89AAEBBBAFB89310F24812DF516D6690DB709D008B54
            APIs
              • Part of subcall function 00251B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00252036,?,00000000,?,?,?,?,002516CB,00000000,?), ref: 00251B9A
            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002520D3
            • KillTimer.USER32(-00000001,?,?,?,?,002516CB,00000000,?,?,00251AE2,?,?), ref: 0025216E
            • DestroyAcceleratorTable.USER32(00000000), ref: 0028BEF6
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002516CB,00000000,?,?,00251AE2,?,?), ref: 0028BF27
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002516CB,00000000,?,?,00251AE2,?,?), ref: 0028BF3E
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002516CB,00000000,?,?,00251AE2,?,?), ref: 0028BF5A
            • DeleteObject.GDI32(00000000), ref: 0028BF6C
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
            • String ID:
            • API String ID: 641708696-0
            • Opcode ID: eb57ce9a7d88cc8cb2a669337527c24c34b2004ce84840fc3f489dc48d3cfa94
            • Instruction ID: d6e1598f9604d78c2023fae2df7094822abb78304fba74bd795a3b6dd5cba9ec
            • Opcode Fuzzy Hash: eb57ce9a7d88cc8cb2a669337527c24c34b2004ce84840fc3f489dc48d3cfa94
            • Instruction Fuzzy Hash: D461BB34522601DFCB36AF14DD49B6AB7F1FB65312F10842DE942869E1C771ACA9CF88
            APIs
              • Part of subcall function 002525DB: GetWindowLongW.USER32(?,000000EB), ref: 002525EC
            • GetSysColor.USER32(0000000F), ref: 002521D3
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ColorLongWindow
            • String ID:
            • API String ID: 259745315-0
            • Opcode ID: d2d57e836c1171c08f8d5acb7c765a66618b273c38cc60eb71867effcb5263a2
            • Instruction ID: f72b04e7435c6cf2af571cdf03f01e559b310aca90ee96ebb7d770e597e91daa
            • Opcode Fuzzy Hash: d2d57e836c1171c08f8d5acb7c765a66618b273c38cc60eb71867effcb5263a2
            • Instruction Fuzzy Hash: E041D535411101DFDB255F28EC88BB93765EB07332F688266FD6ACA1E2C7318C5ADB25
            APIs
            • CharLowerBuffW.USER32(?,?,002DF910), ref: 002BAB76
            • GetDriveTypeW.KERNEL32(00000061,0030A620,00000061), ref: 002BAC40
            • _wcscpy.LIBCMT ref: 002BAC6A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: BuffCharDriveLowerType_wcscpy
            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
            • API String ID: 2820617543-1000479233
            • Opcode ID: a358ced1e74d562b56068a8cbd518ddeea0904a8a4d60a6c6413b583a421acf3
            • Instruction ID: 74590baa046a09ce68a2127fa0372567fa92e541ff3a15734fdfe97e48df4b73
            • Opcode Fuzzy Hash: a358ced1e74d562b56068a8cbd518ddeea0904a8a4d60a6c6413b583a421acf3
            • Instruction Fuzzy Hash: 72519D301283029BC720EF14D891AAFB7A5FF95345F14882AF896572E2DB31DD69CA53
            APIs
              • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
              • Part of subcall function 00252344: GetCursorPos.USER32(?), ref: 00252357
              • Part of subcall function 00252344: ScreenToClient.USER32(003167B0,?), ref: 00252374
              • Part of subcall function 00252344: GetAsyncKeyState.USER32(00000001), ref: 00252399
              • Part of subcall function 00252344: GetAsyncKeyState.USER32(00000002), ref: 002523A7
            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 002DC2E4
            • ImageList_EndDrag.COMCTL32 ref: 002DC2EA
            • ReleaseCapture.USER32 ref: 002DC2F0
            • SetWindowTextW.USER32(?,00000000), ref: 002DC39A
            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 002DC3AD
            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 002DC48F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
            • String ID: @GUI_DRAGFILE$@GUI_DROPID$pr1$pr1
            • API String ID: 1924731296-64955891
            • Opcode ID: bfa0a276300eec9ee71a32328f9bc7bc7dc7f0ff098d311e442b4a98fa254a7b
            • Instruction ID: 486fa7567af1564147d3237ff74519a35fea1cc3a3d81322e6416b878060972f
            • Opcode Fuzzy Hash: bfa0a276300eec9ee71a32328f9bc7bc7dc7f0ff098d311e442b4a98fa254a7b
            • Instruction Fuzzy Hash: 47519C30614305AFD705EF24C856FAA7BF5EB88311F10852EF9568B2E1CB709969CF52
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: __i64tow__itow__swprintf
            • String ID: %.15g$0x%p$False$True
            • API String ID: 421087845-2263619337
            • Opcode ID: e3334dc1e446631d81dab9f3d497ded05305e217a63731486264a186b4db1a94
            • Instruction ID: 6b0c98ed2799df193d612db7fc12e5100321e34cbc358c38515c36738192532c
            • Opcode Fuzzy Hash: e3334dc1e446631d81dab9f3d497ded05305e217a63731486264a186b4db1a94
            • Instruction Fuzzy Hash: 32412475634206EBDB24EF38D942E7A73E8EF05300F20446EE949C7281EA71A865CB12
            APIs
            • _memset.LIBCMT ref: 002D73D9
            • CreateMenu.USER32 ref: 002D73F4
            • SetMenu.USER32(?,00000000), ref: 002D7403
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002D7490
            • IsMenu.USER32(?), ref: 002D74A6
            • CreatePopupMenu.USER32 ref: 002D74B0
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002D74DD
            • DrawMenuBar.USER32 ref: 002D74E5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
            • String ID: 0$F
            • API String ID: 176399719-3044882817
            • Opcode ID: 6a36d6bf955e700c037e56f6061558d6c363d0694da9f3124abfb27e45f62ebe
            • Instruction ID: 950cda9c4f64cfc763c6e69996bffc5da26ec83473a7d735ae2e0861663d1f74
            • Opcode Fuzzy Hash: 6a36d6bf955e700c037e56f6061558d6c363d0694da9f3124abfb27e45f62ebe
            • Instruction Fuzzy Hash: FA416A74A15205EFDB21DF64E949A9ABBB9FF09300F14402AED0697390E734AD20CF50
            APIs
            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002D77CD
            • CreateCompatibleDC.GDI32(00000000), ref: 002D77D4
            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002D77E7
            • SelectObject.GDI32(00000000,00000000), ref: 002D77EF
            • GetPixel.GDI32(00000000,00000000,00000000), ref: 002D77FA
            • DeleteDC.GDI32(00000000), ref: 002D7803
            • GetWindowLongW.USER32(?,000000EC), ref: 002D780D
            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 002D7821
            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 002D782D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
            • String ID: static
            • API String ID: 2559357485-2160076837
            • Opcode ID: 49e6cb6f53e2b62107ccd7e0050258103d254faf11a6fad9ab872555a675c995
            • Instruction ID: 40ef01fde25285bac413508daac4f735368dc384fe11096970f58b772dd64e93
            • Opcode Fuzzy Hash: 49e6cb6f53e2b62107ccd7e0050258103d254faf11a6fad9ab872555a675c995
            • Instruction Fuzzy Hash: B931AF31515115ABDF125F64EC09FDA3B69FF09321F114226FA16E21A0D735DC21DBA8
            APIs
            • _memset.LIBCMT ref: 0027707B
              • Part of subcall function 00278D68: __getptd_noexit.LIBCMT ref: 00278D68
            • __gmtime64_s.LIBCMT ref: 00277114
            • __gmtime64_s.LIBCMT ref: 0027714A
            • __gmtime64_s.LIBCMT ref: 00277167
            • __allrem.LIBCMT ref: 002771BD
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002771D9
            • __allrem.LIBCMT ref: 002771F0
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0027720E
            • __allrem.LIBCMT ref: 00277225
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00277243
            • __invoke_watson.LIBCMT ref: 002772B4
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
            • String ID:
            • API String ID: 384356119-0
            • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
            • Instruction ID: 5c15b071a04684982c83ac902be43b2eb27d6e5eef7a3afa60eb4a519ac108af
            • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
            • Instruction Fuzzy Hash: E971C875A25717ABE714EE79CC41B5AB3A8AF10720F14823AF918D76C1E770DD608BD0
            APIs
            • _memset.LIBCMT ref: 002B2A31
            • GetMenuItemInfoW.USER32(00316890,000000FF,00000000,00000030), ref: 002B2A92
            • SetMenuItemInfoW.USER32(00316890,00000004,00000000,00000030), ref: 002B2AC8
            • Sleep.KERNEL32(000001F4), ref: 002B2ADA
            • GetMenuItemCount.USER32(?), ref: 002B2B1E
            • GetMenuItemID.USER32(?,00000000), ref: 002B2B3A
            • GetMenuItemID.USER32(?,-00000001), ref: 002B2B64
            • GetMenuItemID.USER32(?,?), ref: 002B2BA9
            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002B2BEF
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002B2C03
            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002B2C24
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
            • String ID:
            • API String ID: 4176008265-0
            • Opcode ID: 6a9f3b26cfeeb3316b842bc224c29a237c55d382806275137210fdceb473a8c7
            • Instruction ID: 13cda8f8e52ab77195554a9aa2eb16e8ba3dc613ed41bd4007a8f7a10e35bc12
            • Opcode Fuzzy Hash: 6a9f3b26cfeeb3316b842bc224c29a237c55d382806275137210fdceb473a8c7
            • Instruction Fuzzy Hash: AA61C27092034AEFDB11CF54DD88EFE7BB8EB05388F14455AE84293251DB31AD69DB21
            APIs
            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002D7214
            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002D7217
            • GetWindowLongW.USER32(?,000000F0), ref: 002D723B
            • _memset.LIBCMT ref: 002D724C
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002D725E
            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002D72D6
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessageSend$LongWindow_memset
            • String ID:
            • API String ID: 830647256-0
            APIs
            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 002A7135
            • SafeArrayAllocData.OLEAUT32(?), ref: 002A718E
            • VariantInit.OLEAUT32(?), ref: 002A71A0
            • SafeArrayAccessData.OLEAUT32(?,?), ref: 002A71C0
            • VariantCopy.OLEAUT32(?,?), ref: 002A7213
            • SafeArrayUnaccessData.OLEAUT32(?), ref: 002A7227
            • VariantClear.OLEAUT32(?), ref: 002A723C
            • SafeArrayDestroyData.OLEAUT32(?), ref: 002A7249
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002A7252
            • VariantClear.OLEAUT32(?), ref: 002A7264
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002A726F
            Similarity
            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
            • String ID:
            • API String ID: 2706829360-0
            APIs
              • Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
              • Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C
            • CoInitialize.OLE32 ref: 002C8718
            • CoUninitialize.OLE32 ref: 002C8723
            • CoCreateInstance.OLE32(?,00000000,00000017,002E2BEC,?), ref: 002C8783
            • IIDFromString.OLE32(?,?), ref: 002C87F6
            • VariantInit.OLEAUT32(?), ref: 002C8890
            • VariantClear.OLEAUT32(?), ref: 002C88F1
            Strings
            Similarity
            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
            • API String ID: 834269672-1287834457
            APIs
            • WSAStartup.WSOCK32(00000101,?), ref: 002C5AA6
            • inet_addr.WSOCK32(?,?,?), ref: 002C5AEB
            • gethostbyname.WSOCK32(?), ref: 002C5AF7
            • IcmpCreateFile.IPHLPAPI ref: 002C5B05
            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002C5B75
            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002C5B8B
            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 002C5C00
            • WSACleanup.WSOCK32 ref: 002C5C06
            Strings
            Similarity
            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
            • String ID: Ping
            • API String ID: 1028309954-2246546115
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 002BB73B
            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 002BB7B1
            • GetLastError.KERNEL32 ref: 002BB7BB
            • SetErrorMode.KERNEL32(00000000,READY), ref: 002BB828
            Strings
            Similarity
            • API ID: Error$Mode$DiskFreeLastSpace
            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
            • API String ID: 4194297153-14809454
            APIs
              • Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82
              • Part of subcall function 002AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002AB0E7
            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 002A94F6
            • GetDlgCtrlID.USER32 ref: 002A9501
            • GetParent.USER32 ref: 002A951D
            • SendMessageW.USER32(00000000,?,00000111,?), ref: 002A9520
            • GetDlgCtrlID.USER32(?), ref: 002A9529
            • GetParent.USER32(?), ref: 002A9545
            • SendMessageW.USER32(00000000,?,?,00000111), ref: 002A9548
            Strings
            Similarity
            • API ID: MessageSend$CtrlParent$ClassName_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 1536045017-1403004172
            APIs
              • Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82
              • Part of subcall function 002AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002AB0E7
            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 002A95DF
            • GetDlgCtrlID.USER32 ref: 002A95EA
            • GetParent.USER32 ref: 002A9606
            • SendMessageW.USER32(00000000,?,00000111,?), ref: 002A9609
            • GetDlgCtrlID.USER32(?), ref: 002A9612
            • GetParent.USER32(?), ref: 002A962E
            • SendMessageW.USER32(00000000,?,?,00000111), ref: 002A9631
            Strings
            Similarity
            • API ID: MessageSend$CtrlParent$ClassName_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 1536045017-1403004172
            APIs
            • GetParent.USER32 ref: 002A9651
            • GetClassNameW.USER32(00000000,?,00000100), ref: 002A9666
            • _wcscmp.LIBCMT ref: 002A9678
            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 002A96F3
            Strings
            Similarity
            • API ID: ClassMessageNameParentSend_wcscmp
            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
            • API String ID: 1704125052-3381328864
            APIs
            • __swprintf.LIBCMT ref: 002B419D
            • __swprintf.LIBCMT ref: 002B41AA
              • Part of subcall function 002738D8: __woutput_l.LIBCMT ref: 00273931
            • FindResourceW.KERNEL32(?,?,0000000E), ref: 002B41D4
            • LoadResource.KERNEL32(?,00000000), ref: 002B41E0
            • LockResource.KERNEL32(00000000), ref: 002B41ED
            • FindResourceW.KERNEL32(?,?,00000003), ref: 002B420D
            • LoadResource.KERNEL32(?,00000000), ref: 002B421F
            • SizeofResource.KERNEL32(?,00000000), ref: 002B422E
            • LockResource.KERNEL32(?), ref: 002B423A
            • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 002B429B
            Similarity
            • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
            • String ID:
            • API String ID: 1433390588-0
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 002B1700
            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,002B0778,?,00000001), ref: 002B1714
            • GetWindowThreadProcessId.USER32(00000000), ref: 002B171B
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002B0778,?,00000001), ref: 002B172A
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 002B173C
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002B0778,?,00000001), ref: 002B1755
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002B0778,?,00000001), ref: 002B1767
            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,002B0778,?,00000001), ref: 002B17AC
            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,002B0778,?,00000001), ref: 002B17C1
            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,002B0778,?,00000001), ref: 002B17CC
            Similarity
            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
            • String ID:
            • API String ID: 2156557900-0
            APIs
            Strings
            Similarity
            • API ID: Variant$ClearInit$_memset
            • String ID: ,,.$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
            • API String ID: 2862541840-1389923024
            APIs
            • EnumChildWindows.USER32(?,002AAA64), ref: 002AA9A2
            Strings
            Similarity
            • API ID: ChildEnumWindows
            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
            • API String ID: 3555792229-1603158881
            APIs
            • SetWindowLongW.USER32(?,000000EB), ref: 00252EAE
              • Part of subcall function 00251DB3: GetClientRect.USER32(?,?), ref: 00251DDC
              • Part of subcall function 00251DB3: GetWindowRect.USER32(?,?), ref: 00251E1D
              • Part of subcall function 00251DB3: ScreenToClient.USER32(?,?), ref: 00251E45
            • GetDC.USER32 ref: 0028CF82
            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0028CF95
            • SelectObject.GDI32(00000000,00000000), ref: 0028CFA3
            • SelectObject.GDI32(00000000,00000000), ref: 0028CFB8
            • ReleaseDC.USER32(?,00000000), ref: 0028CFC0
            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0028D04B
            Strings
            Similarity
            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
            • String ID: U
            • API String ID: 4009187628-3372436214
            APIs
            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,002DF910), ref: 002C903D
            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,002DF910), ref: 002C9071
            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 002C91EB
            • SysFreeString.OLEAUT32(?), ref: 002C9215
            Similarity
            • API ID: Free$FileLibraryModuleNamePathQueryStringType
            • String ID:
            • API String ID: 560350794-0
            APIs
            • _memset.LIBCMT ref: 002CF9C9
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002CFB5C
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002CFB80
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002CFBC0
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002CFBE2
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002CFD5E
            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 002CFD90
            • CloseHandle.KERNEL32(?), ref: 002CFDBF
            • CloseHandle.KERNEL32(?), ref: 002CFE36
            Similarity
            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
            • String ID:
            • API String ID: 4090791747-0
            APIs
              • Part of subcall function 002B48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002B38D3,?), ref: 002B48C7
              • Part of subcall function 002B48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002B38D3,?), ref: 002B48E0
              • Part of subcall function 002B4CD3: GetFileAttributesW.KERNEL32(?,002B3947), ref: 002B4CD4
            • lstrcmpiW.KERNEL32(?,?), ref: 002B4FE2
            • _wcscmp.LIBCMT ref: 002B4FFC
            • MoveFileW.KERNEL32(?,?), ref: 002B5017
            Similarity
            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
            • String ID:
            • API String ID: 793581249-0
            APIs
            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002D896E
            Similarity
            • API ID: InvalidateRect
            • String ID:
            • API String ID: 634782764-0
            • Opcode ID: f66a661372a15ae2f63350d0a7b22e77945fba00a0298d7e8ce2b8d8f6d46da8
            • Instruction ID: b44d03297507ef648bff2aca13d75c96fd6fcf32f2c697d0dfd30f36378404e9
            • Opcode Fuzzy Hash: f66a661372a15ae2f63350d0a7b22e77945fba00a0298d7e8ce2b8d8f6d46da8
            • Instruction Fuzzy Hash: 4D51A230620209BFEB209F28DC89BA97B65FF05310F604117F915E67E1DFB1ADA49B81
            APIs
            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0028C547
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0028C569
            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0028C581
            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0028C59F
            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0028C5C0
            • DestroyIcon.USER32(00000000), ref: 0028C5CF
            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0028C5EC
            • DestroyIcon.USER32(?), ref: 0028C5FB
              • Part of subcall function 002DA71E: DeleteObject.GDI32(00000000), ref: 002DA757
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
            • String ID:
            • API String ID: 2819616528-0
            • Opcode ID: 96f13bcdc073e3a6c7e9dfcb202590afbbd11dd89deff1f76ffaf6db37407b2f
            • Instruction ID: 435578f4e7cc295d4d88f08a1677e061021855964b8751353c8b18eb48ed2e9f
            • Opcode Fuzzy Hash: 96f13bcdc073e3a6c7e9dfcb202590afbbd11dd89deff1f76ffaf6db37407b2f
            • Instruction Fuzzy Hash: 89519C74A21205EFDB20DF24DC45FAA77B9EB49311F104529F902A72D0D770EDA4DB64
            APIs
            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,002A8A84,00000B00,?,?), ref: 002A8E0C
            • HeapAlloc.KERNEL32(00000000,?,002A8A84,00000B00,?,?), ref: 002A8E13
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002A8A84,00000B00,?,?), ref: 002A8E28
            • GetCurrentProcess.KERNEL32(?,00000000,?,002A8A84,00000B00,?,?), ref: 002A8E30
            • DuplicateHandle.KERNEL32(00000000,?,002A8A84,00000B00,?,?), ref: 002A8E33
            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,002A8A84,00000B00,?,?), ref: 002A8E43
            • GetCurrentProcess.KERNEL32(002A8A84,00000000,?,002A8A84,00000B00,?,?), ref: 002A8E4B
            • DuplicateHandle.KERNEL32(00000000,?,002A8A84,00000B00,?,?), ref: 002A8E4E
            • CreateThread.KERNEL32(00000000,00000000,002A8E74,00000000,00000000,00000000), ref: 002A8E68
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
            • String ID:
            • API String ID: 1957940570-0
            • Opcode ID: eeacc33af349bd5cb5123532800ba1ecb8a59bdce470b06e3250df380411573a
            • Instruction ID: efb55a5da28d01dbe68725038553452ce280791dbb61dbce2a7e8b3de9c8e7ba
            • Opcode Fuzzy Hash: eeacc33af349bd5cb5123532800ba1ecb8a59bdce470b06e3250df380411573a
            • Instruction Fuzzy Hash: 5901A8B5641348FFE650ABA5ED4DF6B3BACEB89711F004421FA09DB1A1CA70DC008A24
            APIs
              • Part of subcall function 002A7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?,?,?,002A799D), ref: 002A766F
              • Part of subcall function 002A7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?,?), ref: 002A768A
              • Part of subcall function 002A7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?,?), ref: 002A7698
              • Part of subcall function 002A7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?), ref: 002A76A8
            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 002C9B1B
            • _memset.LIBCMT ref: 002C9B28
            • _memset.LIBCMT ref: 002C9C6B
            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 002C9C97
            • CoTaskMemFree.OLE32(?), ref: 002C9CA2
            Strings
            • NULL Pointer assignment, xrefs: 002C9CF0
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
            • String ID: NULL Pointer assignment
            • API String ID: 1300414916-2785691316
            • Opcode ID: 71ee4bb43d4a01a0490b4304b4ef7c97e07a353fbd8e097f8682437afbdd8665
            • Instruction ID: 5b0dc707c65c9bbef5a70958ca74ff5dc295d15ff38272845c0c58d852c6d5b6
            • Opcode Fuzzy Hash: 71ee4bb43d4a01a0490b4304b4ef7c97e07a353fbd8e097f8682437afbdd8665
            • Instruction Fuzzy Hash: C3913971D10229EBDB10DFA4DC84EDEBBB9BF08710F20415AF51AA7281DB719A54CFA0
            APIs
            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002D7093
            • SendMessageW.USER32(?,00001036,00000000,?), ref: 002D70A7
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002D70C1
            • _wcscat.LIBCMT ref: 002D711C
            • SendMessageW.USER32(?,00001057,00000000,?), ref: 002D7133
            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 002D7161
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessageSend$Window_wcscat
            • String ID: SysListView32
            • API String ID: 307300125-78025650
            • Opcode ID: de923962f1407e3ed9589bfd57b60dbd6cb56b2bc100e3f8fcc609cece18a9e2
            • Instruction ID: 20397cfd25cd7e29150aa70b3b565737578b7155f034db513ccf45d33f2d255f
            • Opcode Fuzzy Hash: de923962f1407e3ed9589bfd57b60dbd6cb56b2bc100e3f8fcc609cece18a9e2
            • Instruction Fuzzy Hash: 8D41C270914309AFDB219FA4CC85BEE77A8EF08350F10452BF549E72D1E7759D948B50
            APIs
              • Part of subcall function 002B3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 002B3EB6
              • Part of subcall function 002B3E91: Process32FirstW.KERNEL32(00000000,?), ref: 002B3EC4
              • Part of subcall function 002B3E91: CloseHandle.KERNEL32(00000000), ref: 002B3F8E
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 002CECB8
            • GetLastError.KERNEL32 ref: 002CECCB
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 002CECFA
            • TerminateProcess.KERNEL32(00000000,00000000), ref: 002CED77
            • GetLastError.KERNEL32(00000000), ref: 002CED82
            • CloseHandle.KERNEL32(00000000), ref: 002CEDB7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
            • String ID: SeDebugPrivilege
            • API String ID: 2533919879-2896544425
            • Opcode ID: 646f6682d20b3fd97b80300af0d9140bcf9c9713a48d1485c85630312f4dd4ad
            • Instruction ID: a411ee201f9a2eb3002d2b28cc63b35c984b27076e154cf4500eb31150a6f5ed
            • Opcode Fuzzy Hash: 646f6682d20b3fd97b80300af0d9140bcf9c9713a48d1485c85630312f4dd4ad
            • Instruction Fuzzy Hash: C341BB302202019FCB14EF24C899F6EB7A4AF40710F19805DF8439B2C2CBB5A964CF96
            APIs
            • LoadIconW.USER32(00000000,00007F03), ref: 002B32C5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: IconLoad
            • String ID: blank$info$question$stop$warning
            • API String ID: 2457776203-404129466
            • Opcode ID: f7b9e57fcebd06fc2a1e20b65e6ce11cac874430537255718bf61974a5dd551f
            • Instruction ID: e03672de4c35841d8d34c1ffbf7ea2d8ca4b8ed26b53594c22ee7f4e74fe1011
            • Opcode Fuzzy Hash: f7b9e57fcebd06fc2a1e20b65e6ce11cac874430537255718bf61974a5dd551f
            • Instruction Fuzzy Hash: CB115732269357BAEB01DE54EC52DEAB3DCDF193B0F20402AFD04A61C1E6B15F200AA5
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 002B454E
            • LoadStringW.USER32(00000000), ref: 002B4555
            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 002B456B
            • LoadStringW.USER32(00000000), ref: 002B4572
            • _wprintf.LIBCMT ref: 002B4598
            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 002B45B6
            Strings
            • %s (%d) : ==> %s: %s %s, xrefs: 002B4593
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: HandleLoadModuleString$Message_wprintf
            • String ID: %s (%d) : ==> %s: %s %s
            • API String ID: 3648134473-3128320259
            • Opcode ID: 576575313dfd6d084e284daca6103795ca6833b94850eef3b9cdbb629a661677
            • Instruction ID: d5dfa3fb7a3dfcd179d53213f33077782e178917b9b51310ae32ea10a969032e
            • Opcode Fuzzy Hash: 576575313dfd6d084e284daca6103795ca6833b94850eef3b9cdbb629a661677
            • Instruction Fuzzy Hash: C901A7F2801208BFE751EB94DE8DEE7736CD708300F4044A6B70AD2051E6709E848B74
            APIs
              • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
            • GetSystemMetrics.USER32(0000000F), ref: 002DD78A
            • GetSystemMetrics.USER32(0000000F), ref: 002DD7AA
            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 002DD9E5
            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002DDA03
            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002DDA24
            • ShowWindow.USER32(00000003,00000000), ref: 002DDA43
            • InvalidateRect.USER32(?,00000000,00000001), ref: 002DDA68
            • DefDlgProcW.USER32(?,00000005,?,?), ref: 002DDA8B
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
            • String ID:
            • API String ID: 1211466189-0
            • Opcode ID: 7d3ba6b71bf9312653ceb6d8e237f1a9f99516a1493e647a2ea50f4de62b6994
            • Instruction ID: 9dddf7881452be3a75ce2cd4df0c601511ba3383bdbba489f5011b476087f81d
            • Opcode Fuzzy Hash: 7d3ba6b71bf9312653ceb6d8e237f1a9f99516a1493e647a2ea50f4de62b6994
            • Instruction Fuzzy Hash: 36B18871A00626EFDF14CF68C9997ED7BB1BF08711F08C06AEC499A295D731AD60CB90
            APIs
            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0028C417,00000004,00000000,00000000,00000000), ref: 00252ACF
            • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0028C417,00000004,00000000,00000000,00000000,000000FF), ref: 00252B17
            • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0028C417,00000004,00000000,00000000,00000000), ref: 0028C46A
            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0028C417,00000004,00000000,00000000,00000000), ref: 0028C4D6
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ShowWindow
            • String ID:
            • API String ID: 1268545403-0
            • Opcode ID: fd6413fd42e1ae8799be7b0f7fc92db5cce55cb80fca1e605a5e4dab3d2b26d1
            • Instruction ID: 96bf6737a7d9e5be8a6931f614b3c8426423660b046dc0b0d41ddad90af3f5d0
            • Opcode Fuzzy Hash: fd6413fd42e1ae8799be7b0f7fc92db5cce55cb80fca1e605a5e4dab3d2b26d1
            • Instruction Fuzzy Hash: E2414B34634281DAD7359F289D9C77A7B95AB47306F24C41EE887425E0C77198ADC728
            APIs
            • InterlockedExchange.KERNEL32(?,000001F5), ref: 002B737F
              • Part of subcall function 00270FF6: std::exception::exception.LIBCMT ref: 0027102C
              • Part of subcall function 00270FF6: __CxxThrowException@8.LIBCMT ref: 00271041
            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 002B73B6
            • EnterCriticalSection.KERNEL32(?), ref: 002B73D2
            • _memmove.LIBCMT ref: 002B7420
            • _memmove.LIBCMT ref: 002B743D
            • LeaveCriticalSection.KERNEL32(?), ref: 002B744C
            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 002B7461
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 002B7480
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
            • String ID:
            • API String ID: 256516436-0
            • Opcode ID: acfa41ec92095e41c850b9ce4a690259f17ad11abef9a963c89b6e491170fc82
            • Instruction ID: 2395ef58438fa9cfb29e973e99fde635f9012d1f77f98a0e9b4b871ccdd4621e
            • Opcode Fuzzy Hash: acfa41ec92095e41c850b9ce4a690259f17ad11abef9a963c89b6e491170fc82
            • Instruction Fuzzy Hash: E8317031914205EBCF10DF68DD89AAE7BB8EF45710B1481A6FD04AB246DB309E64CBA4
            APIs
            • DeleteObject.GDI32(00000000), ref: 002D645A
            • GetDC.USER32(00000000), ref: 002D6462
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002D646D
            • ReleaseDC.USER32(00000000,00000000), ref: 002D6479
            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002D64B5
            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002D64C6
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002D9299,?,?,000000FF,00000000,?,000000FF,?), ref: 002D6500
            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002D6520
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
            • String ID:
            • API String ID: 3864802216-0
            • Opcode ID: 40ce32acbbd9d975535e2ba4c24b740548e0aaac2e61f9412ebce25f7f0c9d42
            • Instruction ID: 315633ebffc1f92f80d4ede870c9676ee0373cb3846ba69301fd42071cb235b0
            • Opcode Fuzzy Hash: 40ce32acbbd9d975535e2ba4c24b740548e0aaac2e61f9412ebce25f7f0c9d42
            • Instruction Fuzzy Hash: 71319F72601210BFEB118F50ED4AFEA3FADEF0A761F044066FE099A295C6759C51CBA4
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: 369d7758186d3598846d7969f6846cc8c4ccb822eaa9353e4e04dafd659a1b41
            • Instruction ID: e869bdfac74a911832646fa1883c0b20c51b572765356d39fd7fc110cef7fd8a
            • Opcode Fuzzy Hash: 369d7758186d3598846d7969f6846cc8c4ccb822eaa9353e4e04dafd659a1b41
            • Instruction Fuzzy Hash: F821D771771206FBD614AD258C42FBB239DAF23394B644021FE0E96282EF61ED3589A5
            APIs
              • Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
              • Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C
              • Part of subcall function 0026FEC6: _wcscpy.LIBCMT ref: 0026FEE9
            • _wcstok.LIBCMT ref: 002BEEFF
            • _wcscpy.LIBCMT ref: 002BEF8E
            • _memset.LIBCMT ref: 002BEFC1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
            • String ID: X
            • API String ID: 774024439-3081909835
            • Opcode ID: 4609c4e4b98d1fdb476701004b266842cfee62874d6b86ef106f3bf7b1223126
            • Instruction ID: 1642c36c475bcb99b691c6adbeed709b71df79b4511ac36f4a62967f5dadad43
            • Opcode Fuzzy Hash: 4609c4e4b98d1fdb476701004b266842cfee62874d6b86ef106f3bf7b1223126
            • Instruction Fuzzy Hash: E3C1A131528301DFC754EF24D981AAAB7E4BF84350F04492DF899972A2DB30EC69CF86
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 70985f45726e4715720a1e33baa1dfee8a2c1751c987e9e7a210737105a2e3a4
            • Instruction ID: 5240708308168f39fbdc7903785d10ef1b70133bf18d4a93f80d5f678639144c
            • Opcode Fuzzy Hash: 70985f45726e4715720a1e33baa1dfee8a2c1751c987e9e7a210737105a2e3a4
            • Instruction Fuzzy Hash: 4A717C34920109EFCB059F98CC49ABEBB79FF85311F148149F915AA291C730AA25CFA8
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ab2844ea16ae51c172c3ea483a9fb37035db53d7be860aef390c09f121906c85
            • Instruction ID: 137545d7dcf0d326e0b959c51c91682083dc0b55a0729d61724610c2751faa72
            • Opcode Fuzzy Hash: ab2844ea16ae51c172c3ea483a9fb37035db53d7be860aef390c09f121906c85
            • Instruction Fuzzy Hash: 6B61CD31528300ABD710EF24CC86F6FB3E9AF84714F104A1DF94697292DB70AD28CB96
            APIs
            • IsWindow.USER32(01016978), ref: 002DB6A5
            • IsWindowEnabled.USER32(01016978), ref: 002DB6B1
            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 002DB795
            • SendMessageW.USER32(01016978,000000B0,?,?), ref: 002DB7CC
            • IsDlgButtonChecked.USER32(?,?), ref: 002DB809
            • GetWindowLongW.USER32(01016978,000000EC), ref: 002DB82B
            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002DB843
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
            • String ID:
            • API String ID: 4072528602-0
            • Opcode ID: 3818b1b868f5b78e5b12f793979e2d26f5150ea5ef5a9860c984d9da9bab4473
            • Instruction ID: 16cf35970032ab308975bd4cadc078e6de34686dd5badecf279b80a3f7aaf4f3
            • Opcode Fuzzy Hash: 3818b1b868f5b78e5b12f793979e2d26f5150ea5ef5a9860c984d9da9bab4473
            • Instruction Fuzzy Hash: 7771B335A10205EFEB269F64C8A5FAAB7B9FF49300F16405AE956973A1C731EC60CF50
            APIs
            • _memset.LIBCMT ref: 002CF75C
            • _memset.LIBCMT ref: 002CF825
            • ShellExecuteExW.SHELL32(?), ref: 002CF86A
              • Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
              • Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C
              • Part of subcall function 0026FEC6: _wcscpy.LIBCMT ref: 0026FEE9
            • GetProcessId.KERNEL32(00000000), ref: 002CF8E1
            • CloseHandle.KERNEL32(00000000), ref: 002CF910
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
            • String ID: @
            • API String ID: 3522835683-2766056989
            • Opcode ID: 4a9fa55c32a9a37c7b583be0670f78f560f0fe6fc355c15717a67d02da05fb1e
            • Instruction ID: d4da1fb3ccb8194145e51ea17d4831b8f6ea9fd3cade579fa2943c4d035491a6
            • Opcode Fuzzy Hash: 4a9fa55c32a9a37c7b583be0670f78f560f0fe6fc355c15717a67d02da05fb1e
            • Instruction Fuzzy Hash: E2618C75A20619DFCF14DF54C980AAEBBB5FF48310B14856DE84AAB351CB30AD64CF94
            APIs
            • GetParent.USER32(?), ref: 002B149C
            • GetKeyboardState.USER32(?), ref: 002B14B1
            • SetKeyboardState.USER32(?), ref: 002B1512
            • PostMessageW.USER32(?,00000101,00000010,?), ref: 002B1540
            • PostMessageW.USER32(?,00000101,00000011,?), ref: 002B155F
            • PostMessageW.USER32(?,00000101,00000012,?), ref: 002B15A5
            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 002B15C8
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: 48c96f72bf52eb1bfc8a2808205f2a2f2c56b18db50809c74c8d20931ced30b6
            • Instruction ID: 3aabeb5156f40aed353231c8928d6fc8950b18fed12d1a071e0a643df9a64af3
            • Opcode Fuzzy Hash: 48c96f72bf52eb1bfc8a2808205f2a2f2c56b18db50809c74c8d20931ced30b6
            • Instruction Fuzzy Hash: 065104A0A243D63DFB364A348C65BFABFA95B46384F8C4489E1D6468C2C3D4ECB4D750
            APIs
            • GetParent.USER32(00000000), ref: 002B12B5
            • GetKeyboardState.USER32(?), ref: 002B12CA
            • SetKeyboardState.USER32(?), ref: 002B132B
            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 002B1357
            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 002B1374
            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002B13B8
            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002B13D9
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: cfe1965dc2349d6df31d6297a5e4a3734bf394ca8e01d12cb2d2e393273e7857
            • Instruction ID: 9faf3d09a2ab050a4c4d18a9ddcfae81f9fa4595e4b5299f976aa3cfc43f7ef8
            • Opcode Fuzzy Hash: cfe1965dc2349d6df31d6297a5e4a3734bf394ca8e01d12cb2d2e393273e7857
            • Instruction Fuzzy Hash: 755107A09246D63DFB324B248C65BFABFE95F06380F4884C9E1D5468C2E795ECB4D750
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _wcsncpy$LocalTime
            • String ID:
            • API String ID: 2945705084-0
            • Opcode ID: 10854718d11eae27fc2e8a0e63f44e7fb1c073ddca10505cbff7c71cbb4ecb50
            • Instruction ID: 8a67c1ba2692740b9c7cfe1a754ad1e4b16f8eaf743bca6b39f119c6944195d0
            • Opcode Fuzzy Hash: 10854718d11eae27fc2e8a0e63f44e7fb1c073ddca10505cbff7c71cbb4ecb50
            • Instruction Fuzzy Hash: 19414365C31528B6CB11FBB4888AACFB7AC9F05310F50C956F918E3122E734E765CBA5
            APIs
            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002ADAC5
            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002ADAFB
            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002ADB0C
            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002ADB8E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ErrorMode$AddressCreateInstanceProc
            • String ID: ,,.$DllGetClassObject
            • API String ID: 753597075-1173203973
            • Opcode ID: 56c41b0511ea225c1575c0733d7569da24d01221bbcdeae50a090ffeb18fe56d
            • Instruction ID: 36fba968a482084780136bcffdfafb83d6dff7815710482693c8c3508f4dc089
            • Opcode Fuzzy Hash: 56c41b0511ea225c1575c0733d7569da24d01221bbcdeae50a090ffeb18fe56d
            • Instruction Fuzzy Hash: D541C2B1611209EFDB05CF14C884B9ABBB9EF45714F1584AAED0A9F205DBB0DE50CBA0
            APIs
              • Part of subcall function 002B48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002B38D3,?), ref: 002B48C7
              • Part of subcall function 002B48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002B38D3,?), ref: 002B48E0
            • lstrcmpiW.KERNEL32(?,?), ref: 002B38F3
            • _wcscmp.LIBCMT ref: 002B390F
            • MoveFileW.KERNEL32(?,?), ref: 002B3927
            • _wcscat.LIBCMT ref: 002B396F
            • SHFileOperationW.SHELL32(?), ref: 002B39DB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
            • String ID: \*.*
            • API String ID: 1377345388-1173974218
            • Opcode ID: 47086f6a8e7c4655ad4cf65765fba36cef88d37c841ae03d1c83b633e3d047ff
            • Instruction ID: 10f46a3ec90b9a1a6d5450205d8e5858f2334bdc2338d315142a8e57ced0d0ef
            • Opcode Fuzzy Hash: 47086f6a8e7c4655ad4cf65765fba36cef88d37c841ae03d1c83b633e3d047ff
            • Instruction Fuzzy Hash: 5A41B1724193859EC751EF64D485AEFB7ECAF88380F00482EF48AC3151EA74D69CCB52
            APIs
            • _memset.LIBCMT ref: 002D7519
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002D75C0
            • IsMenu.USER32(?), ref: 002D75D8
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002D7620
            • DrawMenuBar.USER32 ref: 002D7633
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Menu$Item$DrawInfoInsert_memset
            • String ID: 0
            • API String ID: 3866635326-4108050209
            • Opcode ID: 2b26fea46e641f21aef621bef7a95fc618ef76edb94efcaa8e75a970e8d61333
            • Instruction ID: 9a67f9a4708d501d8b74ea48873195fab4bc346ad7dd295dc554f5fb292d5536
            • Opcode Fuzzy Hash: 2b26fea46e641f21aef621bef7a95fc618ef76edb94efcaa8e75a970e8d61333
            • Instruction Fuzzy Hash: 5A413875A15609EFDB10DF54E884E9ABBF8FB08310F44812AE96597390E735ED60CF90
            APIs
            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 002D125C
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002D1286
            • FreeLibrary.KERNEL32(00000000), ref: 002D133D
              • Part of subcall function 002D122D: RegCloseKey.ADVAPI32(?), ref: 002D12A3
              • Part of subcall function 002D122D: FreeLibrary.KERNEL32(?), ref: 002D12F5
              • Part of subcall function 002D122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 002D1318
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 002D12E0
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: EnumFreeLibrary$CloseDeleteOpen
            • String ID:
            • API String ID: 395352322-0
            • Opcode ID: 9d0940f007455697683dedf3133adf23347930df38099a39e2da3a71b8a74bb8
            • Instruction ID: 00799c89d05b146387213038cdd2e6c4d8ac0a5113d05f3c2b1c4c690d4fc42f
            • Opcode Fuzzy Hash: 9d0940f007455697683dedf3133adf23347930df38099a39e2da3a71b8a74bb8
            • Instruction Fuzzy Hash: 05314D71D11119BFDB549F90EC89EFEB7BCEF08300F0041AAE902E2641DB749E659AA4
            APIs
            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002D655B
            • GetWindowLongW.USER32(01016978,000000F0), ref: 002D658E
            • GetWindowLongW.USER32(01016978,000000F0), ref: 002D65C3
            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002D65F5
            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002D661F
            • GetWindowLongW.USER32(00000000,000000F0), ref: 002D6630
            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002D664A
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: LongWindow$MessageSend
            • String ID:
            • API String ID: 2178440468-0
            • Opcode ID: fc35ce94569b9a7c76b366a448b82fccd28cff92da06fc923de8792db224012d
            • Instruction ID: c457e11a6337c56c4e31f4d56f85a50a29eb6d2dec27f739abf5c2c5ad34e607
            • Opcode Fuzzy Hash: fc35ce94569b9a7c76b366a448b82fccd28cff92da06fc923de8792db224012d
            • Instruction Fuzzy Hash: 9C310330615151AFDB21CF58EC89F5537E9FB4A310F5841AAF5128B3B5CB62ECA0DB81
            APIs
              • Part of subcall function 002C80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002C80CB
            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002C64D9
            • WSAGetLastError.WSOCK32(00000000), ref: 002C64E8
            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 002C6521
            • connect.WSOCK32(00000000,?,00000010), ref: 002C652A
            • WSAGetLastError.WSOCK32 ref: 002C6534
            • closesocket.WSOCK32(00000000), ref: 002C655D
            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 002C6576
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
            • String ID:
            • API String ID: 910771015-0
            • Opcode ID: a7cd3c5c75bb85c01fe2de06180526007a4c831078e6740abc0f751feab70c02
            • Instruction ID: 4d6a4ae671626e1b33e734dcb617559b85496a190b3f52de0d4692968f8455ad
            • Opcode Fuzzy Hash: a7cd3c5c75bb85c01fe2de06180526007a4c831078e6740abc0f751feab70c02
            • Instruction Fuzzy Hash: 7C31A131620118AFDB209F24DC89FBE7BA9EB44751F14812EFD0AD7291CB70AD54CB65
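The function entries in this section all share one line shape for their imports: a bullet, API.MODULE(args), and a ref: address, with "?" standing for arguments the IDA plugin could not recover statically and "Part of subcall function" marking calls made by a callee rather than the function itself. The script below is an added example for reading this report, not Joe Sandbox's own code. It parses that line shape, decodes a few constants that recur in the entries above (WM_KEYDOWN/WM_KEYUP with VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN in the PostMessageW helpers; AF_INET/SOCK_STREAM/IPPROTO_TCP and FIONBIO in the socket helper) and tags each function with the behaviour its direct calls imply. The sample input is two entries copied from this section; the tag names, the constant tables and the module lists are the example's own choices and not part of the report.

```python
# Added example for reading the function entries in this report; it is not
# Joe Sandbox code. Tag names and constant tables are this example's choices.
import re

# One "APIs" bullet. "Part of subcall function XXXXXXXX:" lines describe a
# callee (captured as 'callee'); some calls carry no argument list at all.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

WINDOW_MESSAGES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0111: "WM_COMMAND"}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
SOCKET_IOCTLS = {0x8004667E: "FIONBIO"}  # toggles non-blocking mode on a socket

# Sample input: two entries copied from this report (TCP connect helper, modifier-key helper).
SOCKET_ENTRY = """\
  • Part of subcall function 002C80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002C80CB
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002C64D9
• WSAGetLastError.WSOCK32(00000000), ref: 002C64E8
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 002C6521
• connect.WSOCK32(00000000,?,00000010), ref: 002C652A
• WSAGetLastError.WSOCK32 ref: 002C6534
• closesocket.WSOCK32(00000000), ref: 002C655D
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 002C6576
"""
KEYSTROKE_ENTRY = """\
• GetParent.USER32(00000000), ref: 002B12B5
• GetKeyboardState.USER32(?), ref: 002B12CA
• SetKeyboardState.USER32(?), ref: 002B132B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 002B1357
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 002B1374
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002B13B8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002B13D9
"""

def _parse_arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None                      # value the plugin could not recover
    if re.fullmatch(r"-?[0-9A-F]{8}", tok):
        return int(tok, 16)              # also handles the odd '-00000001'
    return tok                           # string literal such as 'combase.dll'

def parse_entry(text):
    """Return one dict (api, module, args, ref, callee) per API bullet."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue                     # headers, hashes, dump sources
        raw = m.group("args")
        calls.append({
            "api": m.group("api"), "module": m.group("module"),
            "args": [_parse_arg(a) for a in raw.split(",")] if raw else [],
            "ref": m.group("ref"), "callee": m.group("callee"),
        })
    return calls

def classify(calls, include_subcalls=False):
    """Tag a function by what its direct API calls imply."""
    tags = set()
    for c in calls:
        if c["callee"] and not include_subcalls:
            continue
        api, mod, args = c["api"], c["module"], c["args"]
        if mod in ("WSOCK32", "WS2_32", "WININET", "WINHTTP"):
            tags.add("network")
        if api in ("SetKeyboardState", "keybd_event", "SendInput") or (
                api in ("PostMessageW", "SendMessageW") and len(args) > 1
                and args[1] in (0x0100, 0x0101)):
            tags.add("input-injection")
        if mod == "ADVAPI32" and api.startswith("Reg"):
            tags.add("registry")
        if api in ("ShellExecuteExW", "ShellExecuteW", "CreateProcessW"):
            tags.add("process-launch")
    return tags

def describe(call):
    """Render one call with its recognisable constants decoded."""
    api, args, notes = call["api"], call["args"], []
    if api in ("PostMessageW", "SendMessageW") and len(args) > 2:
        notes += [WINDOW_MESSAGES.get(args[1]),
                  VIRTUAL_KEYS.get(args[2]) if args[1] in (0x0100, 0x0101) else None]
    elif api == "ioctlsocket" and len(args) > 1:
        notes.append(SOCKET_IOCTLS.get(args[1]))
    elif api == "socket" and args[:3] == [2, 1, 6]:
        notes.append("AF_INET/SOCK_STREAM/IPPROTO_TCP")
    notes = [n for n in notes if n]
    return f"{api}.{call['module']} @ {call['ref']}" + (f"  ; {' '.join(notes)}" if notes else "")

if __name__ == "__main__":
    for name, entry in (("tcp-connect", SOCKET_ENTRY), ("send-keys", KEYSTROKE_ENTRY)):
        calls = parse_entry(entry)
        print(f"{name}: {sorted(classify(calls))}")
        for c in calls:
            print("   " + describe(c))
```

Run against a saved copy of the report, this gives a per-function tag list so the network, input-injection and registry routines can be opened first. Bear in mind that in a compiled AutoIt binary these helpers belong to the bundled interpreter, so their presence shows capability, not that the embedded script actually calls them.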
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002AE0FA
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002AE120
            • SysAllocString.OLEAUT32(00000000), ref: 002AE123
            • SysAllocString.OLEAUT32 ref: 002AE144
            • SysFreeString.OLEAUT32 ref: 002AE14D
            • StringFromGUID2.OLE32(?,?,00000028), ref: 002AE167
            • SysAllocString.OLEAUT32(?), ref: 002AE175
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            • Opcode ID: a670060d3a566bd9aeddf3ac3f5470310d3e7f8ac428b7b3cceaeee6d7ffcd66
            • Instruction ID: db80818a0fa59f7a16cbf38ad3f76c1ed8abc8783e768013e440a26cc91ef7a7
            • Opcode Fuzzy Hash: a670060d3a566bd9aeddf3ac3f5470310d3e7f8ac428b7b3cceaeee6d7ffcd66
            • Instruction Fuzzy Hash: 6321B831611119AFDF50AFA8DC89CAB77ECEB0A760B018135F919CB260DE70DC528B64
            APIs
              • Part of subcall function 00251D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00251D73
              • Part of subcall function 00251D35: GetStockObject.GDI32(00000011), ref: 00251D87
              • Part of subcall function 00251D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00251D91
            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002D78A1
            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002D78AE
            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002D78B9
            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002D78C8
            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002D78D4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessageSend$CreateObjectStockWindow
            • String ID: Msctls_Progress32
            • API String ID: 1025951953-3636473452
            • Opcode ID: 999d1f0a7ea84694e06c9a3924780fe28bfb81f65c6482df19d964b07e7f5c19
            • Instruction ID: 3cc00b4234cbb3a66041b31a2d357771da5c0be80797d4629a857b83eb611c65
            • Opcode Fuzzy Hash: 999d1f0a7ea84694e06c9a3924780fe28bfb81f65c6482df19d964b07e7f5c19
            • Instruction Fuzzy Hash: 5611C4B252021ABFEF159F60CC85EE77F6DEF08798F014115FA04A2190DB729C21EBA4
            APIs
            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00274292,?), ref: 002741E3
            • GetProcAddress.KERNEL32(00000000), ref: 002741EA
            • EncodePointer.KERNEL32(00000000), ref: 002741F6
            • DecodePointer.KERNEL32(00000001,00274292,?), ref: 00274213
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
            • String ID: RoInitialize$combase.dll
            • API String ID: 3489934621-340411864
            • Opcode ID: 1464a5235dacabfacfbd6682bdb707e30c0daa13b3fe6094c88b2642cfb7129f
            • Instruction ID: 78725638dcacff2a52d5cc1d3ef0e6f73a1350facca5d52cfec4e041e72cb46d
            • Opcode Fuzzy Hash: 1464a5235dacabfacfbd6682bdb707e30c0daa13b3fe6094c88b2642cfb7129f
            • Instruction Fuzzy Hash: 36E092B09A1341BEDB512F71FC0CB443698B716702F40C434B916D50A0D7B044A58F04
            APIs
            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,002741B8), ref: 002742B8
            • GetProcAddress.KERNEL32(00000000), ref: 002742BF
            • EncodePointer.KERNEL32(00000000), ref: 002742CA
            • DecodePointer.KERNEL32(002741B8), ref: 002742E5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
            • String ID: RoUninitialize$combase.dll
            • API String ID: 3489934621-2819208100
            • Opcode ID: 7a2f65ab8b7f7c71f5841f2d4277c362e0242a46c54cf1ca40b9b098bd955c43
            • Instruction ID: 4220917fca544df38bcb316994ca504ccbf66b13e0c92ee2353822bf47c9ac09
            • Opcode Fuzzy Hash: 7a2f65ab8b7f7c71f5841f2d4277c362e0242a46c54cf1ca40b9b098bd955c43
            • Instruction Fuzzy Hash: 85E0BF78992341FBEB929F61FD0DB443BA8B718742F548076F516E10A0CBB44974CA18
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _memmove$__itow__swprintf
            • String ID:
            • API String ID: 3253778849-0
            • Opcode ID: e327b8897fd19e936d1eee5e2f0421ae7c7c5f06ec1c6915e15c0605240b16d7
            • Instruction ID: ac3910ec5da70d1e7e313f96641d64990e2c4d661bc474c99cdcbd1e3d073a43
            • Opcode Fuzzy Hash: e327b8897fd19e936d1eee5e2f0421ae7c7c5f06ec1c6915e15c0605240b16d7
            • Instruction Fuzzy Hash: A761AC3052065A9FDF11EF24CC86EFE77A4AF04348F088559FC5A5B292DB38A969CF50
            APIs
              • Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82
              • Part of subcall function 002D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002D0038,?,?), ref: 002D10BC
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D0548
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002D0588
            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 002D05AB
            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002D05D4
            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 002D0617
            • RegCloseKey.ADVAPI32(00000000), ref: 002D0624
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
            • String ID:
            • API String ID: 4046560759-0
            • Opcode ID: 0be282eeeff8fd4a6ceec394110738936859e56ea2c0a7fbf207d8170d72a5a9
            • Instruction ID: dacbe72984dff2aedb86fad38f45c267108b6aa508a088cb434aa1cf60f9214a
            • Opcode Fuzzy Hash: 0be282eeeff8fd4a6ceec394110738936859e56ea2c0a7fbf207d8170d72a5a9
            • Instruction Fuzzy Hash: 19514931528201AFC714EF24D885E6EBBE8FF89314F04891EF945872A1DB71E928CF56
            APIs
            • GetMenu.USER32(?), ref: 002D5A82
            • GetMenuItemCount.USER32(00000000), ref: 002D5AB9
            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002D5AE1
            • GetMenuItemID.USER32(?,?), ref: 002D5B50
            • GetSubMenu.USER32(?,?), ref: 002D5B5E
            • PostMessageW.USER32(?,00000111,?,00000000), ref: 002D5BAF
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Menu$Item$CountMessagePostString
            • String ID:
            • API String ID: 650687236-0
            • Opcode ID: 6ce2b6ca222807f1080a40d931b938caa5fbf823e432a50fae181d0117c7567f
            • Instruction ID: 208a228119e016d0880c281792baaf53624bfb76ff3106a3b34b886a44d6da12
            • Opcode Fuzzy Hash: 6ce2b6ca222807f1080a40d931b938caa5fbf823e432a50fae181d0117c7567f
            • Instruction Fuzzy Hash: 7A518E35A10625EFCF11DF64C945AAEB7B4EF48310F14446AEC16BB351CBB0AE518F94
            APIs
            • VariantInit.OLEAUT32(?), ref: 002AF3F7
            • VariantClear.OLEAUT32(00000013), ref: 002AF469
            • VariantClear.OLEAUT32(00000000), ref: 002AF4C4
            • _memmove.LIBCMT ref: 002AF4EE
            • VariantClear.OLEAUT32(?), ref: 002AF53B
            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 002AF569
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Variant$Clear$ChangeInitType_memmove
            • String ID:
            • API String ID: 1101466143-0
            • Opcode ID: 958cdec2e699725e1a7ee6fa497630b852685fbb0aae523ad53ddb5dc015e46a
            • Instruction ID: b3da43fd9a1d8d5490e8e782d76cb17832270075613aa820db6255b479e951a2
            • Opcode Fuzzy Hash: 958cdec2e699725e1a7ee6fa497630b852685fbb0aae523ad53ddb5dc015e46a
            • Instruction Fuzzy Hash: 175169B5A10209EFDB10CF58D884AAAB7B8FF4D354B15856AEE59DB300D734E911CFA0
            APIs
            • _memset.LIBCMT ref: 002B2747
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002B2792
            • IsMenu.USER32(00000000), ref: 002B27B2
            • CreatePopupMenu.USER32 ref: 002B27E6
            • GetMenuItemCount.USER32(000000FF), ref: 002B2844
            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 002B2875
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
            • String ID:
            • API String ID: 3311875123-0
            • Opcode ID: 7cdad829114c939fd546a5d82074906a604b38671ed9626284c4fb097706dbc2
            • Instruction ID: d60bcd9341ad31f08423887b91e6b029d0bdb8ae5109f7b557153d91e82dace0
            • Opcode Fuzzy Hash: 7cdad829114c939fd546a5d82074906a604b38671ed9626284c4fb097706dbc2
            • Instruction Fuzzy Hash: 7051C370920306DFDF25CF68D888BEEBBF5AF44394F144229E4159B290D7709928CB61
            APIs
              • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
            • BeginPaint.USER32(?,?,?,?,?,?), ref: 0025179A
            • GetWindowRect.USER32(?,?), ref: 002517FE
            • ScreenToClient.USER32(?,?), ref: 0025181B
            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0025182C
            • EndPaint.USER32(?,?), ref: 00251876
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: PaintWindow$BeginClientLongRectScreenViewport
            • String ID:
            • API String ID: 1827037458-0
            • Opcode ID: 01ebd133abad88a03f523feb217e31ef4a396766b1b3047bca7eb10ee1b5febc
            • Instruction ID: daa15f567833400512cdcef3b83eeed8bd12081a1bed36c8b9ffb0da7d234b12
            • Opcode Fuzzy Hash: 01ebd133abad88a03f523feb217e31ef4a396766b1b3047bca7eb10ee1b5febc
            • Instruction Fuzzy Hash: 9241E030511301AFD721EF64CC89FB67BE8EB49325F044629F9A5872A1C7309C69CB65
            APIs
            • ShowWindow.USER32(003167B0,00000000,01016978,?,?,003167B0,?,002DB862,?,?), ref: 002DB9CC
            • EnableWindow.USER32(00000000,00000000), ref: 002DB9F0
            • ShowWindow.USER32(003167B0,00000000,01016978,?,?,003167B0,?,002DB862,?,?), ref: 002DBA50
            • ShowWindow.USER32(00000000,00000004,?,002DB862,?,?), ref: 002DBA62
            • EnableWindow.USER32(00000000,00000001), ref: 002DBA86
            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 002DBAA9
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Window$Show$Enable$MessageSend
            • String ID:
            • API String ID: 642888154-0
            • Opcode ID: 8d19ec214c2f86cb1ea7771e899cc73b63d40e0bc253ed2d65c69af6e6f556ea
            • Instruction ID: 275e607117cb4e2ddfb282511cbc7a3d3e9c47e9c112128ffb88da396d125d69
            • Opcode Fuzzy Hash: 8d19ec214c2f86cb1ea7771e899cc73b63d40e0bc253ed2d65c69af6e6f556ea
            • Instruction Fuzzy Hash: C6415134601242EFDB22CF14D5A9BD57BE0BB09310F1A41ABEA598F7A2C731AC55CF90
            APIs
            • GetForegroundWindow.USER32(?,?,?,?,?,?,002C5134,?,?,00000000,00000001), ref: 002C73BF
              • Part of subcall function 002C3C94: GetWindowRect.USER32(?,?), ref: 002C3CA7
            • GetDesktopWindow.USER32 ref: 002C73E9
            • GetWindowRect.USER32(00000000), ref: 002C73F0
            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 002C7422
              • Part of subcall function 002B54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B555E
            • GetCursorPos.USER32(?), ref: 002C744E
            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002C74AC
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
            • String ID:
            • API String ID: 4137160315-0
            • Opcode ID: b27f6ba941c27fbe93b54ecd011b8dc24cfb04b267c16952e58c2705a6dd504a
            • Instruction ID: 7c4e9915335228110870f5df7189bf1ecb54dbe9aa2934d5f3fc1125c159e753
            • Opcode Fuzzy Hash: b27f6ba941c27fbe93b54ecd011b8dc24cfb04b267c16952e58c2705a6dd504a
            • Instruction Fuzzy Hash: B331F672509306ABD724DF14E849F9BBBE9FF88314F00091EF48997191C630EE14CB92
            APIs
              • Part of subcall function 002A85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002A8608
              • Part of subcall function 002A85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002A8612
              • Part of subcall function 002A85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002A8621
              • Part of subcall function 002A85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002A8628
              • Part of subcall function 002A85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002A863E
            • GetLengthSid.ADVAPI32(?,00000000,002A8977), ref: 002A8DAC
            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 002A8DB8
            • HeapAlloc.KERNEL32(00000000), ref: 002A8DBF
            • CopySid.ADVAPI32(00000000,00000000,?), ref: 002A8DD8
            • GetProcessHeap.KERNEL32(00000000,00000000,002A8977), ref: 002A8DEC
            • HeapFree.KERNEL32(00000000), ref: 002A8DF3
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
            • String ID:
            • API String ID: 3008561057-0
            • Opcode ID: a2a975367c6d97fc5c11d27cc92d8184bf37c85cfd2b48e3d9ca7e5de5a95f9e
            • Instruction ID: 0c07bbc7bdf6950c19e166de006b0dc2c645aac7dfb9921dd8cc7abd4ff23072
            • Opcode Fuzzy Hash: a2a975367c6d97fc5c11d27cc92d8184bf37c85cfd2b48e3d9ca7e5de5a95f9e
            • Instruction Fuzzy Hash: BF11E132921A06FFDB508F64DD08BAE7B69FF42316F10406AE84693250CF319D10CB60
            APIs
            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002A8B2A
            • OpenProcessToken.ADVAPI32(00000000), ref: 002A8B31
            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 002A8B40
            • CloseHandle.KERNEL32(00000004), ref: 002A8B4B
            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002A8B7A
            • DestroyEnvironmentBlock.USERENV(00000000), ref: 002A8B8E
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
            • String ID:
            • API String ID: 1413079979-0
            • Opcode ID: 480d3f20842d93a19eb900bbe48e8ebc86c02ef720ad4b8d889015d922733727
            • Instruction ID: 77a6a4634b0d03459608ede7e13c408f15e3a737d938cff2d89a0c82740ba8bc
            • Opcode Fuzzy Hash: 480d3f20842d93a19eb900bbe48e8ebc86c02ef720ad4b8d889015d922733727
            • Instruction Fuzzy Hash: 5D112CB250124AABDF018FA4ED49FEA7BA9EF09308F044465FE05A2160CB759D64DB60
            APIs
              • Part of subcall function 002512F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0025134D
              • Part of subcall function 002512F3: SelectObject.GDI32(?,00000000), ref: 0025135C
              • Part of subcall function 002512F3: BeginPath.GDI32(?), ref: 00251373
              • Part of subcall function 002512F3: SelectObject.GDI32(?,00000000), ref: 0025139C
            • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 002DC1C4
            • LineTo.GDI32(00000000,00000003,?), ref: 002DC1D8
            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 002DC1E6
            • LineTo.GDI32(00000000,00000000,?), ref: 002DC1F6
            • EndPath.GDI32(00000000), ref: 002DC206
            • StrokePath.GDI32(00000000), ref: 002DC216
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
            • String ID:
            • API String ID: 43455801-0
            • Opcode ID: 9cb1a2d462c6b87ee537506dbf02211364f6914e697be9941a9d026d5006cd44
            • Instruction ID: ba82f4a770ccca84566b2ad8a0f2d5114591cd48ccce4e69efe3b934a8ec7bf9
            • Opcode Fuzzy Hash: 9cb1a2d462c6b87ee537506dbf02211364f6914e697be9941a9d026d5006cd44
            • Instruction Fuzzy Hash: CF110C7640010DBFDF129F90EC48EDA7FADEB08355F148022BD1956161C7719E55DBA0
            APIs
            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 002703D3
            • MapVirtualKeyW.USER32(00000010,00000000), ref: 002703DB
            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 002703E6
            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 002703F1
            • MapVirtualKeyW.USER32(00000011,00000000), ref: 002703F9
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00270401
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Virtual
            • String ID:
            • API String ID: 4278518827-0
            • Opcode ID: 6b4f097703683ffe54cbce7cee516c31c78cee4b11d62b66a3019bb501dbc2d6
            • Instruction ID: 5ad20d3ca3b6f2223a3b3cb509e65e079b15f9a2dbdd5fe6d463a9155618187d
            • Opcode Fuzzy Hash: 6b4f097703683ffe54cbce7cee516c31c78cee4b11d62b66a3019bb501dbc2d6
            • Instruction Fuzzy Hash: 8B0148B09027597DE3008F5A8C85A52FFA8FF19354F00411BA15847941C7B5A864CBE5
            APIs
            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002B569B
            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002B56B1
            • GetWindowThreadProcessId.USER32(?,?), ref: 002B56C0
            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002B56CF
            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002B56D9
            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002B56E0
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
            • String ID:
            • API String ID: 839392675-0
            • Opcode ID: caae28fcb469c5966c1376310fc3995ef8162698c8232ee2801e1b2f1c142648
            • Instruction ID: dd8b62f481cac392259b3d6ac93ea61aca1fcf5686a35ec44b91f77b22251f86
            • Opcode Fuzzy Hash: caae28fcb469c5966c1376310fc3995ef8162698c8232ee2801e1b2f1c142648
            • Instruction Fuzzy Hash: D9F09631542158BBD3605B52ED0DEEF7B7CEFC6B11F00016AF905D1050D7A05E0186F9
            APIs
            • InterlockedExchange.KERNEL32(?,?), ref: 002B74E5
            • EnterCriticalSection.KERNEL32(?,?,00261044,?,?), ref: 002B74F6
            • TerminateThread.KERNEL32(00000000,000001F6,?,00261044,?,?), ref: 002B7503
            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00261044,?,?), ref: 002B7510
              • Part of subcall function 002B6ED7: CloseHandle.KERNEL32(00000000,?,002B751D,?,00261044,?,?), ref: 002B6EE1
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 002B7523
            • LeaveCriticalSection.KERNEL32(?,?,00261044,?,?), ref: 002B752A
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
            • String ID:
            • API String ID: 3495660284-0
            • Opcode ID: fc76a081231791a7e6621c7979c91d4c43c26832b68be11c1f8ab8a9562f58c3
            • Instruction ID: 158865ce9a80e7d56380c36b4d6042bd96ffc7106fe0ee23c248f2e7171a2922
            • Opcode Fuzzy Hash: fc76a081231791a7e6621c7979c91d4c43c26832b68be11c1f8ab8a9562f58c3
            • Instruction Fuzzy Hash: D5F05E3A942612EBDB512B64FE8CAEB772AEF45302B410532FA43A10B0CB755D11CB64
            APIs
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 002A8E7F
            • UnloadUserProfile.USERENV(?,?), ref: 002A8E8B
            • CloseHandle.KERNEL32(?), ref: 002A8E94
            • CloseHandle.KERNEL32(?), ref: 002A8E9C
            • GetProcessHeap.KERNEL32(00000000,?), ref: 002A8EA5
            • HeapFree.KERNEL32(00000000), ref: 002A8EAC
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
            • String ID:
            • API String ID: 146765662-0
            • Opcode ID: d835e135be6aad7ff31c84b58415485df6a29cd5dad537c2360b155505ee9006
            • Instruction ID: 2c5f7004c80368be5aaae94cdaa003d7457b9ff3ad298adda50b190ed230e6b5
            • Opcode Fuzzy Hash: d835e135be6aad7ff31c84b58415485df6a29cd5dad537c2360b155505ee9006
            • Instruction Fuzzy Hash: 64E0C236505001FBDA812FE5FE0C94ABB69FB89322B108232F21A81170CB329820DB58
            APIs
            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,002E2C7C,?), ref: 002A7C32
            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,002E2C7C,?), ref: 002A7C4A
            • CLSIDFromProgID.OLE32(?,?,00000000,002DFB80,000000FF,?,00000000,00000800,00000000,?,002E2C7C,?), ref: 002A7C6F
            • _memcmp.LIBCMT ref: 002A7C90
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: FromProg$FreeTask_memcmp
            • String ID: ,,.
            • API String ID: 314563124-737214711
            • Opcode ID: e6329e12a62699ecf5a4f484ed930a5c3ba4b35ee1f2c8ed2b949204983b2e1b
            • Instruction ID: ea129f003ef386e1aac3d502d8f1e831653e748326dd5e6c06e2f1330ee5df9a
            • Opcode Fuzzy Hash: e6329e12a62699ecf5a4f484ed930a5c3ba4b35ee1f2c8ed2b949204983b2e1b
            • Instruction Fuzzy Hash: 93810B71A1010AEFCB04DF94C984EEEB7BAFF89315F204599E506EB250DB71AE05CB64
            APIs
            • VariantInit.OLEAUT32(?), ref: 002C8928
            • CharUpperBuffW.USER32(?,?), ref: 002C8A37
            • VariantClear.OLEAUT32(?), ref: 002C8BAF
              • Part of subcall function 002B7804: VariantInit.OLEAUT32(00000000), ref: 002B7844
              • Part of subcall function 002B7804: VariantCopy.OLEAUT32(00000000,?), ref: 002B784D
              • Part of subcall function 002B7804: VariantClear.OLEAUT32(00000000), ref: 002B7859
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Variant$ClearInit$BuffCharCopyUpper
            • String ID: AUTOIT.ERROR$Incorrect Parameter format
            • API String ID: 4237274167-1221869570
            • Opcode ID: acc97dc28eb7d6342811f13acedaa9e656691aed4065e5c5fc2139a71fb87bb8
            • Instruction ID: 44893924ad05f2d77e250bb03254e8b69a085154e89101104403e1918cb538b3
            • Opcode Fuzzy Hash: acc97dc28eb7d6342811f13acedaa9e656691aed4065e5c5fc2139a71fb87bb8
            • Instruction Fuzzy Hash: 33916B75628301DFC710DF24C484E5ABBE4AF89314F148A6EF89A8B361DB31ED59CB52
            APIs
              • Part of subcall function 0026FEC6: _wcscpy.LIBCMT ref: 0026FEE9
            • _memset.LIBCMT ref: 002B3077
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002B30A6
            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002B3159
            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 002B3187
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ItemMenu$Info$Default_memset_wcscpy
            • String ID: 0
            • API String ID: 4152858687-4108050209
            • Opcode ID: d1f4d0b9cfb9f3fda94f5742a8f0d9e052fa2e7a32bb0de3e6aec72b77b56832
            • Instruction ID: d811821b312db76b8c4ee93f6f97e54ee1633df768c695cbcd13df2b2b83c3bb
            • Opcode Fuzzy Hash: d1f4d0b9cfb9f3fda94f5742a8f0d9e052fa2e7a32bb0de3e6aec72b77b56832
            • Instruction Fuzzy Hash: D051C0316393029AD715EF2CD845AEBB7E8EF453A0F044A2DF899D3191DB70CE648B52
            APIs
            • _memset.LIBCMT ref: 002B2CAF
            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 002B2CCB
            • DeleteMenu.USER32(?,00000007,00000000), ref: 002B2D11
            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00316890,00000000), ref: 002B2D5A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Menu$Delete$InfoItem_memset
            • String ID: 0
            • API String ID: 1173514356-4108050209
            • Opcode ID: 0b7540681e32c89e1ddb60029de120dc1b975394365f38502369b4fb4c59c3d8
            • Instruction ID: 46898d2e58b2c0dca28ceabbd9db4c791af04db7035f8ca458dddd297142f793
            • Instruction Fuzzy Hash: 48419F30215302DFD724DF24D845B9ABBE8BF85360F14461EF9669B291D770E918CBA2
            APIs
            • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 002CDAD9
              • Part of subcall function 002579AB: _memmove.LIBCMT ref: 002579F9
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            Similarity
            • API ID: BuffCharLower_memmove
            • String ID: cdecl$none$stdcall$winapi
            • API String ID: 3425801089-567219261
            • Opcode ID: cb4f41a3bd86dd6369af7a56b7aabc26b3adbf17b7a85892727aa9920ad187a9
            • Instruction ID: fddc7bc4df342f5c586e7e26165c11b80c4262990fe882f61d7dc9499aed0e45
            • Instruction Fuzzy Hash: 0931737052061A9BCF10EF54CC919AEB3B4FF05314B108629E866976D1DB71AD19CF90
            APIs
              • Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82
              • Part of subcall function 002AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002AB0E7
            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002A93F6
            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 002A9409
            • SendMessageW.USER32(?,00000189,?,00000000), ref: 002A9439
              • Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            Similarity
            • API ID: MessageSend$_memmove$ClassName
            • String ID: ComboBox$ListBox
            • API String ID: 365058703-1403004172
            • Opcode ID: 2f3720750341ac7e9871793ae31b8159825c829dfe47216f22c1a985340a0c19
            • Instruction ID: f8687998a40aad3410ff258d02546d48ab9e47419bcf1cb4b10fb7ca37dba745
            • Instruction Fuzzy Hash: 54210471961104ABDB14AB71DC858FFB77CDF06310B10812AF926972E1DF344D6A8A10
            APIs
            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002C1B40
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002C1B66
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002C1B96
            • InternetCloseHandle.WININET(00000000), ref: 002C1BDD
              • Part of subcall function 002C2777: GetLastError.KERNEL32(?,?,002C1B0B,00000000,00000000,00000001), ref: 002C278C
              • Part of subcall function 002C2777: SetEvent.KERNEL32(?,?,002C1B0B,00000000,00000000,00000001), ref: 002C27A1
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            Similarity
            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
            • String ID:
            • API String ID: 3113390036-3916222277
            • Opcode ID: ba7f6fbc647173b46f0ec7428dabe40593359b5d3bc6b72f0c9fb46bf31d8f19
            • Instruction ID: 01484b1b0e975a8c1b8f7361289499a244cf0935aacff2236fceb20290f6d4ea
            • Instruction Fuzzy Hash: ED21C2B1520208BFEB119F209CC6FBFB7ECEB4A748F10422EF405A2241EB709D255B61
            APIs
              • Part of subcall function 00251D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00251D73
              • Part of subcall function 00251D35: GetStockObject.GDI32(00000011), ref: 00251D87
              • Part of subcall function 00251D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00251D91
            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002D66D0
            • LoadLibraryW.KERNEL32(?), ref: 002D66D7
            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002D66EC
            • DestroyWindow.USER32(?), ref: 002D66F4
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            Similarity
            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
            • String ID: SysAnimate32
            • API String ID: 4146253029-1011021900
            • Opcode ID: f6a744f89a7dd8b7b1973f377ab4d4a23ac086aacad6589c6201ce429424d041
            • Instruction ID: 0b6d2250336255244af4da6164eea97a3deb823b2023e9c891132041754ba409
            • Instruction Fuzzy Hash: 1B21C37112020ABFEF104F64EC88EBB77ADEF59368F10462AF911922D0D775CC619BA0
            APIs
            • GetStdHandle.KERNEL32(0000000C), ref: 002B705E
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002B7091
            • GetStdHandle.KERNEL32(0000000C), ref: 002B70A3
            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 002B70DD
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            Similarity
            • API ID: CreateHandle$FilePipe
            • String ID: nul
            • API String ID: 4209266947-2873401336
            • Opcode ID: a32541537fe262c375c5ee3730ac1b9522a30bb2340919c353c44c0fb6bd1c2e
            • Instruction ID: efedb0959a2cfc71acdc3fc512e28a8ce40ef313e9de5e23e6d77be6eab7ede5
            • Instruction Fuzzy Hash: 642135755143069BDB20AF39DC09ADA77B4BF94760F204A1AFDA1D72D0D7709D60CB50
            APIs
            • GetStdHandle.KERNEL32(000000F6), ref: 002B712B
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002B715D
            • GetStdHandle.KERNEL32(000000F6), ref: 002B716E
            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 002B71A8
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            Similarity
            • API ID: CreateHandle$FilePipe
            • String ID: nul
            • API String ID: 4209266947-2873401336
            • Opcode ID: 8ed8772386aa6caff730afcb963616615eca53501a245e13fa7a7eee6156432a
            • Instruction ID: a23671b292834c689dae4c1ea5c3b6dd92aba9789daa394b0ea8ccaffd747ac8
            • Instruction Fuzzy Hash: 8621D375524306ABDF209F2C9C08AEAB7E8AF953A0F204619FDB5D32D0D7709861CB70
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 002BAEBF
            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 002BAF13
            • __swprintf.LIBCMT ref: 002BAF2C
            • SetErrorMode.KERNEL32(00000000,00000001,00000000,002DF910), ref: 002BAF6A
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            Similarity
            • API ID: ErrorMode$InformationVolume__swprintf
            • String ID: %lu
            • API String ID: 3164766367-685833217
            • Opcode ID: d0857077b4f28f86b84454e38dc28f13f793aeeb893a9a4a95180ff7fcddc7d2
            • Instruction ID: 3ae9f65c289e30953d7d71c89a86e4fd674af23cf059eae5bd74d0aba52b2682
            • Instruction Fuzzy Hash: 3A216034A10209AFCB10EF64D985EEE7BB8EF49704B044069F909AB251DB31EE55CF21
            APIs
              • Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66
              • Part of subcall function 002AA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 002AA399
              • Part of subcall function 002AA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 002AA3AC
              • Part of subcall function 002AA37C: GetCurrentThreadId.KERNEL32 ref: 002AA3B3
              • Part of subcall function 002AA37C: AttachThreadInput.USER32(00000000), ref: 002AA3BA
            • GetFocus.USER32 ref: 002AA554
              • Part of subcall function 002AA3C5: GetParent.USER32(?), ref: 002AA3D3
            • GetClassNameW.USER32(?,?,00000100), ref: 002AA59D
            • EnumChildWindows.USER32(?,002AA615), ref: 002AA5C5
            • __swprintf.LIBCMT ref: 002AA5DF
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            Similarity
            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
            • String ID: %s%d
            • API String ID: 1941087503-1110647743
            • Opcode ID: 41dbec26464dd087f40c06fb005771d9a84adf83ee0357e8ac015c6dbed5dbb7
            • Instruction ID: 8071595fa2fca6d7cf4716a8585ee0229fc428b25fed0166cad54d584150dcd2
            • Instruction Fuzzy Hash: C1118E71650209ABDF11AF60EC86FEA377C9F4A701F0480B6B909AA152CF709965CF75
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 002B2048
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            Similarity
            • API ID: BuffCharUpper
            • String ID: APPEND$EXISTS$KEYS$REMOVE
            • API String ID: 3964851224-769500911
            • Opcode ID: 9b1673f9efa338648527c2d9f1b9b13f32b230468024a3edcf370947d5949e57
            • Instruction ID: 8df06958379327396d097a236da0b7afe860c49ea5347ce1f180cd7f0e114ef4
            • Instruction Fuzzy Hash: DB11613492020ADFCF14EFA4D9914EEB7B4FF29304B108869D85567291DB325D2ECF50
            APIs
            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002CEF1B
            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 002CEF4B
            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 002CF07E
            • CloseHandle.KERNEL32(?), ref: 002CF0FF
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            Similarity
            • API ID: Process$CloseCountersHandleInfoMemoryOpen
            • String ID:
            • API String ID: 2364364464-0
            • Opcode ID: de20e99b6c26062e1d8b5cf69b9d42c49e2f8535c383cae7eef676b9613ebf4d
            • Instruction ID: 100f11a1c1a778833d7e4bfa4f15ddc17ec56d868356c82cb046b44b7b822244
            • Instruction Fuzzy Hash: BB8183716203019FD720DF28C846F2AB7E5AF48B10F14891DF99ADB292DBB0EC548F95
            APIs
              • Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82
              • Part of subcall function 002D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002D0038,?,?), ref: 002D10BC
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D0388
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002D03C7
            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 002D040E
            • RegCloseKey.ADVAPI32(?,?), ref: 002D043A
            • RegCloseKey.ADVAPI32(00000000), ref: 002D0447
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            Similarity
            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
            • String ID:
            • API String ID: 3440857362-0
            • Opcode ID: e133fb1f932d88ddc67c8b5bc96b857b4b6e8fd4e2defc6b149490de6450bec0
            • Instruction ID: 88553ef8172630f427d43e05b7ab6ac8f3a64b8bb87de96c7705989fe88ad6b8
            • Instruction Fuzzy Hash: FC515E31528205AFD704EF64D885F6EB7E8FF88304F04855EB596872A1DB70ED18CB56
            APIs
            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002BE88A
            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 002BE8B3
            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 002BE8F2
              • Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
              • Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C
            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 002BE917
            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 002BE91F
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            Similarity
            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
            • String ID:
            • API String ID: 1389676194-0
            • Opcode ID: ebf0ca7cd3b02efdb1ab5cdf57634c75075e54e591f62d32ebda02ba963dcd20
            • Instruction ID: 9536e61db0eafba840604a3d6f954d93771ddecaa6eb15102ae7de53dcfba750
            • Instruction Fuzzy Hash: 18512B35A10209DFCF01EF64C9859ADBBF5EF08311B188099E80AAB361CB31ED65CF54
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a2ae905b4326b198bf9e0b1f210807fc099156cb957078a245cfbdfcb97077a0
            • Instruction ID: f8f087d20005cc4668f10f6d1edeb048549d1c70dbec7119d1b4aa12ddc52fb3
            • Instruction Fuzzy Hash: 5C412835D21105AFC750DF28DC49FE9BBAAEB09310F1441A7F816A73E0C7B0AD61CA51
            APIs
            • GetCursorPos.USER32(?), ref: 00252357
            • ScreenToClient.USER32(003167B0,?), ref: 00252374
            • GetAsyncKeyState.USER32(00000001), ref: 00252399
            • GetAsyncKeyState.USER32(00000002), ref: 002523A7
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            Similarity
            • API ID: AsyncState$ClientCursorScreen
            • String ID:
            • API String ID: 4210589936-0
            • Opcode ID: 24321a22f828499be9a53b4e6689cb068978859191c19db6f80e5ba33a0839bc
            • Instruction ID: 4c5210062f8d87cb0a45679f6f21fc1393b5bd1e84f4e6d2595cddf95bc74cc5
            • Instruction Fuzzy Hash: 2A41A335524116FBCF159F64C848AE9BB74FB05321F204396FC29922D0C7705D68DFA5
            APIs
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002A695D
            • TranslateAcceleratorW.USER32(?,?,?), ref: 002A69A9
            • TranslateMessage.USER32(?), ref: 002A69D2
            • DispatchMessageW.USER32(?), ref: 002A69DC
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002A69EB
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            Similarity
            • API ID: Message$PeekTranslate$AcceleratorDispatch
            • String ID:
            • API String ID: 2108273632-0
            • Opcode ID: 8fcd35a4758aa26d984a5846e3615e0f9fe77478cce0bcc1daf66f60a5a45889
            • Instruction ID: f681994d62f1d8b1d0838d63466cd5e1b6f0b9bac9b5ef3106aaedb3a706dc86
            • Instruction Fuzzy Hash: 9331E471920247ABDB61CFB49C4DBF77BACAB07300F188569E422C24A1DB70D8A5DB90
            APIs
            • GetWindowRect.USER32(?,?), ref: 002A8F12
            • PostMessageW.USER32(?,00000201,00000001), ref: 002A8FBC
            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 002A8FC4
            • PostMessageW.USER32(?,00000202,00000000), ref: 002A8FD2
            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 002A8FDA
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            Similarity
            • API ID: MessagePostSleep$RectWindow
            • String ID:
            • API String ID: 3382505437-0
            • Opcode ID: 6f8273668e2ee784724f00081c2b08a600d05848076e40f8feea816af1ad1864
            • Instruction ID: ddf4ebb76fcd184ae1467e5bff046f73b4a2511f6a3719037088dbcc727455bf
            • Instruction Fuzzy Hash: AD31BF7190021AEFDB14CF68D94CA9E7BB6FB05315F104229F925E61D0CBB09D24DB91
            APIs
            • IsWindowVisible.USER32(?), ref: 002AB6C7
            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 002AB6E4
            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 002AB71C
            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 002AB742
            • _wcsstr.LIBCMT ref: 002AB74C
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            Similarity
            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
            • String ID:
            • API String ID: 3902887630-0
            • Opcode ID: b92ae03744fb35dadcf7c77609e6877e12a2df573ffa33b893c86f66e9070604
            • Instruction ID: 8d87d937d656d93ff44750698a265e859c073407d1d9856eaf76b58191b85d89
            • Opcode Fuzzy Hash: b92ae03744fb35dadcf7c77609e6877e12a2df573ffa33b893c86f66e9070604
            • Instruction Fuzzy Hash: 6921DA32615205BBEB165F399D49E7BBB9CDF46710F00806AFD09CA1A2EFB1DC60D690
            APIs
              • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
            • GetWindowLongW.USER32(?,000000F0), ref: 002DB44C
            • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 002DB471
            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 002DB489
            • GetSystemMetrics.USER32(00000004), ref: 002DB4B2
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,002C1184,00000000), ref: 002DB4D0
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Window$Long$MetricsSystem
            • String ID:
            • API String ID: 2294984445-0
            • Opcode ID: b0753836fa42e3b97ef27503cf34d2cc2359ecb495cc29b067058425b04c7b3f
            • Instruction ID: 55d00a8a49ab1a6668ebcaa7532a24eea33a0946de71a01602f66fa4f40a0648
            • Opcode Fuzzy Hash: b0753836fa42e3b97ef27503cf34d2cc2359ecb495cc29b067058425b04c7b3f
            • Instruction Fuzzy Hash: 9C217671920256EFCB11DF789C28A693764FB05721F15873AF926D62E1D7309C20DB90
            APIs
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002A9802
              • Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66
            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002A9834
            • __itow.LIBCMT ref: 002A984C
            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002A9874
            • __itow.LIBCMT ref: 002A9885
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessageSend$__itow$_memmove
            • String ID:
            • API String ID: 2983881199-0
            • Opcode ID: c0deee9af5e5b25cb11bad741915f6b0fd69d018a7494c52ea0fe2961fbef0a1
            • Instruction ID: 9dff926410ca63baf0086a46c771ad4a43ca6fd2ff412804c8a5c583fb992738
            • Opcode Fuzzy Hash: c0deee9af5e5b25cb11bad741915f6b0fd69d018a7494c52ea0fe2961fbef0a1
            • Instruction Fuzzy Hash: 7C210A31B11208AFDB109E669C8AEEE7BACDF4B710F044025FE05DB281DA74CDA59BD1
            APIs
            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0025134D
            • SelectObject.GDI32(?,00000000), ref: 0025135C
            • BeginPath.GDI32(?), ref: 00251373
            • SelectObject.GDI32(?,00000000), ref: 0025139C
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ObjectSelect$BeginCreatePath
            • String ID:
            • API String ID: 3225163088-0
            • Opcode ID: 1ab61ac706e9fab05a8c12f04276ffab93bf4e860edd1f48c17353b3019d2ebb
            • Instruction ID: 40240d0d35668cf275cbb9bd712aa04a03b9c1c587e211b6461927d6dba8d479
            • Opcode Fuzzy Hash: 1ab61ac706e9fab05a8c12f04276ffab93bf4e860edd1f48c17353b3019d2ebb
            • Instruction Fuzzy Hash: AD216270C21209EFDB129F69ED097A97BBDFB04322F14C266F811961A0D37198B5DB94
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: c20f755379cffc83432e2b89e420bd302240b31e5f12a0499cf2fa4dbe773d76
            • Instruction ID: 0e94b2bf6d28922645cf02e84bd263410b029370407bad4f9c7de2245a9149c9
            • Opcode Fuzzy Hash: c20f755379cffc83432e2b89e420bd302240b31e5f12a0499cf2fa4dbe773d76
            • Instruction Fuzzy Hash: AB01B9B17791067BD204A9259C42F6B739D9F23394F648015FD0D96243EEA0EE3587E0
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 002B4D5C
            • __beginthreadex.LIBCMT ref: 002B4D7A
            • MessageBoxW.USER32(?,?,?,?), ref: 002B4D8F
            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 002B4DA5
            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002B4DAC
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
            • String ID:
            • API String ID: 3824534824-0
            • Opcode ID: 57e41b823963afea6cbe587f3b8b70d2dae3c2e55ec1bbbb76a376249c4603af
            • Instruction ID: 8ded30b0ab7866ccc514a1d859d093034703ffc65d504476d83c9c0500b0185f
            • Opcode Fuzzy Hash: 57e41b823963afea6cbe587f3b8b70d2dae3c2e55ec1bbbb76a376249c4603af
            • Instruction Fuzzy Hash: B3114872D15245BFC701AFA8EC48AEA7FACEB49320F14826AF914D3251C6B08D1087A0
            APIs
            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002A8766
            • GetLastError.KERNEL32(?,002A822A,?,?,?), ref: 002A8770
            • GetProcessHeap.KERNEL32(00000008,?,?,002A822A,?,?,?), ref: 002A877F
            • HeapAlloc.KERNEL32(00000000,?,002A822A,?,?,?), ref: 002A8786
            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002A879D
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
            • String ID:
            • API String ID: 842720411-0
            • Opcode ID: 7aa7ac8b66f8c3a9edb1dd99d389a5db21ade5ab5c10447ad4537d82366244f5
            • Instruction ID: a599d468850c2a508920962cb92bbf8ad2aad23352aa9fd3472e8d68ce496c78
            • Opcode Fuzzy Hash: 7aa7ac8b66f8c3a9edb1dd99d389a5db21ade5ab5c10447ad4537d82366244f5
            • Instruction Fuzzy Hash: 2B014B75611205EFDB204FA6ED8CD6BBBACEF8A355720046AF84AC2260DA31CD10CA60
            APIs
            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B5502
            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 002B5510
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B5518
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 002B5522
            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B555E
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: PerformanceQuery$CounterSleep$Frequency
            • String ID:
            • API String ID: 2833360925-0
            • Opcode ID: e0aeea77db566dc4b15b1db0c176181002efb0afd5af9cabea7cc35218b2fec3
            • Instruction ID: 222430b0b27ab90b247db51f08b57fd3a9b669a9571db7b7bbd0d3ffddc09a74
            • Opcode Fuzzy Hash: e0aeea77db566dc4b15b1db0c176181002efb0afd5af9cabea7cc35218b2fec3
            • Instruction Fuzzy Hash: BF015B35C21A29DBDF10EFE8E94C7EDBB78BB09752F400056E806B6140DB309960CBA5
            APIs
            • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?,?,?,002A799D), ref: 002A766F
            • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?,?), ref: 002A768A
            • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?,?), ref: 002A7698
            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?), ref: 002A76A8
            • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A758C,80070057,?,?), ref: 002A76B4
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: From$Prog$FreeStringTasklstrcmpi
            • String ID:
            • API String ID: 3897988419-0
            • Opcode ID: 4b3c95e34ace9dfb473cd90e1e5f700790385a48ac28167775bb210ab3dc1fff
            • Instruction ID: f825d0fa930cc7d8799030a1a98262796fc06c535ba6a150ebade95bd72da7d5
            • Opcode Fuzzy Hash: 4b3c95e34ace9dfb473cd90e1e5f700790385a48ac28167775bb210ab3dc1fff
            • Instruction Fuzzy Hash: C701D4B2A11604BBDB104F58ED08BAA7BECEB85B51F144029FD05D2211EB31DE5097A4
            APIs
            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002A8608
            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002A8612
            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002A8621
            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002A8628
            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002A863E
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: ee86d347d6181f2faf88918d8b85da10d6a873cb2277b229cf125ca7b07e2ad8
            • Instruction ID: 003aa32a80b8f64a226cbef6f2d8df4428c63222a9e496852690e62ea6a74a29
            • Opcode Fuzzy Hash: ee86d347d6181f2faf88918d8b85da10d6a873cb2277b229cf125ca7b07e2ad8
            • Instruction Fuzzy Hash: 04F0CD30212215AFEB100FA4EE8DE6B3BACEF8AB55B04402AF90AC3150CF70DC51DA60
            APIs
            • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 002A8669
            • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 002A8673
            • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 002A8682
            • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 002A8689
            • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 002A869F
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: 412f584d9abc9d4c42a49cd4c71fd735b1c7ebbbfbf5406f1b15fff67f6baeb2
            • Instruction ID: 7d437cc71904fb9dcd65c1eeb623b5f53c9236c091be836cc6c5c8d959124840
            • Opcode Fuzzy Hash: 412f584d9abc9d4c42a49cd4c71fd735b1c7ebbbfbf5406f1b15fff67f6baeb2
            • Instruction Fuzzy Hash: F3F0AF70211215AFEB111FA4EC8CE677BACEF8AB55B140026F90AC2150CE70DD50DA60
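            Two call idioms recur in the listings above: the function at 002B5502 reads QueryPerformanceCounter, calls Sleep, then reads the counter again (the execution-timing check behind the report's "Contains functionality for execution timing" signature), and the functions at 002A8608, 002A8669 and 002A8766 use the two-call buffer-sizing idiom (query with a NULL buffer, GetLastError for ERROR_INSUFFICIENT_BUFFER, HeapAlloc, query again). The Python below is an added example, not code from Joe Sandbox, AutoIt or the analysed sample: it parses the report's own "APIs" line format and flags both idioms over sample lines taken from this page. The TOKEN_INFORMATION_CLASS values come from winnt.h; the decoder reads the hex value itself rather than any symbolic label the sandbox attaches to it (3 is TokenPrivileges; TokenIntegrityLevel is 25). The TOKEN_FUNC sample keeps the label as the tool originally rendered it so that this independence is visible.

```python
"""Parse Joe Sandbox 'APIs' call-site lines and flag two call idioms.
Added example for this report; not Joe Sandbox, AutoIt or sample code."""
import re
from typing import Dict, List, NamedTuple, Optional


class Call(NamedTuple):
    name: str        # API or CRT function, e.g. "GetTokenInformation"
    module: str      # module as printed, e.g. "ADVAPI32"
    args: List[str]  # argument strings as printed ("?" = unknown)
    ref: int         # call-site address
    subcall: bool    # True for "Part of subcall function ..." lines


# "• Name.MODULE(args), ref: ADDR"; the argument list may be absent.
_LINE_RE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[\w@:]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# TOKEN_INFORMATION_CLASS values from winnt.h (subset).
TOKEN_INFORMATION_CLASS: Dict[int, str] = {
    1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 4: "TokenOwner",
    18: "TokenElevationType", 20: "TokenElevation", 25: "TokenIntegrityLevel",
}


def _split_args(text: str) -> List[str]:
    """Split on commas outside a symbolic annotation such as 00000003(Foo)."""
    out, cur, depth = [], "", 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            out.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return out + [cur.strip()] if cur.strip() else out


def parse_calls(lines) -> List[Call]:
    """Parse one function's 'APIs' listing; headings and other lines are skipped."""
    calls = []
    for line in lines:
        m = _LINE_RE.match(line)
        if m:
            args = _split_args(m["args"]) if m["args"] is not None else []
            calls.append(Call(m["name"], m["module"], args,
                              int(m["ref"], 16), m["sub"] is not None))
    return calls


def arg_value(arg: str) -> Optional[int]:
    """Hex value of a printed argument, ignoring any label in parentheses;
    None for '?' or non-numeric strings."""
    try:
        return int(arg.split("(", 1)[0].strip(), 16)
    except ValueError:
        return None


def _in_order(names: List[str], wanted: List[str]) -> bool:
    """True when every name in `wanted` occurs in `names` in that order."""
    pos = 0
    for n in names:
        if pos < len(wanted) and n == wanted[pos]:
            pos += 1
    return pos == len(wanted)


def has_timing_check(calls: List[Call]) -> bool:
    """Timer read, Sleep, timer read again: the execution-timing idiom."""
    names = [c.name for c in calls if not c.subcall]
    return any(_in_order(names, [t, "Sleep", t])
               for t in ("QueryPerformanceCounter", "GetTickCount", "GetTickCount64"))


def size_probe_target(calls: List[Call]) -> Optional[str]:
    """Two-call sizing idiom: X, GetLastError, HeapAlloc, X again. Returns X or None."""
    names = [c.name for c in calls if not c.subcall]
    for first in dict.fromkeys(names):
        if first not in ("GetLastError", "HeapAlloc") and \
                _in_order(names, [first, "GetLastError", "HeapAlloc", first]):
            return first
    return None


def token_classes(calls: List[Call]) -> List[str]:
    """TOKEN_INFORMATION_CLASS names decoded from GetTokenInformation's 2nd argument."""
    out = []
    for c in calls:
        if c.name == "GetTokenInformation" and len(c.args) > 1 and not c.subcall:
            v = arg_value(c.args[1])
            if v is not None:
                out.append(TOKEN_INFORMATION_CLASS.get(v, f"class {v}"))
    return out


# Sample input: listings for the functions at 002B5502 and 002A8669 as rendered
# in this report (the TokenIntegrityLevel label is the tool's, not the decoder's).
TIMING_FUNC = """\
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B5502
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 002B5510
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B5518
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 002B5522
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B555E""".splitlines()

TOKEN_FUNC = """\
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002A8669
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002A8673
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8682
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8689
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A869F""".splitlines()
```

            Run `parse_calls` over any "APIs" listing copied from the report and feed the result to the three rule functions; `has_timing_check(parse_calls(TIMING_FUNC))` is True, `size_probe_target(parse_calls(TOKEN_FUNC))` is "GetTokenInformation", and `token_classes` on the same listing yields TokenPrivileges twice, showing why the class should be decoded from the value rather than read off the label.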
            APIs
            • GetDlgItem.USER32(?,000003E9), ref: 002AC6BA
            • GetWindowTextW.USER32(00000000,?,00000100), ref: 002AC6D1
            • MessageBeep.USER32(00000000), ref: 002AC6E9
            • KillTimer.USER32(?,0000040A), ref: 002AC705
            • EndDialog.USER32(?,00000001), ref: 002AC71F
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: BeepDialogItemKillMessageTextTimerWindow
            • String ID:
            • API String ID: 3741023627-0
            • Opcode ID: a392e6c5c7ed412e234cd311f965a486cdff3b23a24884183223b181ac533023
            • Instruction ID: e203d3250ec207cd9bc22b8ebf71c9172f5551c560278c1f1703bd03509bbae4
            • Opcode Fuzzy Hash: a392e6c5c7ed412e234cd311f965a486cdff3b23a24884183223b181ac533023
            • Instruction Fuzzy Hash: 43014F30911704ABEB619F20ED4EB96B7BCBB01B05F14066AB552A18E1DBE0AD648E84
            APIs
            • EndPath.GDI32(?), ref: 002513BF
            • StrokeAndFillPath.GDI32(?,?,0028BAD8,00000000,?), ref: 002513DB
            • SelectObject.GDI32(?,00000000), ref: 002513EE
            • DeleteObject.GDI32 ref: 00251401
            • StrokePath.GDI32(?), ref: 0025141C
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Path$ObjectStroke$DeleteFillSelect
            • String ID:
            • API String ID: 2625713937-0
            • Opcode ID: f76c4f9801ef8b60342eb9fb5f045df8806f49f74c562c9aa2e18ed123dfe33e
            • Instruction ID: f2298e7eddc31d41748596ffd49355cfe434640435bd189ac0aaf3ea92768f9a
            • Opcode Fuzzy Hash: f76c4f9801ef8b60342eb9fb5f045df8806f49f74c562c9aa2e18ed123dfe33e
            • Instruction Fuzzy Hash: 03F0E73041530DEBDB525FAAED0D7983FA9AB05327F04C225E82A994F1C73189B9DF58
            APIs
              • Part of subcall function 00270FF6: std::exception::exception.LIBCMT ref: 0027102C
              • Part of subcall function 00270FF6: __CxxThrowException@8.LIBCMT ref: 00271041
              • Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82
              • Part of subcall function 00257BB1: _memmove.LIBCMT ref: 00257C0B
            • __swprintf.LIBCMT ref: 0026302D
            Strings
            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00262EC6
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
            • API String ID: 1943609520-557222456
            • Opcode ID: 02c2162cc5fcdd7edd90d8d6ee19669d2d1b503ab043fa0c9dde93ef1992c6b3
            • Instruction ID: a70e910108d2ec3450b9cbadfd9fb0367a42b59e2a29e822d7217b09d7b7b365
            • Opcode Fuzzy Hash: 02c2162cc5fcdd7edd90d8d6ee19669d2d1b503ab043fa0c9dde93ef1992c6b3
            • Instruction Fuzzy Hash: 0D918E311283129FCB18EF24D895C6EB7E4EF95750F00491DF846972A1DA70EEA8CB56
            APIs
            • OleSetContainedObject.OLE32(?,00000001), ref: 002AB981
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ContainedObject
            • String ID: AutoIt3GUI$Container$%.
            • API String ID: 3565006973-783795609
            • Opcode ID: fdadec4ced60bd595b7539b7bbfe251c907412f6ac9c9a912c787698a5cdb992
            • Instruction ID: e7bbdf36bd1bdcb7c1623646d383756b95ffe03c02b31fbba159abe813b631b1
            • Opcode Fuzzy Hash: fdadec4ced60bd595b7539b7bbfe251c907412f6ac9c9a912c787698a5cdb992
            • Instruction Fuzzy Hash: BA913D746202019FDB15CF68C884B66B7E9FF4A710F24856EE949CB6A2DF70E854CB50
            APIs
            • __startOneArgErrorHandling.LIBCMT ref: 002752DD
              • Part of subcall function 00280340: __87except.LIBCMT ref: 0028037B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ErrorHandling__87except__start
            • String ID: pow
            • API String ID: 2905807303-2276729525
            • Opcode ID: 386b8642baf1349f292a1feda3df57b0fe64d5fb1dee0dc80ace1535e47eb557
            • Instruction ID: fd1e63a3ca05c95faca90c678f8daf88ad7fb2c9dea8d49226d651466b2ae977
            • Opcode Fuzzy Hash: 386b8642baf1349f292a1feda3df57b0fe64d5fb1dee0dc80ace1535e47eb557
            • Instruction Fuzzy Hash: E9519B24E3BA0387D7517F24D98137EA7949B00350F24C999E48D461E6EFF48CF89B41
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID: #$+
            • API String ID: 0-2552117581
            • Opcode ID: 124f0f7cc8ecf1fdd2ef3fece5876ec3e04e830814c4b5b70600677e5adc6a8f
            • Instruction ID: 00883bead3db4598038341ce982b5763e4dd46e4b36f88b50db86c20a22fa692
            • Opcode Fuzzy Hash: 124f0f7cc8ecf1fdd2ef3fece5876ec3e04e830814c4b5b70600677e5adc6a8f
            • Instruction Fuzzy Hash: A4515635524A66CFCF15DF28C488AFA7BA4EF16310F144095FC959B2A0DB749C6ACB60
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _memmove$_free
            • String ID: Oa&
            • API String ID: 2620147621-711773428
            • Opcode ID: b01c15491aaa235600ca32f16ce45a54ed8d8378940e18dd837e12b82011bb35
            • Instruction ID: c1b6e297ba9f518982c99fcb5db8e0539afcd6fdf78a0528f4ef00337702adb5
            • Opcode Fuzzy Hash: b01c15491aaa235600ca32f16ce45a54ed8d8378940e18dd837e12b82011bb35
            • Instruction Fuzzy Hash: F5516D719283429FDB24CF28C491B2BBBE5BF89314F44492DE98A87351DB31D961CF82
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _memset$_memmove
            • String ID: ERCP
            • API String ID: 2532777613-1384759551
            • Opcode ID: 78e5acc1d245390988eaeda15a499a07935ec29cf3684da7a846a6885981f070
            • Instruction ID: 7350ee9039fe9a3f7e981fc1eaab5cb54193f096809020b2973bcd90cbcf0c65
            • Opcode Fuzzy Hash: 78e5acc1d245390988eaeda15a499a07935ec29cf3684da7a846a6885981f070
            • Instruction Fuzzy Hash: DA51B27192030ADBDB24CF65C8957AABBF4FF04714F20856EE94ACB281EB7195A4CB40
            APIs
            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002D76D0
            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002D76E4
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 002D7708
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessageSend$Window
            • String ID: SysMonthCal32
            • API String ID: 2326795674-1439706946
            • Opcode ID: 4bbe723f77dfdf482709c77d178ea62b3953b17589f2448d8e19fbf37d537b30
            • Instruction ID: 42a82cd6097c504bc7f68ea82c030264190255c9cfba9fc4edce6dca42a016e5
            • Opcode Fuzzy Hash: 4bbe723f77dfdf482709c77d178ea62b3953b17589f2448d8e19fbf37d537b30
            • Instruction Fuzzy Hash: 77219132514219ABDF118E94CC46FEA3B69EF48754F110215FE156B2D0E6B5EC609BA0
            APIs
            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002D6FAA
            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002D6FBA
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002D6FDF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessageSend$MoveWindow
            • String ID: Listbox
            • API String ID: 3315199576-2633736733
            • Opcode ID: f02c2d1cc85201461c62a09dac246fd951f3e8afe12b2d4784e7eaed99ab5c68
            • Instruction ID: bebd0f915a721e990b2518df307d7d25d63bdc2882e4d349b4861b903107b0b7
            • Opcode Fuzzy Hash: f02c2d1cc85201461c62a09dac246fd951f3e8afe12b2d4784e7eaed99ab5c68
            • Instruction Fuzzy Hash: E521D732621119BFDF118F54DC89FEB377AEF89750F018125F91597690C671AC61CBA0
            APIs
            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002D79E1
            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002D79F6
            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002D7A03
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: msctls_trackbar32
            • API String ID: 3850602802-1010561917
            • Opcode ID: b616d507edddbf3a33ca5a4975136d073dffef440810c2058f4d4f272334f3d2
            • Instruction ID: e5a6339b23acb31ae36dab158c7d6a821f0f29ae31f7aeaa4a1ce6f8e1c3a523
            • Opcode Fuzzy Hash: b616d507edddbf3a33ca5a4975136d073dffef440810c2058f4d4f272334f3d2
            • Instruction Fuzzy Hash: 7A112732264209BADF109F60CC05FDB37ADEF89764F02451AFA01A61D0D271DC21CB60
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00254C2E), ref: 00254CA3
            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00254CB5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetNativeSystemInfo$kernel32.dll
            • API String ID: 2574300362-192647395
            • Opcode ID: ed6bec537d3a68d3fc7570c7e9d3581d50f7e90c1696bb2672132f690d4e6f09
            • Instruction ID: 2ee4209af399822c015a5d854bc7cd717774dc062b86daa315b75e00fffa2a56
            • Opcode Fuzzy Hash: ed6bec537d3a68d3fc7570c7e9d3581d50f7e90c1696bb2672132f690d4e6f09
            • Instruction Fuzzy Hash: 2BD01230921723CFD7605F31DB18606B6D5AF06756B15883B9C97D6650D770DCD0C658
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00254D2E,?,00254F4F,?,003162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00254D6F
            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00254D81
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
            • API String ID: 2574300362-3689287502
            • Opcode ID: 586d989d6cc1fc741ef4926a5c21b60a329162a2ca25512e18d16989ba549957
            • Instruction ID: 39228f47d8b9ec3596a235b8e44bd174e84ddf3243661b9797a3a7826ad2c303
            • Opcode Fuzzy Hash: 586d989d6cc1fc741ef4926a5c21b60a329162a2ca25512e18d16989ba549957
            • Instruction Fuzzy Hash: A5D0C731922313CFC720AF30E908202B2E8AF05766B10883BD88BC2290E774D8C0CA68
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00254CE1,?), ref: 00254DA2
            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00254DB4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
            • API String ID: 2574300362-1355242751
            • Opcode ID: d50797bcb6c91f42da183a57c043a7cc80574cfdc5d750f66c912360350770a3
            • Instruction ID: 10cb3c8f56b282f75e20a4f52a625036b1a87e22e0ed4110817a81866ae26af2
            • Opcode Fuzzy Hash: d50797bcb6c91f42da183a57c043a7cc80574cfdc5d750f66c912360350770a3
            • Instruction Fuzzy Hash: 4BD01231961713CFD7205F31D908646B6E4AF05359B15883BDCD6D6150D774D8D0CA54
            APIs
            • LoadLibraryA.KERNEL32(advapi32.dll,?,002D12C1), ref: 002D1080
            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002D1092
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: RegDeleteKeyExW$advapi32.dll
            • API String ID: 2574300362-4033151799
            • Opcode ID: 726b09d7f390d0bb3235ce307c114a38b155284289e925c833847aa3fc5d9663
            • Instruction ID: 5a31520cf7ee21297b47b76ab0bcde5ce1a888d51c2230a67e2d9c7148d07cc6
            • Opcode Fuzzy Hash: 726b09d7f390d0bb3235ce307c114a38b155284289e925c833847aa3fc5d9663
            • Instruction Fuzzy Hash: FFD0C230811313DFC3205F30D828556B2E8AF14352B048C3BE8CAC6690D770CCD0C610
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,00000001,002C9009,?,002DF910), ref: 002C9403
            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 002C9415
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetModuleHandleExW$kernel32.dll
            • API String ID: 2574300362-199464113
            • Opcode ID: 1d4b30b7b125c965ba93e4b745fb6199a7f6102a09b9be8bc70bf6cc54f2e130
            • Instruction ID: 06ac6ee79cf7c4610b92d9aa56ed938e56147386ab3613a241e293ee26904d28
            • Opcode Fuzzy Hash: 1d4b30b7b125c965ba93e4b745fb6199a7f6102a09b9be8bc70bf6cc54f2e130
            • Instruction Fuzzy Hash: B7D0E234925713CFD7209F31EA0CA4676E5AF05351B15C83EA89AE6690E670C8D08A60
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: LocalTime__swprintf
            • String ID: %.3d$WIN_XPe
            • API String ID: 2070861257-2409531811
            • Opcode ID: 66f6d877283f3ef49be724ce11c3a028ebe550155181d1b8619d5c2229252ce4
            • Instruction ID: 92d830ae9a553943f370321f2a27abe2522214a4764b91ce08b677d27945663b
            • Opcode Fuzzy Hash: 66f6d877283f3ef49be724ce11c3a028ebe550155181d1b8619d5c2229252ce4
            • Instruction Fuzzy Hash: 17D0C271C3420AEACF049A92DC648F9737DAB08305F100192F80291040F2B08BB4AB25
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f9f70dedeaf50ff2409d2c06a6da3f4c078c3d8cb03d974fa6f8cef23b1b8378
            • Instruction ID: f18274e11e59b3812b8df86ec01f55baafff0f06d6ce52255c3b270009347955
            • Opcode Fuzzy Hash: f9f70dedeaf50ff2409d2c06a6da3f4c078c3d8cb03d974fa6f8cef23b1b8378
            • Instruction Fuzzy Hash: F6C18B75A14216EFDB14CF94CC84EAEB7B9FF49310B108599E806EB251DB30EE91CB94
            APIs
            • CharLowerBuffW.USER32(?,?), ref: 002CE3D2
            • CharLowerBuffW.USER32(?,?), ref: 002CE415
              • Part of subcall function 002CDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 002CDAD9
            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 002CE615
            • _memmove.LIBCMT ref: 002CE628
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: BuffCharLower$AllocVirtual_memmove
            • String ID:
            • API String ID: 3659485706-0
            • Opcode ID: 0b46c0b0512105147c3feb31bd35b4c71944a5489005affbdb44194ecddebaa2
            • Instruction ID: f7c982802d7d723a21065fb6c6e0f7c8045da0bdd15cc228485939aa4d906837
            • Opcode Fuzzy Hash: 0b46c0b0512105147c3feb31bd35b4c71944a5489005affbdb44194ecddebaa2
            • Instruction Fuzzy Hash: 52C15A716283019FCB14DF28C480A6ABBE4FF88318F158A6DF8999B351D731E955CF82
            APIs
            • CoInitialize.OLE32(00000000), ref: 002C83D8
            • CoUninitialize.OLE32 ref: 002C83E3
              • Part of subcall function 002ADA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002ADAC5
            • VariantInit.OLEAUT32(?), ref: 002C83EE
            • VariantClear.OLEAUT32(?), ref: 002C86BF
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
            • String ID:
            • API String ID: 780911581-0
            • Opcode ID: 1ef4b570c4710e752946711cf050731e764ff58cd4a01ace16decb9c2a6a54cd
            • Instruction ID: 74d3c827a0e325a507fe8288cd6dde25891d554799ec6fc338bceab307b693ab
            • Opcode Fuzzy Hash: 1ef4b570c4710e752946711cf050731e764ff58cd4a01ace16decb9c2a6a54cd
            • Instruction Fuzzy Hash: 11A114752247029FCB10DF14C485B2AB7E4BF88354F18854DF99A9B3A1CB70ED64CB96
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Variant$AllocClearCopyInitString
            • String ID:
            • API String ID: 2808897238-0
            • Opcode ID: 1988a2f541c43613088d1607eca7842b0348df5d31d602c4349ba0564ecc2486
            • Instruction ID: fbb082e1df1d5b1812b0073b1ef98441d3a40282fe4ba199fe10a2fb9f7d8aab
            • Opcode Fuzzy Hash: 1988a2f541c43613088d1607eca7842b0348df5d31d602c4349ba0564ecc2486
            • Instruction Fuzzy Hash: 2051E930634302DFDB30AF65D895B2AB3E4AF4A310F24881FE556CB691DF7098A49F09
            APIs
            • GetWindowRect.USER32(0101EBB0,?), ref: 002D9AD2
            • ScreenToClient.USER32(00000002,00000002), ref: 002D9B05
            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 002D9B72
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Window$ClientMoveRectScreen
            • String ID:
            • API String ID: 3880355969-0
            • Opcode ID: 5d3e86f40f8097ab040152313fd78d2255c161061f25a6c39b0d3f2a65f78efd
            • Instruction ID: 10ebdb62bcb2ac6b5671e9b3a796456c26c0481f589b1eee714fa18157814dac
            • Opcode Fuzzy Hash: 5d3e86f40f8097ab040152313fd78d2255c161061f25a6c39b0d3f2a65f78efd
            • Instruction Fuzzy Hash: 63514D35A10209EFCF10DF58E881AAE7BB9FB44324F11815BF8159B390D730AD91CB90
            APIs
            • socket.WSOCK32(00000002,00000002,00000011), ref: 002C6CE4
            • WSAGetLastError.WSOCK32(00000000), ref: 002C6CF4
              • Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
              • Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C
            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 002C6D58
            • WSAGetLastError.WSOCK32(00000000), ref: 002C6D64
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ErrorLast$__itow__swprintfsocket
            • String ID:
            • API String ID: 2214342067-0
            • Opcode ID: 946d3885ea9cf1ad2c21e23dadf2097f56ed14686673cde44408dbc98de725d7
            • Instruction ID: ba767c4886474f82afdc9b3ea26515b57431ea99de4558cc7e4c5e640dde27f2
            • Opcode Fuzzy Hash: 946d3885ea9cf1ad2c21e23dadf2097f56ed14686673cde44408dbc98de725d7
            • Instruction Fuzzy Hash: 9D41D434750200AFEB10AF24DC8BF3A77E59B04B10F54811CFE1AAB2C2DBB19D508B95
            APIs
            • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,002DF910), ref: 002C67BA
            • _strlen.LIBCMT ref: 002C67EC
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _strlen
            • String ID:
            • API String ID: 4218353326-0
            • Opcode ID: 1f3336e3c7dc9e07adcf6f50520a35208b254823a12dc52cec28ec77e555c625
            • Instruction ID: f1daf20024e64862cf9b2f2f926e79f2362db5e3941a45cf96a3c0945c17080b
            • Opcode Fuzzy Hash: 1f3336e3c7dc9e07adcf6f50520a35208b254823a12dc52cec28ec77e555c625
            • Instruction Fuzzy Hash: 8741EB31920104AFCB14EB64DCD5FADB3A8EF44310F148269F91A97292DF30AD68CF55
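Three of the records above are the ones an analyst reads first: a VirtualAlloc with flProtect 00000040 (PAGE_EXECUTE_READWRITE) followed by _memmove, LoadLibraryA/GetProcAddress resolving Wow64DisableWow64FsRedirection at runtime, and Winsock calls imported only by ordinal (#21, #16 in WSOCK32). The script below is an added example, not Joe Sandbox or AutoIt code: it parses the flat record layout this page prints (the "APIs", "Memory Dump Source" and "Similarity" sections), resolves wsock32 ordinals from the standard Winsock 1.1 export table, and flags those three patterns. The sample input is constructed from lines copied off this page, with the Associated and hash lines dropped.

```python
"""Parse the per-function records a Joe Sandbox report prints under the
"APIs" / "Memory Dump Source" / "Similarity" headers and flag the API
combinations worth triaging first.  Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field

# wsock32.dll exports Winsock 1.1 by ordinal; the report prints such imports
# as "#<ordinal>.WSOCK32".  This is the documented wsock32/ws2_32 layout.
WSOCK32_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                    12: "ioctlsocket", 13: "listen", 16: "recv", 17: "recvfrom",
                    18: "select", 19: "send", 20: "sendto", 21: "setsockopt",
                    22: "shutdown", 23: "socket"}
SOL_SOCKET, SO_BROADCAST, PAGE_EXECUTE_READWRITE = 0xFFFF, 0x0020, 0x40

# One API line: optional "Part of subcall function <addr>:" prefix, then
# Name.MODULE(args), ref: <addr>.  CRT calls (_memmove.LIBCMT) carry no args.
CALL_RE = re.compile(r"^•\s+(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
                     r"(?P<name>[#\w]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
FIELD_RE = re.compile(r"^•\s+(?P<key>API ID|String ID|Opcode ID): ?(?P<val>.*)$")

# Constructed sample: three records copied from this report, trimmed to the
# lines the parser uses.
SAMPLE = """\
APIs
• CharLowerBuffW.USER32(?,?), ref: 002CE3D2
  • Part of subcall function 002CDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 002CDAD9
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 002CE615
• _memmove.LIBCMT ref: 002CE628
Memory Dump Source
• Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Similarity
• API ID: BuffCharLower$AllocVirtual_memmove
• String ID:
• Opcode ID: 0b46c0b0512105147c3feb31bd35b4c71944a5489005affbdb44194ecddebaa2
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00254D2E,?,00254F4F,?,003162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00254D6F
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00254D81
Strings
Memory Dump Source
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• Opcode ID: 586d989d6cc1fc741ef4926a5c21b60a329162a2ca25512e18d16989ba549957
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 002C6CE4
• WSAGetLastError.WSOCK32(00000000), ref: 002C6CF4
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 002C6D58
Memory Dump Source
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• Opcode ID: 946d3885ea9cf1ad2c21e23dadf2097f56ed14686673cde44408dbc98de725d7
"""


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str
    caller: str = ""      # non-empty for "Part of subcall function" lines


@dataclass
class Record:
    calls: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""
    saw_source: bool = False


def parse_records(text):
    """Split the flat listing into one Record per function."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        # "APIs" opens a record; a function with no API calls starts straight at
        # "Memory Dump Source", so that header also opens one when the current
        # record already has its source section.
        if line == "APIs" or (line == "Memory Dump Source" and (cur is None or cur.saw_source)):
            cur = Record()
            records.append(cur)
        if cur is None:
            continue
        if line == "Memory Dump Source":
            cur.saw_source = True
        elif m := CALL_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["name"], m["module"], args, m["ref"], m["caller"] or ""))
        elif m := FIELD_RE.match(line):
            setattr(cur, m["key"].lower().replace(" ", "_"), m["val"].strip())
    return records


def resolve_ordinal(name, module):
    """Map "#21" in WSOCK32 to setsockopt; anything else passes through."""
    if name.startswith("#") and module.upper() == "WSOCK32":
        return WSOCK32_ORDINALS.get(int(name[1:]), name)
    return name


def _hexarg(call, idx):
    """Argument idx as an int, or None when the report shows "?" (not constant)."""
    try:
        return int(call.args[idx], 16)
    except (IndexError, ValueError):
        return None


def triage(rec):
    """Human-readable findings for one record."""
    findings = []
    by_name = {resolve_ordinal(c.name, c.module): c for c in rec.calls}
    va = by_name.get("VirtualAlloc")
    prot = _hexarg(va, 3) if va else None        # 4th arg is flProtect
    if prot is not None and prot & PAGE_EXECUTE_READWRITE:
        findings.append(f"VirtualAlloc at {va.ref} with PAGE_EXECUTE_READWRITE "
                        f"(flProtect=0x{prot:X}); inspect what is copied there next")
    if "LoadLibraryA" in by_name and "GetProcAddress" in by_name:
        gpa = by_name["GetProcAddress"]
        target = gpa.args[1] if len(gpa.args) > 1 else "<unknown>"
        findings.append(f"runtime API resolution of {target} at {gpa.ref}")
    for c in rec.calls:
        real = resolve_ordinal(c.name, c.module)
        if real == c.name:
            continue
        note = f"ordinal import {c.name}.{c.module} = {real} at {c.ref}"
        if real == "setsockopt" and _hexarg(c, 1) == SOL_SOCKET and _hexarg(c, 2) == SO_BROADCAST:
            note += " (SOL_SOCKET/SO_BROADCAST on the socket)"
        findings.append(note)
    return findings


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(i, rec.api_id, triage(rec))
```

Run it on a full report export by replacing SAMPLE with the file contents; records whose calls are all "?" arguments still parse, they simply produce no constant-based findings, which is why the socket(2, 2, 0x11) call (AF_INET, SOCK_DGRAM, IPPROTO_UDP) is left for the analyst rather than flagged automatically.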
            APIs
            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002BBB09
            • GetLastError.KERNEL32(?,00000000), ref: 002BBB2F
            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002BBB54
            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002BBB80
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CreateHardLink$DeleteErrorFileLast
            • String ID:
            • API String ID: 3321077145-0
            • Opcode ID: 9f4bba0b4ea41bcc6c2d3fccb36fe415f2d528cb9cf277e8edca2dd0956f5ebf
            • Instruction ID: 0ec16685e338039c65ddda209822e569374083692f4d37194f5b20e1152dab88
            • Opcode Fuzzy Hash: 9f4bba0b4ea41bcc6c2d3fccb36fe415f2d528cb9cf277e8edca2dd0956f5ebf
            • Instruction Fuzzy Hash: 5D414339610611DFCB11EF14C588A5DBBE1AF89321B198089EC8A9B362CB70FD64CF95
            APIs
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002D8B4D
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: InvalidateRect
            • String ID:
            • API String ID: 634782764-0
            • Opcode ID: 539d9314d01557f564f6ae45bca0c7ebedc526ebc36dd0e711e31810789e07a2
            • Instruction ID: b6bd1893729b23f10f99f5f49e4018dafc729d8fe45e8590e779da51be207f5a
            • Opcode Fuzzy Hash: 539d9314d01557f564f6ae45bca0c7ebedc526ebc36dd0e711e31810789e07a2
            • Instruction Fuzzy Hash: E431E4B4620205BFEF219F58DC45FA937A8EB09318F648917FA52D63E0DE70AD60CB51
            APIs
            • ClientToScreen.USER32(?,?), ref: 002DAE1A
            • GetWindowRect.USER32(?,?), ref: 002DAE90
            • PtInRect.USER32(?,?,002DC304), ref: 002DAEA0
            • MessageBeep.USER32(00000000), ref: 002DAF11
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Rect$BeepClientMessageScreenWindow
            • String ID:
            • API String ID: 1352109105-0
            • Opcode ID: a5f0921905b78b0853d302972c6427d379e6316795e03a9c85b28c76315765c7
            • Instruction ID: 4cce45f98ca9a099007957e2f33b8dcffed7f08a775192679e78a407036ceee3
            • Opcode Fuzzy Hash: a5f0921905b78b0853d302972c6427d379e6316795e03a9c85b28c76315765c7
            • Instruction Fuzzy Hash: 46416A70A1111A9FCB11CF58D885FA97BF5FB88340F1481BAE8159B351D731ED11DB92
            APIs
            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 002B1037
            • SetKeyboardState.USER32(00000080,?,00000001), ref: 002B1053
            • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 002B10B9
            • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 002B110B
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: f174229552de80ee41531278a87affe54d83eeff8720e532762b29ce117c3953
            • Instruction ID: 1a46d080ab61bf78773b2f55160b11786049df5ce925da510093052cde7a24c6
            • Opcode Fuzzy Hash: f174229552de80ee41531278a87affe54d83eeff8720e532762b29ce117c3953
            • Instruction Fuzzy Hash: 8F319C30E70689AEFF309F298C197FABBA9AF44390F84462AEC91421D0C3748DF49751
            APIs
            • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 002B1176
            • SetKeyboardState.USER32(00000080,?,00008000), ref: 002B1192
            • PostMessageW.USER32(00000000,00000101,00000000), ref: 002B11F1
            • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 002B1243
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: 975b192b549689d55146ce2b1b830cf9fcec7a78bf56a2e63ca0b2bf638e6670
            • Instruction ID: 70863b69bd2c127246203bdbcf0d4d30de3ca36cbda6215099f9dc334b8d54e0
            • Opcode Fuzzy Hash: 975b192b549689d55146ce2b1b830cf9fcec7a78bf56a2e63ca0b2bf638e6670
            • Instruction Fuzzy Hash: 76316830D702195AEF208E698C297FABBBAAB49390F88431BE685921D1C3748DB49751
            APIs
            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0028644B
            • __isleadbyte_l.LIBCMT ref: 00286479
            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002864A7
            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002864DD
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
            • String ID:
            • API String ID: 3058430110-0
            • Opcode ID: 1602a41fcd51b3824dc8b280009b9907b81adcea484c968e0e6bcb7d02f71fee
            • Instruction ID: 99954c5e04bb028f259694bf1676451de642bd2956de769542f23f9ff6647688
            • Opcode Fuzzy Hash: 1602a41fcd51b3824dc8b280009b9907b81adcea484c968e0e6bcb7d02f71fee
            • Instruction Fuzzy Hash: 5931D039612247AFDB31AF64C849BAF7BA5FF40320F194029E855871D1E731D860DB90
            APIs
            • GetForegroundWindow.USER32 ref: 002D5189
              • Part of subcall function 002B387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002B3897
              • Part of subcall function 002B387D: GetCurrentThreadId.KERNEL32 ref: 002B389E
              • Part of subcall function 002B387D: AttachThreadInput.USER32(00000000,?,002B52A7), ref: 002B38A5
            • GetCaretPos.USER32(?), ref: 002D519A
            • ClientToScreen.USER32(00000000,?), ref: 002D51D5
            • GetForegroundWindow.USER32 ref: 002D51DB
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
            • String ID:
            • API String ID: 2759813231-0
            • Opcode ID: e3e490b113e6caa2e90d66da856bb61d049640db4ddbee76a17ed97ae03c3254
            • Instruction ID: c59c5f8a92cb7481ad67204dc88da5a9532a8a9673508c218465a48b17611094
            • Opcode Fuzzy Hash: e3e490b113e6caa2e90d66da856bb61d049640db4ddbee76a17ed97ae03c3254
            • Instruction Fuzzy Hash: 02311871910108ABDB00EFA5C985AEFB7F9EF98300F10446AE816E7241EA759E55CFA4
            APIs
              • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
            • GetCursorPos.USER32(?), ref: 002DC7C2
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0028BBFB,?,?,?,?,?), ref: 002DC7D7
            • GetCursorPos.USER32(?), ref: 002DC824
            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0028BBFB,?,?,?), ref: 002DC85E
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Cursor$LongMenuPopupProcTrackWindow
            • String ID:
            • API String ID: 2864067406-0
            • Opcode ID: fe6d8b958ac3a4fad6561eca8f6b7e30051ec0d19318737c9426ad93587a0fd9
            • Instruction ID: 86dea8411a312fb26cdd1577d5139b8befc1b62306fb14d8d171e87a7d92869d
            • Opcode Fuzzy Hash: fe6d8b958ac3a4fad6561eca8f6b7e30051ec0d19318737c9426ad93587a0fd9
            • Instruction Fuzzy Hash: 9B31B635610019EFCB16CF98D898EEA7BBAEB09310F54406AF906CB261C7315D60EF64
            APIs
              • Part of subcall function 002A8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002A8669
              • Part of subcall function 002A8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002A8673
              • Part of subcall function 002A8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8682
              • Part of subcall function 002A8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8689
              • Part of subcall function 002A8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A869F
            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002A8BEB
            • _memcmp.LIBCMT ref: 002A8C0E
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002A8C44
            • HeapFree.KERNEL32(00000000), ref: 002A8C4B
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
            • String ID:
            • API String ID: 1592001646-0
            • Opcode ID: 438445206e7f179a2249b78b97226f1423b1023baabd49fcc390f96878926b54
            • Instruction ID: b496db1313e6a2475e79951b454cfb510800b617bd1b8368aaa169d78297a84f
            • Opcode Fuzzy Hash: 438445206e7f179a2249b78b97226f1423b1023baabd49fcc390f96878926b54
            • Instruction Fuzzy Hash: 64218B71E12209EBDB04DFA4C948BAEB7B9EF41355F04409AE455A7240DB30AE16CF60
            APIs
            • __setmode.LIBCMT ref: 00270BF2
              • Part of subcall function 00255B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,002B7B20,?,?,00000000), ref: 00255B8C
              • Part of subcall function 00255B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,002B7B20,?,?,00000000,?,?), ref: 00255BB0
            • _fprintf.LIBCMT ref: 00270C29
            • OutputDebugStringW.KERNEL32(?), ref: 002A6331
              • Part of subcall function 00274CDA: _flsall.LIBCMT ref: 00274CF3
            • __setmode.LIBCMT ref: 00270C5E
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
            • String ID:
            • API String ID: 521402451-0
            • Opcode ID: 19780cedf203f68308a994b3340d9dcaa13ca49a5612b085fcdd745df5ebd3ac
            • Instruction ID: 97c3a91b66e57e452aebb8ad6a983188c7e0568be10179c7e018787af5a996d5
            • Opcode Fuzzy Hash: 19780cedf203f68308a994b3340d9dcaa13ca49a5612b085fcdd745df5ebd3ac
            • Instruction Fuzzy Hash: DA115732924208ABCB05B7B49C879BEBB6C9F41320F14815AF20857181DF700DBA8B95
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002C1A97
              • Part of subcall function 002C1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002C1B40
              • Part of subcall function 002C1B21: InternetCloseHandle.WININET(00000000), ref: 002C1BDD
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Internet$CloseConnectHandleOpen
            • String ID:
            • API String ID: 1463438336-0
            • Opcode ID: 82bc369a4240a0de02e5b341b8025513eacda1a5545e7b65109ea91af60d2043
            • Instruction ID: 30816c634c01c199a2ca9d911f354c7ffdfa66e379904e8c9014236595fbb415
            • Opcode Fuzzy Hash: 82bc369a4240a0de02e5b341b8025513eacda1a5545e7b65109ea91af60d2043
            • Instruction Fuzzy Hash: 4521CF31211601BFEB129F608C06FBAB7A9FF45700F14021EFA0696652EB71E834DBA4
            APIs
              • Part of subcall function 002AF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,002AE1C4,?,?,?,002AEFB7,00000000,000000EF,00000119,?,?), ref: 002AF5BC
              • Part of subcall function 002AF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 002AF5E2
              • Part of subcall function 002AF5AD: lstrcmpiW.KERNEL32(00000000,?,002AE1C4,?,?,?,002AEFB7,00000000,000000EF,00000119,?,?), ref: 002AF613
            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,002AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 002AE1DD
            • lstrcpyW.KERNEL32(00000000,?), ref: 002AE203
            • lstrcmpiW.KERNEL32(00000002,cdecl,?,002AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 002AE237
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: lstrcmpilstrcpylstrlen
            • String ID: cdecl
            • API String ID: 4031866154-3896280584
            • Opcode ID: a07d2ab5451d9cd0ce9170bbe358ff43c83a516b1337ab0b9c1dce18f852d47b
            • Instruction ID: f4d452a8c1626396258521e3a4037ed6eb87b4c33b780869e30b9f88ff13bc35
            • Opcode Fuzzy Hash: a07d2ab5451d9cd0ce9170bbe358ff43c83a516b1337ab0b9c1dce18f852d47b
            • Instruction Fuzzy Hash: 91118436110345EFCF25AF64D849A7A77A8FF46350B41802AE806C7250EF71D9619BA4
            APIs
            • _free.LIBCMT ref: 00285351
              • Part of subcall function 0027594C: __FF_MSGBANNER.LIBCMT ref: 00275963
              • Part of subcall function 0027594C: __NMSG_WRITE.LIBCMT ref: 0027596A
              • Part of subcall function 0027594C: RtlAllocateHeap.NTDLL(01000000,00000000,00000001,00000000,?,?,?,00271013,?), ref: 0027598F
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: AllocateHeap_free
            • String ID:
            • API String ID: 614378929-0
            • Opcode ID: 7089e2a406229220fd648bd7ca0d3b439750eee1a1db5886828866d2f525e204
            • Instruction ID: 7c6b4d6e8f32194740c087222169e2ec1a9fec06c3830430b8d888881084421e
            • Opcode Fuzzy Hash: 7089e2a406229220fd648bd7ca0d3b439750eee1a1db5886828866d2f525e204
            • Instruction Fuzzy Hash: 3E112732926A26EFCB313F70EC4865D37985F143E0F1084AAF9099A0D0DFB08D709B90
            APIs
            • _memset.LIBCMT ref: 00254560
              • Part of subcall function 0025410D: _memset.LIBCMT ref: 0025418D
              • Part of subcall function 0025410D: _wcscpy.LIBCMT ref: 002541E1
              • Part of subcall function 0025410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002541F1
            • KillTimer.USER32(?,00000001,?,?), ref: 002545B5
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002545C4
            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0028D6CE
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
            • String ID:
            • API String ID: 1378193009-0
            • Opcode ID: ce9460d9236bf073fea2c481c2404b204a2ddb7c1c38bc8c7a73c5bdf310d20f
            • Instruction ID: c797c817e25b92756f841c920d8ce38e4497dd403e783495f1c4e4bc78b57e70
            • Opcode Fuzzy Hash: ce9460d9236bf073fea2c481c2404b204a2ddb7c1c38bc8c7a73c5bdf310d20f
            • Instruction Fuzzy Hash: A42128749153989FE7329B20A845BE7FBEC9F11308F00009EE68E561C1D7B41A988B45
            APIs
            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 002B40D1
            • _memset.LIBCMT ref: 002B40F2
            • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 002B4144
            • CloseHandle.KERNEL32(00000000), ref: 002B414D
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CloseControlCreateDeviceFileHandle_memset
            • String ID:
            • API String ID: 1157408455-0
            • Opcode ID: 97d197e06290d6f917fed6d62fba421d8b25dcd6a242774ce080abb821b974f4
            • Instruction ID: ac602ce7236210e979d9dc74cbc75550ad3345704cecb6e65b3807dae5d5a652
            • Opcode Fuzzy Hash: 97d197e06290d6f917fed6d62fba421d8b25dcd6a242774ce080abb821b974f4
            • Instruction Fuzzy Hash: BF11AB75D112287AD730ABA5AC4DFEBBB7CEF44760F104596F908D7180D6744F808BA4
            APIs
              • Part of subcall function 00255B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,002B7B20,?,?,00000000), ref: 00255B8C
              • Part of subcall function 00255B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,002B7B20,?,?,00000000,?,?), ref: 00255BB0
            • gethostbyname.WSOCK32(?,?,?), ref: 002C66AC
            • WSAGetLastError.WSOCK32(00000000), ref: 002C66B7
            • _memmove.LIBCMT ref: 002C66E4
            • inet_ntoa.WSOCK32(?), ref: 002C66EF
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
            • String ID:
            • API String ID: 1504782959-0
            • Opcode ID: 7af2cc43d6929d7bb77d068c95df47e5b724d28f63eeadd7c129b951273ee3c2
            • Instruction ID: 99ed2f98127db0bb04bddb757073a5e5dcd32cd430e86cba6f42807c6fb1cb9f
            • Opcode Fuzzy Hash: 7af2cc43d6929d7bb77d068c95df47e5b724d28f63eeadd7c129b951273ee3c2
            • Instruction Fuzzy Hash: DF119335920108AFCB00EBA4DD9ADEEB7B8AF04311B144129F906A7261DF309F28DF55
            APIs
            • SendMessageW.USER32(?,000000B0,?,?), ref: 002A9043
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002A9055
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002A906B
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002A9086
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: c899876cac3befe7f091f5074c231d3e2521e3ef1601a25702fb7313437f00ae
            • Instruction ID: fa8d8390852bebb4f2f80949ff695d59d7cad8bb7ef9f68b9091f43bf9c9d0ba
            • Opcode Fuzzy Hash: c899876cac3befe7f091f5074c231d3e2521e3ef1601a25702fb7313437f00ae
            • Instruction Fuzzy Hash: 98115E79901218FFDB10DFA5CD84E9DBB78FB48350F204095E904B7290DA726E50DB94
            APIs
              • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
            • DefDlgProcW.USER32(?,00000020,?), ref: 002512D8
            • GetClientRect.USER32(?,?), ref: 0028B84B
            • GetCursorPos.USER32(?), ref: 0028B855
            • ScreenToClient.USER32(?,?), ref: 0028B860
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Client$CursorLongProcRectScreenWindow
            • String ID:
            • API String ID: 4127811313-0
            • Opcode ID: 40a530516d2a31c301ca8b042bb7644d4375d4ef8fb84d32d2be956038307384
            • Instruction ID: dd00455f48d8c5ae98d12b27c6036271cfc1d4d0787a4d02821322a98161beac
            • Opcode Fuzzy Hash: 40a530516d2a31c301ca8b042bb7644d4375d4ef8fb84d32d2be956038307384
            • Instruction Fuzzy Hash: F7112B35911029BFCB00DF94D989AFE77B8EB05305F404456FD11E7150C730AA65CBA9
            APIs
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002B01FD,?,002B1250,?,00008000), ref: 002B166F
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,002B01FD,?,002B1250,?,00008000), ref: 002B1694
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002B01FD,?,002B1250,?,00008000), ref: 002B169E
            • Sleep.KERNEL32(?,?,?,?,?,?,?,002B01FD,?,002B1250,?,00008000), ref: 002B16D1
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CounterPerformanceQuerySleep
            • String ID:
            • API String ID: 2875609808-0
            • Opcode ID: d2d79b79741cfb7e06b847f5211bcd9394003ecdd84d5ee0cfe8b76ef11c01be
            • Instruction ID: b7e3fdef6c8c415067516241931caca473551f779668d669d5a2cb85835d6ec0
            • Opcode Fuzzy Hash: d2d79b79741cfb7e06b847f5211bcd9394003ecdd84d5ee0cfe8b76ef11c01be
            • Instruction Fuzzy Hash: 0B118E31C2151DE7CF049FA6E958AEEBB7CFF09781F444056E945B2240CB709970CB96
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
            • String ID:
            • API String ID: 3016257755-0
            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
            • Instruction ID: 55cc1116e9accffccacdcd6a5e5e494a6675e920fc7b33a6ec4bddf386bc76e3
            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
            • Instruction Fuzzy Hash: EA01403A06914ABBCF526E84CC418EE3F62BF59351F688615FE1858075D337C9B1AB81
            APIs
            • GetWindowRect.USER32(?,?), ref: 002DB59E
            • ScreenToClient.USER32(?,?), ref: 002DB5B6
            • ScreenToClient.USER32(?,?), ref: 002DB5DA
            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002DB5F5
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ClientRectScreen$InvalidateWindow
            • String ID:
            • API String ID: 357397906-0
            • Opcode ID: 9da8d4fe0e6b1d003e4520077af05940d5c573d897b390449344206c145ffe3d
            • Instruction ID: 31da608cc5e6d592fa7aec13c3ab46adc90d67d9135d62fc0251ed0971202ffc
            • Opcode Fuzzy Hash: 9da8d4fe0e6b1d003e4520077af05940d5c573d897b390449344206c145ffe3d
            • Instruction Fuzzy Hash: 7C1166B5D00209EFDB41CF99D5449EEFBB9FB08310F508166E915E3620D731AA618F90
            APIs
            • _memset.LIBCMT ref: 002DB8FE
            • _memset.LIBCMT ref: 002DB90D
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00317F20,00317F64), ref: 002DB93C
            • CloseHandle.KERNEL32 ref: 002DB94E
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _memset$CloseCreateHandleProcess
            • String ID:
            • API String ID: 3277943733-0
            • Opcode ID: 81aa0d53f664d16a5df63234c380af75656d1168d3ce160b9efb7f144924d12a
            • Instruction ID: 4b5a9829c5de6470193b24f3e24bc2d69adb39657dee7d87671068ecb479b214
            • Opcode Fuzzy Hash: 81aa0d53f664d16a5df63234c380af75656d1168d3ce160b9efb7f144924d12a
            • Instruction Fuzzy Hash: 8CF082B2554340BBF2516B65AC09FFB3BADEB0C754F048061BB09D5292D7718D118BA9
            APIs
            • EnterCriticalSection.KERNEL32(?), ref: 002B6E88
              • Part of subcall function 002B794E: _memset.LIBCMT ref: 002B7983
            • _memmove.LIBCMT ref: 002B6EAB
            • _memset.LIBCMT ref: 002B6EB8
            • LeaveCriticalSection.KERNEL32(?), ref: 002B6EC8
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CriticalSection_memset$EnterLeave_memmove
            • String ID:
            • API String ID: 48991266-0
            • Opcode ID: d51e542b5a06a0430359bc15a39a68b2d98dc9afed40f994dfe4fe7373e6680d
            • Instruction ID: 9fd11ffd3af348fb9c09d00378cc5a134bd64f6e3bc18c8d5e7f013a0e409028
            • Opcode Fuzzy Hash: d51e542b5a06a0430359bc15a39a68b2d98dc9afed40f994dfe4fe7373e6680d
            • Instruction Fuzzy Hash: FAF0543A100200ABCF416F55EC89A8ABB29FF45360B04C061FE0D5E216C731AD21DFB5
            APIs
              • Part of subcall function 002512F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0025134D
              • Part of subcall function 002512F3: SelectObject.GDI32(?,00000000), ref: 0025135C
              • Part of subcall function 002512F3: BeginPath.GDI32(?), ref: 00251373
              • Part of subcall function 002512F3: SelectObject.GDI32(?,00000000), ref: 0025139C
            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 002DC030
            • LineTo.GDI32(00000000,?,?), ref: 002DC03D
            • EndPath.GDI32(00000000), ref: 002DC04D
            • StrokePath.GDI32(00000000), ref: 002DC05B
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
            • String ID:
            • API String ID: 1539411459-0
            • Opcode ID: 6aef2ad1a398c11d3a59e4da2467707e30c91c76d89f38bf68896e9d66c8ae01
            • Instruction ID: 6a09e6274ddf82018bd0ca0fe8322fc556e053abf07345ced53a008e16e3338a
            • Opcode Fuzzy Hash: 6aef2ad1a398c11d3a59e4da2467707e30c91c76d89f38bf68896e9d66c8ae01
            • Instruction Fuzzy Hash: A5F0543144125AB7DB136F54AD0EFCE3F596F05312F148001FA12611E1C7755965CF99
            APIs
            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 002AA399
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 002AA3AC
            • GetCurrentThreadId.KERNEL32 ref: 002AA3B3
            • AttachThreadInput.USER32(00000000), ref: 002AA3BA
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
            • String ID:
            • API String ID: 2710830443-0
            • Opcode ID: 74afabe083b992bb721bb30fa5ea16b02b309f225a304c91f87ea37aa66f6639
            • Instruction ID: 40a752c2afda1f6cef574bceae926535a75a42b6295bbf414befe698bfe473a0
            • Opcode Fuzzy Hash: 74afabe083b992bb721bb30fa5ea16b02b309f225a304c91f87ea37aa66f6639
            • Instruction Fuzzy Hash: E4E03931942228BBDB601FA2ED0CEE73F1CEF167A1F048066F50A84460CBB1C950CBE4
            APIs
            • GetSysColor.USER32(00000008), ref: 00252231
            • SetTextColor.GDI32(?,000000FF), ref: 0025223B
            • SetBkMode.GDI32(?,00000001), ref: 00252250
            • GetStockObject.GDI32(00000005), ref: 00252258
            • GetWindowDC.USER32(?,00000000), ref: 0028C0D3
            • GetPixel.GDI32(00000000,00000000,00000000), ref: 0028C0E0
            • GetPixel.GDI32(00000000,?,00000000), ref: 0028C0F9
            • GetPixel.GDI32(00000000,00000000,?), ref: 0028C112
            • GetPixel.GDI32(00000000,?,?), ref: 0028C132
            • ReleaseDC.USER32(?,00000000), ref: 0028C13D
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
            • String ID:
            • API String ID: 1946975507-0
            • Opcode ID: 8e3c7ef9f24a2dc109b6a4514d4822ff7827babf7b68767cb33d73de10c15aac
            • Instruction ID: 4599301931f6b76c6c947f350ec690808376db6ae225170c138788d151adc76a
            • Opcode Fuzzy Hash: 8e3c7ef9f24a2dc109b6a4514d4822ff7827babf7b68767cb33d73de10c15aac
            • Instruction Fuzzy Hash: 65E06D32901245EADF615FA4FD0D7D83B10EB15332F14C367FAAE880E187718994DB21
            APIs
            • GetCurrentThread.KERNEL32 ref: 002A8C63
            • OpenThreadToken.ADVAPI32(00000000,?,?,?,002A882E), ref: 002A8C6A
            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002A882E), ref: 002A8C77
            • OpenProcessToken.ADVAPI32(00000000,?,?,?,002A882E), ref: 002A8C7E
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CurrentOpenProcessThreadToken
            • String ID:
            • API String ID: 3974789173-0
            • Opcode ID: eb66763343a1fc984fb4ee9aa9a54783b73fac262eab38cc64d3d3d69927c46a
            • Instruction ID: ab95421b8a66ebd0bbf7e4b129130fd66e4d3930b528bd1960f32c2df61a203b
            • Opcode Fuzzy Hash: eb66763343a1fc984fb4ee9aa9a54783b73fac262eab38cc64d3d3d69927c46a
            • Instruction Fuzzy Hash: 87E08636A47211DBD7A05FB07E0CB563BACEF51BA2F098829B687CA040DA348C41CF65
            APIs
            • GetDesktopWindow.USER32 ref: 00292187
            • GetDC.USER32(00000000), ref: 00292191
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 002921B1
            • ReleaseDC.USER32(?), ref: 002921D2
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: 403a3a3fe9f273c432bf929e75d0800159059a5f3f748c6d3f506b6e666d3ad0
            • Instruction ID: e2a8afe6e484d2b4c9c094b6bd3ea347b4f69835cabe70d22588c2dc5dda780a
            • Opcode Fuzzy Hash: 403a3a3fe9f273c432bf929e75d0800159059a5f3f748c6d3f506b6e666d3ad0
            • Instruction Fuzzy Hash: 7DE03271810204EFCB409F60E90CA9D7BA9EB0C311F208026E82A93620CB788A519F88
            APIs
            • GetDesktopWindow.USER32 ref: 0029219B
            • GetDC.USER32(00000000), ref: 002921A5
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 002921B1
            • ReleaseDC.USER32(?), ref: 002921D2
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: e2bf3183a725b9d673dc5580bf61a7f7767b886e02b13bb60b699127dcc59325
            • Instruction ID: 7b09abbb30b0893b0a9c500e9a54256d1f6c5d9af0f654e1958308a5d3fc6c96
            • Opcode Fuzzy Hash: e2bf3183a725b9d673dc5580bf61a7f7767b886e02b13bb60b699127dcc59325
            • Instruction Fuzzy Hash: D0E0E575C11204AFCB419F60E90C69D7BE9EB4C311F108026F96A97620DB789A419F88
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID:
            • String ID: %.
            • API String ID: 0-3490990516
            • Opcode ID: 94ba3896c5ae9bad42e5c74e4ae106dcab386f9808ea1149192a04ccbbfbff0f
            • Instruction ID: 054fed2e4f77d9fd191f56e8e318fc0a553e66886e8b25e052e2d8c2a1b9e6f7
            • Opcode Fuzzy Hash: 94ba3896c5ae9bad42e5c74e4ae106dcab386f9808ea1149192a04ccbbfbff0f
            • Instruction Fuzzy Hash: 2AB1D57192010A9BCF24EF94C4999FDB7B9FF44312F944026ED02A7291EB309DADCB59
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: __itow_s
            • String ID: xr1$xr1
            • API String ID: 3653519197-2703582721
            • Opcode ID: 494ea7c1b55c04cca7530477fd55653182ca83152ba116731d586b35539176b6
            • Instruction ID: 7afde252084a008788688f5427b427bd39f835e2475dd354d22e85d9fae6a606
            • Opcode Fuzzy Hash: 494ea7c1b55c04cca7530477fd55653182ca83152ba116731d586b35539176b6
            • Instruction Fuzzy Hash: 68B1C030A14209AFCB25DF54C892EAEB7B9FF58300F14855DF9059B282EB70D9A5CB60
            APIs
              • Part of subcall function 0026FEC6: _wcscpy.LIBCMT ref: 0026FEE9
              • Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
              • Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C
            • __wcsnicmp.LIBCMT ref: 002BB298
            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 002BB361
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
            • String ID: LPT
            • API String ID: 3222508074-1350329615
            • Opcode ID: 2dd4e3d2cf2c7b19817c7ec0ed302a6fb9d3ef2b91a967f3741358efae8fe246
            • Instruction ID: d93f58b58fe7d52d713cd3532f7a6f5f78017d13bc39458a67300160087f9cbf
            • Opcode Fuzzy Hash: 2dd4e3d2cf2c7b19817c7ec0ed302a6fb9d3ef2b91a967f3741358efae8fe246
            • Instruction Fuzzy Hash: C161C475A20215EFCB15DF54C881EEEB7F4EF08310F15409AF846AB291DBB0AE94CB50
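The "API ID" in each record's Similarity block is a position-independent fingerprint built only from the names of the APIs the function calls (including those reached through subcalls), so it survives rebasing and recompilation and can be matched across samples. The script below is an added example, not Joe Sandbox code: it parses the "APIs" listings of six records from this report (copied inline as constructed input) and rebuilds their API ID. The tokenisation rule it uses (split Win32 names on CamelCase, keep CRT names with a leading underscore whole, drop every word shorter than four characters, group words by call count with `$` between descending tiers and sort each tier in ASCII order) is inferred from the records on this page and is an assumption about the vendor's algorithm, not its published specification; the numeric "API String ID" hash is not reproduced.

```python
"""Rebuild the Joe Sandbox 'API ID' similarity key from an 'APIs' listing.

Added example, not Joe Sandbox code. The tokenisation rule (CamelCase split,
words shorter than MIN_TOKEN_LEN dropped, CRT names kept whole) is inferred
from the records in this report and is an assumption about the real algorithm.
"""
import re
from collections import Counter

MIN_TOKEN_LEN = 4  # assumption: this is what removes Get/Set/To/Ex/Id/DC/Sys/Bk/Url and the W/A suffix
_MODULES = "USER32|KERNEL32|GDI32|ADVAPI32|MPR|WININET|LIBCMT"
_CALL_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"([A-Za-z_][A-Za-z0-9_]*)\.(?:" + _MODULES + r")\b",
    re.MULTILINE,
)

# Constructed input: 'APIs' listings copied from six records of this report,
# keyed by the API ID the report prints for them so the rebuild can be checked.
RECORDS = {
    "ClientRectScreen$InvalidateWindow": """
• GetWindowRect.USER32(?,?), ref: 002DB59E
• ScreenToClient.USER32(?,?), ref: 002DB5B6
• ScreenToClient.USER32(?,?), ref: 002DB5DA
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002DB5F5
""",
    "CriticalSection_memset$EnterLeave_memmove": """
• EnterCriticalSection.KERNEL32(?), ref: 002B6E88
  • Part of subcall function 002B794E: _memset.LIBCMT ref: 002B7983
• _memmove.LIBCMT ref: 002B6EAB
• _memset.LIBCMT ref: 002B6EB8
• LeaveCriticalSection.KERNEL32(?), ref: 002B6EC8
""",
    "Thread$AttachCurrentInputMessageProcessSendTimeoutWindow": """
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 002AA399
• GetWindowThreadProcessId.USER32(?,00000000), ref: 002AA3AC
• GetCurrentThreadId.KERNEL32 ref: 002AA3B3
• AttachThreadInput.USER32(00000000), ref: 002AA3BA
""",
    "Pixel$Color$ModeObjectReleaseStockTextWindow": """
• GetSysColor.USER32(00000008), ref: 00252231
• SetTextColor.GDI32(?,000000FF), ref: 0025223B
• SetBkMode.GDI32(?,00000001), ref: 00252250
• GetStockObject.GDI32(00000005), ref: 00252258
• GetWindowDC.USER32(?,00000000), ref: 0028C0D3
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0028C0E0
• GetPixel.GDI32(00000000,?,00000000), ref: 0028C0F9
• GetPixel.GDI32(00000000,00000000,?), ref: 0028C112
• GetPixel.GDI32(00000000,?,?), ref: 0028C132
• ReleaseDC.USER32(?,00000000), ref: 0028C13D
""",
    "CurrentOpenProcessThreadToken": """
• GetCurrentThread.KERNEL32 ref: 002A8C63
• OpenThreadToken.ADVAPI32(00000000,?,?,?,002A882E), ref: 002A8C6A
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002A882E), ref: 002A8C77
• OpenProcessToken.ADVAPI32(00000000,?,?,?,002A882E), ref: 002A8C7E
""",
    "Connection__itow__swprintf__wcsnicmp_wcscpy": """
  • Part of subcall function 0026FEC6: _wcscpy.LIBCMT ref: 0026FEE9
  • Part of subcall function 00259997: __itow.LIBCMT ref: 002599C2
  • Part of subcall function 00259997: __swprintf.LIBCMT ref: 00259A0C
• __wcsnicmp.LIBCMT ref: 002BB298
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 002BB361
""",
}


def parse_api_calls(listing):
    """Return the API names of an 'APIs' listing, in order and with repeats.
    Subcall lines count too: the report folds them into the same API ID."""
    return _CALL_RE.findall(listing)


def tokenize(api_name):
    """Split a Win32 name into CamelCase words; CRT names ('_memset') stay whole.
    Words shorter than MIN_TOKEN_LEN are dropped (assumed rule, see module doc)."""
    if api_name.startswith("_"):
        words = [api_name]
    else:
        words = re.findall(r"[A-Z][a-z0-9]*", api_name)  # 'DC' becomes 'D','C' and is dropped
    return [w for w in words if len(w) >= MIN_TOKEN_LEN]


def api_id(api_names):
    """Group words by how many calls contributed them; most frequent tier first,
    tiers separated by '$', each tier sorted in ASCII order ('C' < '_' < 'a')."""
    counts = Counter(w for name in api_names for w in tokenize(name))
    tiers = {}
    for word, n in counts.items():
        tiers.setdefault(n, []).append(word)
    return "$".join("".join(sorted(tiers[n])) for n in sorted(tiers, reverse=True))


def check_report_records():
    """Rebuild every record's API ID; return {expected: got} for any mismatch."""
    return {exp: got for exp, listing in RECORDS.items()
            if (got := api_id(parse_api_calls(listing))) != exp}


if __name__ == "__main__":
    for expected, listing in RECORDS.items():
        print(f"{'OK ' if api_id(parse_api_calls(listing)) == expected else 'BAD'} {expected}")
```

Because the key is built from import names rather than addresses, the same function can be fingerprinted from your own IDA or Ghidra export and compared with the records here; the three-tier `Pixel$Color$...` record shows how repeated calls (four `GetPixel`, two `...Color`) are promoted to earlier tiers, which is what makes loops and helper-heavy functions distinctive.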
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _memmove
            • String ID: Oa&
            • API String ID: 4104443479-711773428
            • Opcode ID: 466d9c76244f1a6bb1de1fbcd2929a63e44dd876e7e773da6efca5abe0ca89af
            • Instruction ID: 5c95fa628d561e46870c9eeb97339e5a139ab2d880f57ebb45febd95b73767c4
            • Opcode Fuzzy Hash: 466d9c76244f1a6bb1de1fbcd2929a63e44dd876e7e773da6efca5abe0ca89af
            • Instruction Fuzzy Hash: C151707091061ADFCF24CF68D484AAEB7F1FF45318F14456AE85AD7240EB31A9A5CB50
            APIs
            • Sleep.KERNEL32(00000000), ref: 00262AC8
            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00262AE1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: GlobalMemorySleepStatus
            • String ID: @
            • API String ID: 2783356886-2766056989
            • Opcode ID: bbfa2784e94a3e05af38aa38e6beb6b501192fe072b4c4d930a46da39249f9c7
            • Instruction ID: 743e62668ad2a9325d10eb68d9dcbdb0fd2bdd135802c0120152bb409db32268
            • Opcode Fuzzy Hash: bbfa2784e94a3e05af38aa38e6beb6b501192fe072b4c4d930a46da39249f9c7
            • Instruction Fuzzy Hash: 0D514571428744DBD320AF10D88ABAFBBE8FB84315F42885DF5D9410A1DB708969CB2A
            APIs
              • Part of subcall function 0025506B: __fread_nolock.LIBCMT ref: 00255089
            • _wcscmp.LIBCMT ref: 002B9AAE
            • _wcscmp.LIBCMT ref: 002B9AC1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: _wcscmp$__fread_nolock
            • String ID: FILE
            • API String ID: 4029003684-3121273764
            • Opcode ID: 1b2024c5b9f5eb46cfd16b57a00c32283e13b6f42217a31400d012c17c6d5116
            • Instruction ID: ac2c8fd5a5062efc648ce692cb85df5244c377af4c52528a56b277c5fc77994f
            • Opcode Fuzzy Hash: 1b2024c5b9f5eb46cfd16b57a00c32283e13b6f42217a31400d012c17c6d5116
            • Instruction Fuzzy Hash: ED41F971A10619BBDF20AEA4DC45FEFB7FDDF49714F000069FA00A71C1D6719A548BA5
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ClearVariant
            • String ID: Dt1$Dt1
            • API String ID: 1473721057-1670705480
            • Opcode ID: 4e3be3734545f7bffdf6e8daea5e78a11182b8435a157ff45c91396563ae3c1f
            • Instruction ID: af3b314e9d0b3adb1698ab02d8d6b5952ae8044549a15b365aa9ae62f26c8957
            • Opcode Fuzzy Hash: 4e3be3734545f7bffdf6e8daea5e78a11182b8435a157ff45c91396563ae3c1f
            • Instruction Fuzzy Hash: 4C5114786283429FC754CF19C081A2ABBF1BB98359F54895CE9818B321D731EC95CB86
            APIs
            • _memset.LIBCMT ref: 002C2892
            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002C28C8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CrackInternet_memset
            • String ID: |
            • API String ID: 1413715105-2343686810
            • Opcode ID: 57b45d24ed28e4731beb40caaf0a633a4e15e2db37601dad6fb44873dc2b4638
            • Instruction ID: c5de945a881e5851ea88ca29286973154e717408ef1033e77658dcd039605200
            • Opcode Fuzzy Hash: 57b45d24ed28e4731beb40caaf0a633a4e15e2db37601dad6fb44873dc2b4638
            • Instruction Fuzzy Hash: 95310C71810119AFCF01DFA1DC85EEEBFB9FF08310F104169F815A6165DA31596ADF60
            APIs
            • DestroyWindow.USER32(?,?,?,?), ref: 002D6D86
            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002D6DC2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Window$DestroyMove
            • String ID: static
            • API String ID: 2139405536-2160076837
            • Opcode ID: a585b9dcb95613dbe326398143832a653590da2b4f7cf9cdf9e90fe27ca72ff4
            • Instruction ID: 96995a8f3b5b41b6b00d219a7bf30735b1b0affe6ccd39e56ea1c4599b7ec6ff
            • Opcode Fuzzy Hash: a585b9dcb95613dbe326398143832a653590da2b4f7cf9cdf9e90fe27ca72ff4
            • Instruction Fuzzy Hash: 4331A171220205AEDB109F64DC44BFB73B9FF48720F10851AF8A687290CB31ACA1CB64
            APIs
            • _memset.LIBCMT ref: 002B2E00
            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002B2E3B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: InfoItemMenu_memset
            • String ID: 0
            • API String ID: 2223754486-4108050209
            • Opcode ID: f0a8e314c50de38914787b10990f75419a0485677e31c3fbda66f2d64599973f
            • Instruction ID: ad949300621ecc0bfeca0ca438fc40ee2f508e4783406d8bf63a970f4f453e91
            • Opcode Fuzzy Hash: f0a8e314c50de38914787b10990f75419a0485677e31c3fbda66f2d64599973f
            • Instruction Fuzzy Hash: 02310931A20306EBEB25CF49D8457EEBBB9FF45380F144029E985A61A1D770F968CB11
            APIs
            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002D69D0
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002D69DB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: Combobox
            • API String ID: 3850602802-2096851135
            • Opcode ID: cdaf80304590d587dd2e8f2baa8fa26271293c975def89312e2d37491877950b
            • Instruction ID: 0edcb4888ce5d035697bb0e337e0d7296e39f0202a7ae830ac11d42cbdde187d
            • Opcode Fuzzy Hash: cdaf80304590d587dd2e8f2baa8fa26271293c975def89312e2d37491877950b
            • Instruction Fuzzy Hash: EE11C47172020A6FEF129F14CCA4EFB376EEB893A4F114126F958973D0D6719C618BA0
            APIs
              • Part of subcall function 00251D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00251D73
              • Part of subcall function 00251D35: GetStockObject.GDI32(00000011), ref: 00251D87
              • Part of subcall function 00251D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00251D91
            • GetWindowRect.USER32(00000000,?), ref: 002D6EE0
            • GetSysColor.USER32(00000012), ref: 002D6EFA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Window$ColorCreateMessageObjectRectSendStock
            • String ID: static
            • API String ID: 1983116058-2160076837
            • Opcode ID: 6eba8b73a07764bf0aa891156009d5268b064dc700554043807665499b14e480
            • Instruction ID: ddecf11a4d8eeaf48640ca2c6ebd4ceee7ff997f7d3fdd535658e21a66a4194f
            • Opcode Fuzzy Hash: 6eba8b73a07764bf0aa891156009d5268b064dc700554043807665499b14e480
            • Instruction Fuzzy Hash: D4215C7292020AAFDB04DFA8DD49EEA7BB8FB08314F004529FD55D3250D734E8619B50
            APIs
            • GetWindowTextLengthW.USER32(00000000), ref: 002D6C11
            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002D6C20
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: LengthMessageSendTextWindow
            • String ID: edit
            • API String ID: 2978978980-2167791130
            • Opcode ID: e1d9fb74013ab8d530d7bc435aaeeeddff166e2568bb7b6e63dd1c92cf1527c9
            • Instruction ID: 2703b58e7064228bf131758cc3d2e431a085a871cfc5ee97e82bf85d7019162e
            • Opcode Fuzzy Hash: e1d9fb74013ab8d530d7bc435aaeeeddff166e2568bb7b6e63dd1c92cf1527c9
            • Instruction Fuzzy Hash: 4511BF71521109ABEB108F64DC49AEB376DEB05378F104727F961E32D0C775DCA19B60
            APIs
            • _memset.LIBCMT ref: 002B2F11
            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 002B2F30
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: InfoItemMenu_memset
            • String ID: 0
            • API String ID: 2223754486-4108050209
            • Opcode ID: 9dfaab8d7b1a209e99a4daeeb3653c00cf9b082b381b55771bd7ca1a154a35df
            • Instruction ID: 02626bb1ec4ae05d92ef927fa43944478a2e5426fa27e635cbdce2c782b7f423
            • Opcode Fuzzy Hash: 9dfaab8d7b1a209e99a4daeeb3653c00cf9b082b381b55771bd7ca1a154a35df
            • Instruction Fuzzy Hash: 6311E231921315EBDB21DF98DC44BE973B9FB05390F0840A1E864A72A0D7B0EE28C791
            APIs
            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 002C2520
            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 002C2549
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Internet$OpenOption
            • String ID: <local>
            • API String ID: 942729171-4266983199
            • Opcode ID: aec5f0b803b8ae92e9d60312e0a20404683fb82beafe11133e78a84eadb63111
            • Instruction ID: e020d9939ae08fd0a1219a210ec1dfede45d239f3e8467dd0125ae3464c5bb94
            • Opcode Fuzzy Hash: aec5f0b803b8ae92e9d60312e0a20404683fb82beafe11133e78a84eadb63111
            • Instruction Fuzzy Hash: 6C11E370521226FADB288F518C98FFBFF68FB05391F50822EF50552040DAB05968D6E0
            APIs
              • Part of subcall function 002C830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,002C80C8,?,00000000,?,?), ref: 002C8322
            • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002C80CB
            • htons.WSOCK32(00000000,?,00000000), ref: 002C8108
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ByteCharMultiWidehtonsinet_addr
            • String ID: 255.255.255.255
            • API String ID: 2496851823-2422070025
            • Opcode ID: 3ed0d720a73d050628862d606bfbee2d373901bf4d88fc0277eb1d3ccc6534f4
            • Instruction ID: d1d61cfd4effe27f990caa17a63dc27f9349473ff062ca0c8e601a96744086bd
            • Opcode Fuzzy Hash: 3ed0d720a73d050628862d606bfbee2d373901bf4d88fc0277eb1d3ccc6534f4
            • Instruction Fuzzy Hash: 0411E534610206ABDB10AF64DC56FFDB364FF05310F14862BE91597291DB72A825CA95
            APIs
            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00253C26,003162F8,?,?,?), ref: 00260ACE
              • Part of subcall function 00257D2C: _memmove.LIBCMT ref: 00257D66
            • _wcscat.LIBCMT ref: 002950E1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: FullNamePath_memmove_wcscat
            • String ID: c1
            • API String ID: 257928180-4215254210
            • Opcode ID: 24299ac5d1e6237cea78978cf0132f73c57503cc3b104fbd7041ab563727e00b
            • Instruction ID: 3c45f16f2dcd1ebc3e533468918c937e5591f29ed79d019b99230886f74eab73
            • Opcode Fuzzy Hash: 24299ac5d1e6237cea78978cf0132f73c57503cc3b104fbd7041ab563727e00b
            • Instruction Fuzzy Hash: BF11A938A2521C9B8B41FBA4DC42DDD73B8EF0C354B0044A6B959D7151EA70DAE85B15
            APIs
              • Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82
              • Part of subcall function 002AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002AB0E7
            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 002A9355
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ClassMessageNameSend_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 372448540-1403004172
            • Opcode ID: 23d8db4601bb4027c399c5090175c306c36b8da8026ec85595ed058ca45f07c7
            • Instruction ID: 13309abc6e2037d520397092e8531ef48315f7882fecb4d28641c7c99e7ad098
            • Opcode Fuzzy Hash: 23d8db4601bb4027c399c5090175c306c36b8da8026ec85595ed058ca45f07c7
            • Instruction Fuzzy Hash: E701F171A61224ABCF05EBA1CCA18FE73B9BF07320B100659F932572D2DF31582CCA50
            APIs
              • Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82
              • Part of subcall function 002AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002AB0E7
            • SendMessageW.USER32(?,00000180,00000000,?), ref: 002A924D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ClassMessageNameSend_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 372448540-1403004172
            • Opcode ID: 52db8be334a7c8a86b5c214bc58c4032c343e0f3bc169bed09505359aa0d7407
            • Instruction ID: 9eea36d9f65695e418dc655f2b28db95668e6c9b3b4cf9353c0449e90a0a0abf
            • Opcode Fuzzy Hash: 52db8be334a7c8a86b5c214bc58c4032c343e0f3bc169bed09505359aa0d7407
            • Instruction Fuzzy Hash: E901D471E611047BCB05EBA1C9A2EFF73AC9F47301F140029BD12632C2EE245E2C8AA1
            APIs
              • Part of subcall function 00257F41: _memmove.LIBCMT ref: 00257F82
              • Part of subcall function 002AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002AB0E7
            • SendMessageW.USER32(?,00000182,?,00000000), ref: 002A92D0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ClassMessageNameSend_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 372448540-1403004172
            • Opcode ID: 5b55d98c87eee783920873c34aa067b20e79953be9b67a835dec2c12e6ca8404
            • Instruction ID: 028df49af5af996a96ed0a8c1c2cd1d6e2c3eb0ccc99806016747fc93573b410
            • Opcode Fuzzy Hash: 5b55d98c87eee783920873c34aa067b20e79953be9b67a835dec2c12e6ca8404
            • Instruction Fuzzy Hash: C201A771E6121577CB05EAA5CD92FFF77AC9F12301F140116BC12636C2DE215E2C9A75
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: __calloc_crt
            • String ID: @R1
            • API String ID: 3494438863-1451780926
            • Opcode ID: 799ea59942f849e8d9784e3b92e0bb2a6408b71a35ecf0646b8932524ee2de61
            • Instruction ID: 834e4ab48a94286e8db411450fc6659357894d8499f611c579ef257d5fe62abb
            • Opcode Fuzzy Hash: 799ea59942f849e8d9784e3b92e0bb2a6408b71a35ecf0646b8932524ee2de61
            • Instruction Fuzzy Hash: F9F06875776A179FF739CF58BD16AE12799E709720F10C826E108CA1D0EB7488528650
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: ClassName_wcscmp
            • String ID: #32770
            • API String ID: 2292705959-463685578
            • Opcode ID: eb706633b4f70fa876c0deb9874d75dcd8fb79ed18a0190cd70f0e38cec001fe
            • Instruction ID: 621a65e837821d6ddb143573e2593ee48cd51dc2489b67686a65c9d686b092f8
            • Opcode Fuzzy Hash: eb706633b4f70fa876c0deb9874d75dcd8fb79ed18a0190cd70f0e38cec001fe
            • Instruction Fuzzy Hash: 62E02B3290132916E3109A95AC09BE7F7ACEB45761F000067FD14D3040D57099548BD0
            APIs
            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 002A81CA
              • Part of subcall function 00273598: _doexit.LIBCMT ref: 002735A2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: Message_doexit
            • String ID: AutoIt$Error allocating memory.
            • API String ID: 1993061046-4017498283
            • Opcode ID: 6ef9ef63cf5fb6bb21cf4099dc9025c8dcd0473a2f2e409acba00c2a92bf5c66
            • Instruction ID: 2c22322ca99580b9584a688549ca0fe388fb5763a535d72612dd1bede412059c
            • Opcode Fuzzy Hash: 6ef9ef63cf5fb6bb21cf4099dc9025c8dcd0473a2f2e409acba00c2a92bf5c66
            • Instruction Fuzzy Hash: A3D0C2322E531832D21432A96C0ABC566484B0AB12F508023FF0C954D38DE188B142DD
            APIs
              • Part of subcall function 0028B564: _memset.LIBCMT ref: 0028B571
              • Part of subcall function 00270B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0028B540,?,?,?,0025100A), ref: 00270B89
            • IsDebuggerPresent.KERNEL32(?,?,?,0025100A), ref: 0028B544
            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0025100A), ref: 0028B553
            Strings
            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0028B54E
            Memory Dump Source
            • Source File: 00000000.00000002.1651632377.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
            • Associated: 00000000.00000002.1651618061.0000000000250000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651667997.0000000000305000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651696165.000000000030F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1651708789.0000000000318000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_250000_Attendance list.jbxd
            Similarity
            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
            • API String ID: 3158253471-631824599
            • Opcode ID: b2dc070c792b23ded0cdd510e8ba1a12692fbdfcb3a3e078f0dfaee225f99eb4
            • Instruction ID: b2441f036a15135d476c011458d3850dbebf9a9975e4d5030a594fd460ff1437
            • Opcode Fuzzy Hash: b2dc070c792b23ded0cdd510e8ba1a12692fbdfcb3a3e078f0dfaee225f99eb4
            • Instruction Fuzzy Hash: 1FE06574521311CFD361EF24E90875277E4AB05744F04892DE846C2691D7B8E418CB61